using Multiple client certificates

RE: using Multiple client certificates

Hi Jason,

As for the HttpWebRequest, though it has provide a Certificate Collection
property for multiple X509 certificates, when the component actual send
request and establish SSL connection with the serverside, only one of them
will be used and sent to serverside. So the server applcation (IIS or
ASP.NET) will only see single client certificate. And by default IIS
dosn't have any particular checking on the client certificate , but we can
add restrcition on clientside certificate(use the IIS's trusted certificate
List) , thus if the clientside certificate(its CA) dosn't meet the
requirement, the secuire connection establishing will fail.

So generally, only one client certificate is enough as long as its a
qualified one for serverside. Also, when we visist a SSL protected
page(which require client certificate) in IE browser, the browser will
popup the dialog to let the client user choose a certain client certificate
for sending to server.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)





--------------------
From: <jason.chen@new sgroups.nospam>
Subject: using Multiple client certificates
Date: Wed, 12 Oct 2005 19:10:27 -0400
Lines: 15
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.326
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
Message-ID: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
microsoft.publi c.dotnet.framew ork.webservices :8203
X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices

Hi all,
HttpWebRequest, and SoapHttpClientP rotocol both expose a
ClientCertifica tes property, which can hold multiple client certificates,
but on the service side, it can only receive one client certificate, since
it derives System.Web.Serv ices.WebService class, and it's
Context.Request .ClientCertific ate is a single HttpClientCerti ficate object,
is there a way to receive all the client certificates that is sent in the
request? or does IIS automatically decide which client certificate to use
during the SSL handshake? if so, is there a way to control which client
certificate to use during the SSL handshake?

thanks,
-Jason

Re: using Multiple client certificates

Hi Steven,
thanks, so when there are multiple client certificates added to
HttpWebRequest, how does IIS and the client figure out which one to pick?
will IIS randomly pick one? is there any way I can control which one will be
picked?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
news:mg2r2l8zFH A.3908@TK2MSFTN GXA01.phx.gbl.. .[color=blue]
> Hi Jason,
>
> As for the HttpWebRequest, though it has provide a Certificate Collection
> property for multiple X509 certificates, when the component actual send
> request and establish SSL connection with the serverside, only one of them
> will be used and sent to serverside. So the server applcation (IIS or
> ASP.NET) will only see single client certificate. And by default IIS
> dosn't have any particular checking on the client certificate , but we can
> add restrcition on clientside certificate(use the IIS's trusted[/color]
certificate[color=blue]
> List) , thus if the clientside certificate(its CA) dosn't meet the
> requirement, the secuire connection establishing will fail.
>
> So generally, only one client certificate is enough as long as its a
> qualified one for serverside. Also, when we visist a SSL protected
> page(which require client certificate) in IE browser, the browser will
> popup the dialog to let the client user choose a certain client[/color]
certificate[color=blue]
> for sending to server.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>
>
>
> --------------------
> From: <jason.chen@new sgroups.nospam>
> Subject: using Multiple client certificates
> Date: Wed, 12 Oct 2005 19:10:27 -0400
> Lines: 15
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> Xref: TK2MSFTNGXA01.p hx.gbl
> microsoft.publi c.dotnet.framew ork.webservices :8203
> X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
>
> Hi all,
> HttpWebRequest, and SoapHttpClientP rotocol both expose a
> ClientCertifica tes property, which can hold multiple client certificates,
> but on the service side, it can only receive one client certificate, since
> it derives System.Web.Serv ices.WebService class, and it's
> Context.Request .ClientCertific ate is a single HttpClientCerti ficate[/color]
object,[color=blue]
> is there a way to receive all the client certificates that is sent in the
> request? or does IIS automatically decide which client certificate to use
> during the SSL handshake? if so, is there a way to control which client
> certificate to use during the SSL handshake?
>
> thanks,
> -Jason
>
>
>[/color]

Re: using Multiple client certificates

Hi Jason,

Thanks for the response.
When there're multiple client certificates added to HttpWebRequest, the
webrequest component will send only one of them to IIS server. So IIS won't
know how many certificates we provided in the clientside HttpWebRequest
components since IIS server only receive one client certificate. In
addition, as for how the HTTPWebRequest choose the client certificate, it
is undocumented currently , so we can not rely on this behavior, I think
the normal behavior should be choosing the first one in the collection.
Anyway, I don't think the httpwebrequest will loop through all the
certificates and try all of them until find the one that match the
requirement. So when usign HttpWebRequest which need to send client
certificate, we should always attach the qualified certificate at the first
time.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)


