Generating SSL/TLS Client Certificates
If you also want to strongly authenticate your SSL/TLS clients by using certificates on the browser side, you should deploy SSL/TLS client certificates to your users' browsers. Not all organizations want to do this. A typical scenario requiring SSL/TLS client certificates is a secure extranet Web site.
As with server certificates, you can request a client SSL/TLS certificate from an internal or external CA. If you're using a Windows Server 2003-rooted PKI, users can request certificates by using their MMC Certificates snap-in or the CA's Web interface (e.g., http://servername/certsrv). Administrators can also automatically enroll users for SSL/TLS certificates by using the Autoenrollment Group Policy Object (GPO) settings.
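The same enrollment can be scripted with certreq.exe, which ships with Windows and talks to the same enterprise CA as the MMC snap-in and the Web enrollment pages. The following PowerShell is an added example and is not from the original article; the CA config string, the template name, and the subject built from the logged-on user name are assumptions to be replaced with your own values.

```powershell
# Added example (not part of the original article): enroll the current user for a
# client-authentication certificate from an enterprise CA using certreq.exe.
# Assumptions: the CA config string below and a published template named 'User'
# that carries the Client Authentication EKU.
$CaConfig = 'ca.example.com\Example Issuing CA'   # assumed: "<CA host>\<CA common name>"
$Template = 'User'                                 # assumed template name
$work     = Join-Path $env:TEMP 'clientcert'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The INF file drives key generation and the PKCS #10 request.
# KeyUsage 0xA0 = digitalSignature + keyEncipherment; Exportable=FALSE keeps the
# private key inside the user's CSP so it cannot be copied off the machine.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$env:USERNAME"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced RSA and AES Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.2 = Client Authentication
OID = 1.3.6.1.5.5.7.3.2

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$work\client.inf" -Encoding ASCII

# 1. Generate the key pair in the user's key store and build the request.
certreq.exe -new "$work\client.inf" "$work\client.req"

# 2. Submit the request. If the template is set to issue automatically, the CA
#    returns the certificate immediately; otherwise it stays pending for approval.
certreq.exe -submit -config $CaConfig "$work\client.req" "$work\client.cer"

# 3. Install the issued certificate and bind it to the waiting private key
#    in the user's Personal (Cert:\CurrentUser\My) store.
certreq.exe -accept "$work\client.cer"

# Verify: the certificate must be in the Personal store together with its private
# key, or the browser will not offer it during the SSL/TLS client-auth handshake.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq "CN=$env:USERNAME" -and $_.HasPrivateKey } |
    Format-List Subject, Issuer, NotAfter, EnhancedKeyUsageList
```

Run this in the user's own session (not an elevated one running as another account), because the key pair lands in the profile of whoever runs certreq.exe. For bulk deployment the Autoenrollment GPO remains the better fit; the script is mainly useful for testing a template before you publish it to everyone.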
Ensuring That SSL Clients Trust the CA Certificate
An important, but often forgotten, last step is to make sure that your clients trust the CA that issued the client and server SSL/TLS certificates. In Windows, this means making sure that the CA's certificate is stored in the client's Trusted Root Certification Authorities store. For client authentication the same requirement applies in the other direction: the Web server must also trust the CA that issued the client certificates, or it will reject every client certificate presented to it. To look at the contents of a certificate store, open the Certificates snap-in.
Trust usually isn't a concern when you're using certificates issued by a commercial CA. The root certificates of commonly used commercial CAs (e.g., VeriSign and Thawte) ship with the Windows OS and are trusted by default; you only need to make sure the server presents any intermediate CA certificates the commercial CA issues under that root. CA certificate trust is an issue if you're using certificates generated by an internal PKI that's run by your company or a partner organization. In this case, you can use one of three methods to add the CA's certificate (not the server and client certificates themselves) to users' trusted root certificate stores:
- Use the Internet Explorer Administration Kit (IEAK) to create an IE installation kit that adds a CA certificate to the trusted root certificate store.
- Put the CA's certificate on a publicly accessible Web site where users can download it.
- Distribute the CA's certificate by using the Trusted Root Certification Authorities GPO setting.
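Whichever distribution method you choose, verify the result on a representative client before going live. The PowerShell below is an added example, not code from the original article: it checks whether a given CA certificate is present in the machine's Trusted Root store by thumbprint, adds it locally if it is missing (a stand-in for the three methods above when you are testing a single machine), and then builds the certificate chain for each client certificate in the user's Personal store the way the browser will. The CA certificate path and the use of the LocalMachine store are assumptions.

```powershell
# Added example (not part of the original article). Assumes the issuing CA's
# certificate was exported to C:\pki\ExampleRootCA.cer and that the client
# certificates to check live in the current user's Personal store.
param(
    [string]$CaCertPath = 'C:\pki\ExampleRootCA.cer'   # assumed path
)

$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCertPath

# 1. Is this exact CA certificate in the machine's Trusted Root store?
#    Compare thumbprints, not subject names: anyone can create a CA with the
#    same name, but the thumbprint identifies this specific certificate.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $caCert.Thumbprint }

if (-not $trusted) {
    Write-Warning "CA '$($caCert.Subject)' is not trusted on this machine; adding it to LocalMachine\Root (requires elevation)."
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($caCert)
    $store.Close()
} else {
    Write-Host "CA '$($caCert.Subject)' already trusted (thumbprint $($caCert.Thumbprint))."
}

# 2. Build the chain for each client certificate that has a private key.
#    X509Chain does the same path building and revocation checking the browser
#    does, so a failure here predicts a failed SSL/TLS client-auth handshake.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Require the Client Authentication EKU so a cert issued for another purpose is reported as unusable.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'))

Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    if ($chain.Build($_)) {
        Write-Host ("OK    {0}  (issuer: {1})" -f $_.Subject, $_.Issuer)
    } else {
        # ChainStatus explains the failure: untrusted root, expired, revoked, CRL unreachable, ...
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Write-Host ("FAIL  {0}  {1}" -f $_.Subject, $reasons)
    }
    $chain.Reset()
}
```

A chain that fails with "CRL unreachable" rather than an untrusted-root message points at a different problem than the one this section covers: the CA certificate is trusted, but the client cannot reach the CRL distribution point named in the certificate, which is common when internal PKI clients sit outside the corporate network.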
Although support for SSL/TLS is a common feature provided with today's Web servers and browsers, as you can see, setting it up correctly isn't a trivial task.