Skip navigation

Using CTLs to Restrict Web Site Access

I want to restrict access to a portion of my Web site so that only those users to whom I issue a certificate can access the site. My suppliers will then be able to access my purchase-order system without having to authenticate. I know that you can use this configuration with Active Server Pages (ASP) applications, but can you configure IIS to accept connections from clients that present a client certificate that I issued?

Yes. You can use a certificate trust list (CTL) to restrict access to site content to only those clients that can present a certificate from a designated Certificate Authority (CA)—in this case, your certificate server.

Setting up a CTL is easy, and you can do it in both IIS 5.0 and IIS 4.0. I focus on the IIS 5.0 process. First, you need to enable Secure Sockets Layer (SSL) on your Web site. The property pages that you need to access to configure a CTL aren't available until you've installed a certificate on the Web site. (For detailed instructions about installing a certificate on IIS 5.0, see the Microsoft article "HOWTO: Set Up SSL Using IIS 5.0 and Certificate Server 2.0" at .com/default.aspx?scid=kb;en-us;q299525. For a walk-through of certificate installation on IIS 4.0 machines, see my article "How to Install SSL—Part 1: The New Key Request" at key_request.htm.)

After you've installed the server certificate, you can create the CTL. Access the Web site's Properties dialog box, then click the Directory Security tab. Click Edit under Secure Communications. (Note that the Edit button isn't enabled unless you've installed a certificate on the site.) On the Secure Communications dialog box, which Figure 2, page 7, shows, select the Enable certificate trust list check box, then click New to launch the Certificate Trust List Wizard. When the wizard starts, click Next, then click Add from Store to select the certificate that you want to require for access to the Web site, as Figure 3 shows. Click OK twice; the selected certificate will appear in the Current CTL certificates list. Click Next, then type the friendly name for the CTL. (The friendly name is used only for your reference in the UI.) Click Next, click Finish, then click OK.

Next, you need to provide instructions to your clients about how to request a certificate from your certificate server (or the CA that you designated in the CTL). Microsoft Certificate Server for Windows 2000 and Windows NT includes a Web-based application that makes this process fairly easy. Detailing the step-by-step process for requesting and installing a client certificate is beyond the scope of this answer, but the process is similar to requesting and installing a server certificate. Simply connect to http://certficateservername/certsrv, where certificateservername is the name of the Web server that's hosting the certificate server, and complete the forms you see there.

Now, when IIS receives a request for access to this Web site's content, the server will query the client's certificate and verify that the designated certificate server issued the certificate. You can combine CTLs with other forms of authentication if you want to provide greater security.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.