Browser is not prompting for a client certificate

Category: Frontend · Status: unresolved · 6 answers · 2207 views
暗喜 · 2020-12-06 00:34

Background:

I am updating an internal application to a two-step authentication process. I want to add a client certificate authentication process.

6 answers
  • 2020-12-06 00:37

    In every browser I've seen, the browser will not prompt you to select a certificate if it does not have any certificates signed by a CA the server trusts. So make sure your server is configured with the correct CAs. As Boklucius suggested, you can use openssl to examine the list of trusted CAs your server is sending to clients and see whether the CA you have signed your client certificates with is among them.

  • 2020-12-06 00:40

    Try `openssl s_client -connect yourip:443 -prexit` and see if the CA (your self-signed cert) is sent to the client in the "Acceptable client certificate CA names".

    You need to install openssl first if you don't have it.

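To make the check above repeatable, here is an added shell script (not part of either answer) that captures the `openssl s_client -prexit` transcript, pulls out the "Acceptable client certificate CA names" block and tests whether the subject DN of a given CA certificate is in it. It assumes openssl(1) is installed and that OpenSSL 1.1 or later is used, where both `s_client` and `x509 -subject` print DNs in the form `C = US, O = Example Corp, CN = Example Client CA` (older OpenSSL prints `/C=US/O=...`, so the string comparison would need adjusting). The parsing functions are exercised on a constructed transcript, so the script also runs offline; the host:port and certificate paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original answers): confirm that the CA which issued your
# client certificate is in the "Acceptable client certificate CA names" list the server
# advertises in its CertificateRequest. Assumes openssl(1) is installed for the live
# capture; the parsing functions are exercised on a constructed transcript so the
# script also runs offline.

# Live capture: dump the handshake against host:port and exit (stdin closed so
# s_client does not wait for input). Not invoked when the script runs offline.
capture_s_client() {
  local host_port="$1"   # e.g. yourip:443 (placeholder from the answer above)
  openssl s_client -connect "$host_port" -prexit </dev/null 2>/dev/null
}

# Subject DN of a CA certificate file, in the same one-line form s_client prints
# (OpenSSL 1.1 and later: "C = US, O = Example Corp, CN = Example Client CA").
ca_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Read an s_client transcript on stdin and print the advertised CA DNs, one per line.
# Prints nothing when the server sent no list (s_client then says
# "No client certificate CA names sent"), which is exactly the case where browsers
# will not show a certificate prompt.
acceptable_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && /^(---|Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|Server Temp Key|SSL handshake has read)/ { in_list = 0 }
    in_list && NF { print }
  '
}

# Exit 0 if the DN appears verbatim in the transcript's list, 1 otherwise.
ca_is_acceptable() {
  local transcript="$1" ca_subject_dn="$2"
  printf '%s\n' "$transcript" | acceptable_cas | grep -Fxq -- "$ca_subject_dn"
}

# Constructed sample transcripts (not captured from a real server).
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, O = Example Corp, CN = intranet.example.test
   i:C = US, O = Example Corp, CN = Example Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted from this constructed sample)
-----END CERTIFICATE-----
subject=C = US, O = Example Corp, CN = intranet.example.test
issuer=C = US, O = Example Corp, CN = Example Server CA
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Server CA
C = US, O = Example Corp, CN = Example Client CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:RSA+SHA256
---
SSL handshake has read 2011 bytes and written 431 bytes
Verification: OK
---'

NO_CA_TRANSCRIPT='CONNECTED(00000003)
---
No client certificate CA names sent
---
SSL handshake has read 1530 bytes and written 431 bytes
---'

# Usage: ./check_client_ca.sh host:port client-ca.pem
# Runs the live check only when both arguments are given.
if [ "$#" -ge 2 ]; then
  transcript="$(capture_s_client "$1")"
  wanted="$(ca_subject "$2")"
  if ca_is_acceptable "$transcript" "$wanted"; then
    echo "OK: server advertises '$wanted'; a client cert issued by it can be offered"
  else
    echo "MISSING: '$wanted' is not in the server's acceptable CA list:"
    printf '%s\n' "$transcript" | acceptable_cas
    exit 1
  fi
fi
```

If the list is empty (the "No client certificate CA names sent" case in the second constructed transcript), the server is not requesting a client certificate at all, which on IIS points back at the `clientcertnegotiation` binding setting rather than at the browser's certificate store.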
  • 2020-12-06 00:47

    To add a rather painful lesson to the mix: make sure you quit Skype (or any other application that eats port 443).

    So the idea here is: if you are running a dev environment on the same machine (both client and IIS), and your team uses Skype or some other app to communicate.

    Watch the hours go by as you try to debug this problem, seemingly doing everything "right", `netsh http sslcert` and such, even rebooting, but to no avail. Well, it turns out Skype will eat 443, so turn it off and "poof", there goes your certificate prompt.

    Then feel free to throw things at the wall, shout obscenities or just "Rage, rage against the dying of the light".

  • 2020-12-06 00:49

    Your problem is that the browser either doesn't get the request to provide a client certificate, or there is a security-related option blocking it from happening. IE offers a certificate only if the web site is in the correct zone (intranet or trusted sites). Please check this before anything else.

    If that doesn't help, then see this answer for the next step. The netsh documentation says:

    clientcertnegotiation
    Optional. Specifies whether the negotiation of certificate is enabled or disabled. Default is disabled.
    

    Enable that and even the dumbest browser should notice that it is supposed to offer a certificate for authentication. To diagnose your problem further you can use Wireshark to see the negotiation in action.

  • 2020-12-06 00:49

    Also, make sure Fiddler isn't getting in the way. If you have it decrypting the SSL, it'll corrupt the message back to IE, and it doesn't have the certificate installed, so it can't offer it. Turn off Fiddler, and voilà, the certificate prompt appears.

  • 2020-12-06 00:54

    I'll throw in a "try restarting the browser" suggestion, particularly if you installed the certificate while the browser was running.
