Make IIS require SSL client certificate during initial handshake

by

Here’s how I did this, on IIS 7.5:

  1. Run the following in an admin command prompt: netsh http show sslcert

  2. Save the output in a text file. Will look something like this:

    IP:port                 : 0.0.0.0:443
Certificate Hash        : [a hash value]
Application ID          : {[a GUID]}
Certificate Store Name  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

  3. Create a batch file using that info: 

    netsh http show sslcert
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[your cert hash from above] appid={[your GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
netsh http show sslcert

    (Yes, you have to delete and re-add; you can’t just alter clientcertnegotiation in-place. That’s why it’s important to save the hash and GUID, so it knows what to re-add.)

  4. Run that batch file, check for any errors, done.

Keep in mind that this setting is applied per-certificate, not per-server. So if you use multiple certs, or change/update your cert, you will have to do this again.

More Related Contents:

  1. Using makecert for Development SSL
  2. How do I configure IIS for URL Rewriting an AngularJS application in HTML5 mode?
  3. IIS_IUSRS and IUSR permissions in IIS8
  4. Publish to IIS, setting Environment Variable
  5. How to configure static content cache per folder and extension in IIS7?
  6. Using Custom Domains With IIS Express
  7. How can I create a self-signed cert for localhost?
  8. Port 80 is being used by SYSTEM (PID 4), what is that?
  9. IIS: Where can I find the IIS logs?
  10. Is Chrome ignoring Cache-Control: max-age?
  11. Classic ASP on IIS7: refusing to send errors to browser on 500 Internal Server Error
  12. How to redirect a URL path in IIS?
  13. .htaccess or .htpasswd equivalent on IIS?
  14. How do I enable upload of large files in classic ASP on IIS 7?
  15. How Can I have IIS properly serve .webmanifest files on my web site?
  16. Check ssl protocol, cipher & other properties in an asp.net mvc 4 application
  17. How do I configure a .net core API to work in IIS?
  18. How to guide for getting a classic asp application working under IIS 7.0
  19. How to disable HTTP/2 on IIS 10
  20. How do I create a user account for basic authentication?
  21. Recreate the default website in IIS
  22. How can I indicate to users that my IIS website is undergoing maintenance?
  23. Allow loading of JSON files in Visual Studio Express 2013 for Web
  24. C_GetSlotList Failing when called from IIS but not from IIS express
  25. IIS URL Rewrite ASP
  26. Configuration required to get Sencha ExtJS TreeGrid example working
  27. .NET Core app unable to start in IIS due to ErrorCode = ‘0x80004005 : 80008083
  28. Use SVG in Windows Azure Websites
  29. Asp.Net core MVC application Windows Authentication in IIS
  30. Stop IIS 7.5 Application Pool Recycling

Leave a Comment