--------------------
From: <jason.chen@new sgroups.nospam>
References: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
<mg2r2l8zFHA.39 08@TK2MSFTNGXA0 1.phx.gbl>
Subject: Re: using Multiple client certificates
Date: Thu, 13 Oct 2005 15:06:28 -0400
Lines: 80
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.326
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
Message-ID: <OQtw0kC0FHA.12 56@TK2MSFTNGP09 .phx.gbl>
Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
microsoft.publi c.dotnet.framew ork.webservices :8215
X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices

Hi Steven,
thanks, so when there are multiple client certificates added to
HttpWebRequest, how does IIS and the client figure out which one to pick?
will IIS randomly pick one? is there any way I can control which one will be
picked?

thanks,
-Jason

"Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
news:mg2r2l8zFH A.3908@TK2MSFTN GXA01.phx.gbl.. .[color=blue]
> Hi Jason,
>
> As for the HttpWebRequest, though it has provide a Certificate Collection
> property for multiple X509 certificates, when the component actual send
> request and establish SSL connection with the serverside, only one of them
> will be used and sent to serverside. So the server applcation (IIS or
> ASP.NET) will only see single client certificate. And by default IIS
> dosn't have any particular checking on the client certificate , but we can
> add restrcition on clientside certificate(use the IIS's trusted[/color]
certificate[color=blue]
> List) , thus if the clientside certificate(its CA) dosn't meet the
> requirement, the secuire connection establishing will fail.
>
> So generally, only one client certificate is enough as long as its a
> qualified one for serverside. Also, when we visist a SSL protected
> page(which require client certificate) in IE browser, the browser will
> popup the dialog to let the client user choose a certain client[/color]
certificate[color=blue]
> for sending to server.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
>
>
>
> --------------------
> From: <jason.chen@new sgroups.nospam>
> Subject: using Multiple client certificates
> Date: Wed, 12 Oct 2005 19:10:27 -0400
> Lines: 15
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> Xref: TK2MSFTNGXA01.p hx.gbl
> microsoft.publi c.dotnet.framew ork.webservices :8203
> X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
>
> Hi all,
> HttpWebRequest, and SoapHttpClientP rotocol both expose a
> ClientCertifica tes property, which can hold multiple client certificates,
> but on the service side, it can only receive one client certificate, since
> it derives System.Web.Serv ices.WebService class, and it's
> Context.Request .ClientCertific ate is a single HttpClientCerti ficate[/color]
object,[color=blue]
> is there a way to receive all the client certificates that is sent in the
> request? or does IIS automatically decide which client certificate to use
> during the SSL handshake? if so, is there a way to control which client
> certificate to use during the SSL handshake?
>
> thanks,
> -Jason
>
>
>[/color]

Re: using Multiple client certificates

I see. thanks steven.

"Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
news:g#JfptG0FH A.3772@TK2MSFTN GXA01.phx.gbl.. .[color=blue]
> Hi Jason,
>
> Thanks for the response.
> When there're multiple client certificates added to HttpWebRequest, the
> webrequest component will send only one of them to IIS server. So IIS[/color]
won't[color=blue]
> know how many certificates we provided in the clientside HttpWebRequest
> components since IIS server only receive one client certificate. In
> addition, as for how the HTTPWebRequest choose the client certificate, it
> is undocumented currently , so we can not rely on this behavior, I think
> the normal behavior should be choosing the first one in the collection.
> Anyway, I don't think the httpwebrequest will loop through all the
> certificates and try all of them until find the one that match the
> requirement. So when usign HttpWebRequest which need to send client
> certificate, we should always attach the qualified certificate at the[/color]
first[color=blue]
> time.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
> --------------------
> From: <jason.chen@new sgroups.nospam>
> References: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> <mg2r2l8zFHA.39 08@TK2MSFTNGXA0 1.phx.gbl>
> Subject: Re: using Multiple client certificates
> Date: Thu, 13 Oct 2005 15:06:28 -0400
> Lines: 80
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <OQtw0kC0FHA.12 56@TK2MSFTNGP09 .phx.gbl>
> Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> Xref: TK2MSFTNGXA01.p hx.gbl
> microsoft.publi c.dotnet.framew ork.webservices :8215
> X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
>
> Hi Steven,
> thanks, so when there are multiple client certificates added to
> HttpWebRequest, how does IIS and the client figure out which one to pick?
> will IIS randomly pick one? is there any way I can control which one will[/color]
be[color=blue]
> picked?
>
> thanks,
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
> news:mg2r2l8zFH A.3908@TK2MSFTN GXA01.phx.gbl.. .[color=green]
> > Hi Jason,
> >
> > As for the HttpWebRequest, though it has provide a Certificate[/color][/color]
Collection[color=blue][color=green]
> > property for multiple X509 certificates, when the component actual send
> > request and establish SSL connection with the serverside, only one of[/color][/color]
them[color=blue][color=green]
> > will be used and sent to serverside. So the server applcation (IIS or
> > ASP.NET) will only see single client certificate. And by default IIS
> > dosn't have any particular checking on the client certificate , but we[/color][/color]
can[color=blue][color=green]
> > add restrcition on clientside certificate(use the IIS's trusted[/color]
> certificate[color=green]
> > List) , thus if the clientside certificate(its CA) dosn't meet the
> > requirement, the secuire connection establishing will fail.
> >
> > So generally, only one client certificate is enough as long as its a
> > qualified one for serverside. Also, when we visist a SSL protected
> > page(which require client certificate) in IE browser, the browser will
> > popup the dialog to let the client user choose a certain client[/color]
> certificate[color=green]
> > for sending to server.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >
> >
> >
> >
> > --------------------
> > From: <jason.chen@new sgroups.nospam>
> > Subject: using Multiple client certificates
> > Date: Wed, 12 Oct 2005 19:10:27 -0400
> > Lines: 15
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> > Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> > NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> > Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> > Xref: TK2MSFTNGXA01.p hx.gbl
> > microsoft.publi c.dotnet.framew ork.webservices :8203
> > X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
> >
> > Hi all,
> > HttpWebRequest, and SoapHttpClientP rotocol both expose a
> > ClientCertifica tes property, which can hold multiple client[/color][/color]
certificates,[color=blue][color=green]
> > but on the service side, it can only receive one client certificate,[/color][/color]
since[color=blue][color=green]
> > it derives System.Web.Serv ices.WebService class, and it's
> > Context.Request .ClientCertific ate is a single HttpClientCerti ficate[/color]
> object,[color=green]
> > is there a way to receive all the client certificates that is sent in[/color][/color]
the[color=blue][color=green]
> > request? or does IIS automatically decide which client certificate to[/color][/color]
use[color=blue][color=green]
> > during the SSL handshake? if so, is there a way to control which client
> > certificate to use during the SSL handshake?
> >
> > thanks,
> > -Jason
> >
> >
> >[/color]
>
>
>[/color]

Re: using Multiple client certificates

You're welcome Jason,

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
From: <jason.chen@new sgroups.nospam>
References: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
<mg2r2l8zFHA.39 08@TK2MSFTNGXA0 1.phx.gbl>
<OQtw0kC0FHA.12 56@TK2MSFTNGP09 .phx.gbl>
<g#JfptG0FHA.37 72@TK2MSFTNGXA0 1.phx.gbl>
Subject: Re: using Multiple client certificates
Date: Fri, 14 Oct 2005 14:10:19 -0400
Lines: 142
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.3790.326
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
Message-ID: <#kPoKqO0FHA.72 0@TK2MSFTNGP15. phx.gbl>
Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP15.phx. gbl
microsoft.publi c.dotnet.framew ork.webservices :8233
X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices

I see. thanks steven.

"Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
news:g#JfptG0FH A.3772@TK2MSFTN GXA01.phx.gbl.. .[color=blue]
> Hi Jason,
>
> Thanks for the response.
> When there're multiple client certificates added to HttpWebRequest, the
> webrequest component will send only one of them to IIS server. So IIS[/color]
won't[color=blue]
> know how many certificates we provided in the clientside HttpWebRequest
> components since IIS server only receive one client certificate. In
> addition, as for how the HTTPWebRequest choose the client certificate, it
> is undocumented currently , so we can not rely on this behavior, I think
> the normal behavior should be choosing the first one in the collection.
> Anyway, I don't think the httpwebrequest will loop through all the
> certificates and try all of them until find the one that match the
> requirement. So when usign HttpWebRequest which need to send client
> certificate, we should always attach the qualified certificate at the[/color]
first[color=blue]
> time.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>
> --------------------
> From: <jason.chen@new sgroups.nospam>
> References: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> <mg2r2l8zFHA.39 08@TK2MSFTNGXA0 1.phx.gbl>
> Subject: Re: using Multiple client certificates
> Date: Thu, 13 Oct 2005 15:06:28 -0400
> Lines: 80
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> Message-ID: <OQtw0kC0FHA.12 56@TK2MSFTNGP09 .phx.gbl>
> Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> Xref: TK2MSFTNGXA01.p hx.gbl
> microsoft.publi c.dotnet.framew ork.webservices :8215
> X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
>
> Hi Steven,
> thanks, so when there are multiple client certificates added to
> HttpWebRequest, how does IIS and the client figure out which one to pick?
> will IIS randomly pick one? is there any way I can control which one will[/color]
be[color=blue]
> picked?
>
> thanks,
> -Jason
>
> "Steven Cheng[MSFT]" <stcheng@online .microsoft.com> wrote in message
> news:mg2r2l8zFH A.3908@TK2MSFTN GXA01.phx.gbl.. .[color=green]
> > Hi Jason,
> >
> > As for the HttpWebRequest, though it has provide a Certificate[/color][/color]
Collection[color=blue][color=green]
> > property for multiple X509 certificates, when the component actual send
> > request and establish SSL connection with the serverside, only one of[/color][/color]
them[color=blue][color=green]
> > will be used and sent to serverside. So the server applcation (IIS or
> > ASP.NET) will only see single client certificate. And by default IIS
> > dosn't have any particular checking on the client certificate , but we[/color][/color]
can[color=blue][color=green]
> > add restrcition on clientside certificate(use the IIS's trusted[/color]
> certificate[color=green]
> > List) , thus if the clientside certificate(its CA) dosn't meet the
> > requirement, the secuire connection establishing will fail.
> >
> > So generally, only one client certificate is enough as long as its a
> > qualified one for serverside. Also, when we visist a SSL protected
> > page(which require client certificate) in IE browser, the browser will
> > popup the dialog to let the client user choose a certain client[/color]
> certificate[color=green]
> > for sending to server.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >
> >
> >
> >
> > --------------------
> > From: <jason.chen@new sgroups.nospam>
> > Subject: using Multiple client certificates
> > Date: Wed, 12 Oct 2005 19:10:27 -0400
> > Lines: 15
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > X-Newsreader: Microsoft Outlook Express 6.00.3790.326
> > X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
> > Message-ID: <OwuNjI4zFHA.26 8@TK2MSFTNGP09. phx.gbl>
> > Newsgroups: microsoft.publi c.dotnet.framew ork.webservices
> > NNTP-Posting-Host: a7cebc03.cst.li ghtpath.net 167.206.188.3
> > Path: TK2MSFTNGXA01.p hx.gbl!TK2MSFTN GP08.phx.gbl!TK 2MSFTNGP09.phx. gbl
> > Xref: TK2MSFTNGXA01.p hx.gbl
> > microsoft.publi c.dotnet.framew ork.webservices :8203
> > X-Tomcat-NG: microsoft.publi c.dotnet.framew ork.webservices
> >
> > Hi all,
> > HttpWebRequest, and SoapHttpClientP rotocol both expose a
> > ClientCertifica tes property, which can hold multiple client[/color][/color]
certificates,[color=blue][color=green]
> > but on the service side, it can only receive one client certificate,[/color][/color]
since[color=blue][color=green]
> > it derives System.Web.Serv ices.WebService class, and it's
> > Context.Request .ClientCertific ate is a single HttpClientCerti ficate[/color]
> object,[color=green]
> > is there a way to receive all the client certificates that is sent in[/color][/color]
the[color=blue][color=green]
> > request? or does IIS automatically decide which client certificate to[/color][/color]
use[color=blue][color=green]
> > during the SSL handshake? if so, is there a way to control which client
> > certificate to use during the SSL handshake?
> >
> > thanks,
> > -Jason
> >
> >
> >[/color]
>
>
>[/color]