Require Client Certificate not working

Hi guys

We have a server in our DMZ I'd like to use client certificates on.  The client certificate will be downloaded from our server NOT in the DMZ.  Here's what I've got configured so far:

  1. Generated an IIS server certificate request from the DMZ server.
  2. Completed the certificate request using our internal Windows 2008 R2 Certificate Services server.
  3. Completed the certificate request on our IIS DMZ server.
  4. Added the certificate issuer (our internal certificate server) to Trusted Root Certification Authorities on the DMZ server.
  5. Downloaded a client certificate from our internal certificate services server on my workstation.
  6. Exported and installed my client certificate to the DMZ server, installing it in the personal certificate store.

When I attempt to browse the site from the server itself, I'm prompted to select my exported personal certificate but receive a 403.13 - Forbidden message. If I attempt to access the same site from my workstation (not in the DMZ) I'm again presented with a list of client certificates the server trusts but receive a more general 403 - Forbidden: Access is denied.

Whether I test from the server itself or from my non-DMZ workstation, IE is presenting a list of client certificates. This tells me the IIS server has presented a list of trusted root certificates it has and my IE client has inspected this list and found a client certificate issued by the same CA found in its trusted root certification authorities. It's failing after I select a client cert with a 403.13 error.

I Googled the error and found this:

  403.13 - Client certificate revoked

This error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority.

As our certificate server is not in the DMZ, I'm wondering if this is the issue. As far as I can tell, everything else has been configured properly. Without making our certificate server available to the DMZ, is there a way to accomplish what I'm after? This is for a small, one-off project.

Tks
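The 403.13 description quoted in the post names two possible causes: the client certificate is listed in the issuing CA's CRL, or the server could not fetch that CRL at all. The script below is an added example, not code from the original post, that separates the two from the DMZ server's point of view. It reads the CRL Distribution Point URLs out of the imported client certificate, tries to download each one from the server (SChannel on the IIS box is what performs this fetch, so the test must run there, not on the workstation), then asks Windows to build the chain with online revocation checking and prints the specific chain status, and finally shows the site's sslFlags and the binding's client-certificate revocation setting. The certificate subject and site name are placeholders; everything else uses only built-in PowerShell, .NET Framework, the WebAdministration module and netsh.

```powershell
# Added example (not from the original post). Assumes: run in an elevated PowerShell
# on the DMZ IIS server, the exported client certificate already imported into
# CurrentUser\My. $Subject and $SiteName are placeholders for the poster's values.
param(
    [string]$Subject  = 'CN=myuser',         # placeholder: subject of the imported client cert
    [string]$SiteName = 'Default Web Site'   # placeholder: IIS site that requires the client cert
)

# 1. Find the client certificate in the personal store.
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Select-Object -First 1
if (-not $clientCert) { throw "No certificate matching '$Subject' in CurrentUser\My" }
Write-Output "Testing: $($clientCert.Subject) (thumbprint $($clientCert.Thumbprint))"

# 2. Extract the CRL Distribution Points (extension OID 2.5.29.31) and try to fetch
#    each HTTP one from this host. An LDAP-only CDP needs a domain controller or the CA
#    reachable from the DMZ, which is exactly what the poster does not have.
$cdp = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
if (-not $cdp) {
    Write-Warning 'Certificate carries no CRL Distribution Point extension'
} else {
    $urls = [regex]::Matches($cdp.Format($true), '(?i)(https?|ldap)://\S+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        if ($url -match '^(?i)ldap://') {
            Write-Output "CDP $url : LDAP, only usable if a DC/CA is reachable from the DMZ"
            continue
        }
        try {
            $bytes = (New-Object System.Net.WebClient).DownloadData($url)
            Write-Output "CDP $url : reachable ($($bytes.Length) bytes)"
        } catch {
            Write-Output "CDP $url : UNREACHABLE - $($_.Exception.Message)"
        }
    }
}

# 3. Build the chain with online revocation checking, as SChannel does for the
#    client certificate. RevocationStatusUnknown / OfflineRevocation means the CRL
#    could not be fetched; Revoked means the CA actually revoked the certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$null = $chain.Build($clientCert)
if ($chain.ChainStatus.Count -eq 0) {
    Write-Output 'Chain: OK, trust and revocation verified'
} else {
    $chain.ChainStatus | ForEach-Object {
        Write-Output ("Chain: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
}

# 4. Show the site's client-certificate requirement and whether the HTTPS binding
#    checks client-certificate revocation at all.
Import-Module WebAdministration
Get-WebConfigurationProperty -Filter 'system.webServer/security/access' -Name sslFlags -PSPath "IIS:\Sites\$SiteName"
netsh http show sslcert | Select-String 'IP:port', 'Verify Client Certificate Revocation'
```

If step 2 reports every HTTP CDP as unreachable and step 3 returns RevocationStatusUnknown or OfflineRevocation, the server is failing for the second reason in the quoted description, not because the certificate was revoked. The usual ways out are either to give the DMZ host HTTP access to a copy of the CRL (a CA can publish to a CDP on a web server the DMZ can reach, and the copy must be refreshed before the CRL's next-update time or the same failure returns), or to turn off client-certificate revocation checking on the binding (`verifyclientcertrevocation=disable` when adding the binding with `netsh http add sslcert`). The second option means a revoked certificate will still be accepted, so it is a deliberate trade-off, not a fix; for a small one-off project it may be acceptable, but it should be recorded as such.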
