ASP and ASP.NET have a pretty easy mechanism to work with client certificates that a browser has handed to the web server. All it takes is this little piece of code:
plus or minus the square brackets and semi-colon. This will read and print the value of the issuer of the certificate. There are a lot more values to be read from the certificate, such as ValidFrom and ValidTo.
Client certificates are another way to authenticate a user besides a username and password. It provides an additional way to make the user prove they are really who they say they are. Also, because certificates are installed per machine it is not so easy to transfer it from one user/computer to another. At least not as easy as a username/password combination.
You will notice when a server asks or demands a certificate from a requesting browser, because you are prompted by this dialog:
It is not so easy to get the browser to prompt for a certificate that it will send to the web server. I found that there is hardly any relevant information to be found for developers on this topic. The next couple of blog entries will describe what you need to do to work with client certificates in ASP.NET.
- Preparing IIS 5.x or 6.0 with a server certificate
- Configure IIS for client certificates
- Request and install a client certificate on the browsing computer
- The need for Trusted Root Certificate Authorities
- Certificate Revocation Lists and Internet Information Server 5.x
I will update this post as more entries appear.