Thursday, April 1, 2010

SSL Client Certificates

Here's the situation:

We have two servers in a secure environment where everything is protected by SSL with both server and client certificates. This means that clients need to present X.509 certificates before the server will let them in.

The first server performs GIS functions, including some web services used by the second server. The second server is an intranet portal built with SharePoint. The portal includes web parts that use the web services provided by the GIS server.

The rub happens when the web part tries to call a web service on the GIS server. We figured the web part could simply forward the client certificate it received, but we were wrong.

For what I presume are security concerns, the HTTP request won't use a certificate unless the private key belonging to that certificate is available in its key store. In our case, the private key is on a key card back on the client's desktop, not on the SharePoint server.

I think the security concern is what's called a "man in the middle" attack. In our case, the SharePoint server is in the middle. If Windows permitted certificate forwarding, then a malicious programmer could create a "man in the middle" attack.

http://en.wikipedia.org/wiki/Man-in-the-middle_attack
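The same situation reproduced on loopback, as an added example that is not part of the original post: a server that requires client certificates, a user identity whose private key it alone holds, and two "forwarded" attempts by the middle server, one with the bare certificate and one with the certificate paired with some other key it does own. All certificates and names here are constructed throwaways; the behaviour shown is Go's standard TLS stack (TLS 1.3 CertificateVerify), which declines to offer a certificate it has no key for and rejects a signature made with a non-matching key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned makes a throwaway self-signed cert and a pool that trusts only it (constructed for this example).
func NewSelfSigned() (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // self-signed, so the cert vouches for itself
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// Handshake runs one mutually authenticated TLS handshake over loopback and returns the server's verdict.
func Handshake(server tls.Certificate, serverCA, userCA *x509.CertPool, offered tls.Certificate) error {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: userCA})
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, _ := ln.Accept()
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake()
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{offered},
		RootCAs: serverCA, ServerName: "localhost"}); err == nil {
		cli.Close() // a TLS 1.3 client may not learn of the rejection until it next reads
	}
	return <-verdict
}

func main() {
	gis, gisCA := NewSelfSigned()   // the GIS web service
	user, userCA := NewSelfSigned() // the desktop user; in the post the private key lives on a key card
	fmt.Println("user with key:", Handshake(gis, gisCA, userCA, user))
	fmt.Println("forwarded cert, no key:", Handshake(gis, gisCA, userCA, tls.Certificate{Certificate: user.Certificate}))
	fmt.Println("forwarded cert, other key:", Handshake(gis, gisCA, userCA, tls.Certificate{Certificate: user.Certificate, PrivateKey: gis.PrivateKey}))
}
```

The first call succeeds; the second is refused because the client, lacking the key, never offers the certificate at all, and the third is refused because the CertificateVerify signature does not match the certificate's public key. That proof-of-possession step is exactly what stops the portal from replaying a certificate it only received.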