I have a unique situation where I need to implement client certificate authentication via HTTPS between the IE browser and IIS 6. The browser and IIS are separated by a firewall that allows the browser to connect to IIS on the SSL port.
We have an internal certificate server on the same network as IIS. I created an SSL server certificate for IIS and installed. I configured IIS to only allow SSL, require client certificates.
The restriction is this: the browser is on a disconnected network, so I can't go to the CA's http://caserver/CertSrv URL and request a client certificate, as usual.
I realized that if there were a way to create a CSR against the Root CA's public key, I could copy it to the CA server to create the client certificate. But it seems there is no provision for this in IE or in the Certificates MMC snap-in. The Certificates snap-in seems to require a direct connection to the CA.
Has anyone solved this before?
FYI: all referenced servers run Windows Server 2003.
Update: Thanks to Jonas Oberschweiber and Mark Sutton for pointing out the CertReq.exe command-line tool. Using this, I created a CSR and therefore a client certificate that is successfully installed. However, IE does not seem to send this client certificate when accessing the IIS server in question; it still generates 403.7 "Forbidden: SSL client certificate". I suspect that the reason is that the Subject field of the client certificate does not match the user ID of the account running IE, so it may not send a mismatched client certificate. The Subject is the same as the username I used to submit the CSR and generate the client certificate on the other side of the firewall.
Subject? - , , IE ?
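As an added example (not from the original post), here is the CertReq.exe workflow the update describes, with the INF settings that decide whether IE will offer the certificate at all: the private key must be in the current user's store (MachineKeySet=FALSE) and the certificate must carry the Client Authentication EKU; IE does not compare the Subject to the logged-on account. The CA config string "CASERVER\Internal CA", the template name and the subject DN are placeholders, and PowerShell is assumed only to write the INF file.

```powershell
# Step 1 (browser side, disconnected network): describe the request in an INF file.
# The Subject is just the user's DN; IE never matches it against the Windows account.
@"
[NewRequest]
Subject = "CN=jdoe, OU=Users, O=Example"        ; placeholder DN
KeyLength = 2048
Exportable = FALSE
MachineKeySet = FALSE        ; key in the CURRENT USER store, which is where IE looks
KeySpec = 1                  ; AT_KEYEXCHANGE
KeyUsage = 0xA0              ; Digital Signature + Key Encipherment
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10

[EnhancedKeyUsageOIDs]
OID = 1.3.6.1.5.5.7.3.2      ; Client Authentication - required for IE to offer the cert

[RequestAttributes]
CertificateTemplate = User   ; placeholder: whatever template the internal CA issues
"@ | Set-Content -Path client.inf -Encoding ASCII

# Generates the key pair as a pending request in the user's store and writes a PKCS#10 CSR.
certreq.exe -new client.inf client.req

# Step 2 (CA network): carry client.req across the firewall and submit it to the CA.
certreq.exe -submit -config "CASERVER\Internal CA" client.req client.cer

# Step 3 (browser side): carry client.cer back and bind it to the pending private key.
# Run this as the same user who ran step 1, otherwise the matching key is not found.
certreq.exe -accept client.cer

# Check: the certificate should appear in the user's Personal store with a private key
# and the Client Authentication EKU; the issuing CA's root must also be trusted on
# both the client and the IIS server, or IIS 6 keeps answering 403.7.
certutil.exe -user -store My
```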