Step-by-Step Guide to Public Key-Based Client Authentication in Internet Explorer

This step-by-step guide explains basic features related to Public Key Infrastructure (PKI) in Microsoft® Internet Explorer version 5 and above. In particular, it describes how to use public key certificates to perform client authentication over a secure HTTP connection, using one of the following protocols: Transport Layer Security (TLS 1.0), Secure Sockets Layer (SSLv2 and SSLv3), or Private Communications Technology (PCT 1.0).

Introduction

Secure HTTP (HTTPS) provides strong authentication and confidentiality when HTTP is used to gain access to content on the World Wide Web. Its most common use is an encrypted connection to an authenticated Web server, with no authentication of the client at the transport level. When a client wishes to establish a secure HTTP connection, typically triggered by browsing to a URL that begins with https://, the client and server negotiate which security protocol to use and then exchange authenticating information.

Microsoft® Internet Explorer version 5 and above supports common secure communication protocols for HTTP transactions, such as the following:

  • Transport Layer Security (TLS version 1.0)

  • Secure Sockets Layer (SSL versions 2 and 3)

  • Private Communications Technology (PCT version 1.0).

Each of these protocols provides both encryption services (for confidentiality of exchanged data) and authentication services (identification of the server to the client and, optionally, of the client to the server). SSL 2.0 has known protocol weaknesses and PCT 1.0 is an obsolete Microsoft-specific design; where the server supports it, TLS should be negotiated in preference to either. This step-by-step guide describes how to use public key certificates to perform client authentication as part of one of these protocols.

Requirements

You must be running the Windows 2000 operating system. The most current information about hardware requirements and compatibility for servers, clients, and peripherals is available at the Windows 2000 Product Compatibility site (https://www.microsoft.com/windows2000/server/howtobuy/upgrading/compat/default.asp).

Client Authentication in Internet Explorer

To set up client authentication:

  1. Obtain a client authentication certificate from a certificate server.

    For details about enrolling a certificate, see the Step-by-Step Guide to End-User Certificate Management.

  2. Using Microsoft Internet Explorer, navigate to a URL that uses client authentication.

  3. When prompted by the Client Authentication dialog box, select the certificate you want to use, and click OK.

    To view the contents of individual certificates, select the certificate, and then click the View Certificate button.

    Note: If you are using a smart card for client authentication, the Select Card dialog box appears if the requested card is not already inserted into a reader. Insert the card, and then click OK. When prompted for your PIN, type it, and then click OK.

  4. The secure page is displayed.
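What happens underneath the dialog boxes in steps 2 and 3 is a TLS exchange: the server answers the https:// request with a CertificateRequest message that lists the certification authorities it accepts, the browser offers the user the certificates that chain to one of those authorities, and the chosen certificate is sent back together with a signature made with its private key (on a smart card, that signing operation is what the PIN unlocks). The server then validates the certificate chain against the authorities it trusts and either proceeds, as in step 4, or rejects the handshake. The following program, added to this guide as an illustration and not part of the original Microsoft documentation or of Internet Explorer, reproduces that exchange with the Go standard library: it builds a throwaway root CA, issues a server certificate for localhost, a client certificate for a user "alice" under that root and one for "mallory" under an unrelated CA, and runs both handshakes over a loopback connection. All names, the functions issue, ca, leaf, handshake and demo, and the certificates themselves are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // demo setup code: any failure is fatal
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the parsed
// certificate together with its freshly generated P-256 key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.SerialNumber, err = rand.Int(rand.Reader, big.NewInt(1<<62))
	check(err)
	tmpl.NotBefore, tmpl.NotAfter, tmpl.BasicConstraintsValid = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour), true
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// ca returns a self-signed root; leaf issues an end-entity certificate under issuer with one
// extended key usage (and optional DNS names) and packages it for crypto/tls.
func ca(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

func leaf(cn string, eku x509.ExtKeyUsage, dns []string, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) tls.Certificate {
	c, k := issue(&x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}, issuer, issuerKey)
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// handshake runs one TLS connection over loopback. The server sends a CertificateRequest (the
// event behind the browser's Client Authentication prompt) naming trustedCA as acceptable and
// verifies what the client presents; the authenticated subject's CN is returned, an unverifiable
// certificate is an error.
func handshake(trustedCA *x509.Certificate, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // demand a certificate and verify its chain
		ClientCAs:    pool,                           // the acceptable-CA list sent to the client
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	clientErr := make(chan error, 1)
	go func() {
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			RootCAs: pool, ServerName: "localhost",
			// Present the chosen certificate unconditionally, like a user picking an entry in the dialog.
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return &client, nil },
		})
		if err == nil {
			conn.Close()
		}
		clientErr <- err
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return "", err // e.g. "tls: failed to verify client certificate: ..."
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, <-clientErr
}

// demo builds the PKI (one trusted root, a server for "localhost", a client "alice" under that
// root, and a client "mallory" under a CA the server does not trust) and runs both handshakes.
func demo() (aliceCN string, aliceErr, malloryErr error) {
	root, rootKey := ca("Example Root CA")
	rogue, rogueKey := ca("Untrusted CA")
	server := leaf("localhost", x509.ExtKeyUsageServerAuth, []string{"localhost"}, root, rootKey)
	aliceCN, aliceErr = handshake(root, server, leaf("alice", x509.ExtKeyUsageClientAuth, nil, root, rootKey))
	_, malloryErr = handshake(root, server, leaf("mallory", x509.ExtKeyUsageClientAuth, nil, rogue, rogueKey))
	return
}

func main() {
	cn, aliceErr, malloryErr := demo()
	fmt.Printf("alice:   subject=%q err=%v\nmallory: err=%v\n", cn, aliceErr, malloryErr)
}
```

Run it with go run. Alice's handshake completes and the server learns her subject name from the verified certificate; Mallory's fails on the server side with a verification error, which is the situation described under Known Errors below. Note that the client presents whatever certificate was chosen, mirroring the user's choice in the dialog: acceptance is decided by the server's ClientCAs list, which is also the list the CertificateRequest advertises to the client so that a browser can filter what it offers.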

Known Errors

Internet Explorer remembers which certificate you selected for client authentication to a particular Web site, so that you are not asked to select it again if you revisit the site during the same browser session. On Microsoft Windows 2000, the selection is remembered even if the remote Web server rejected that certificate. If you select an invalid certificate (for example, one that was not issued by a certification authority the server trusts), you must therefore close all open Internet Explorer windows and open a new browser window; you are then prompted again to select a certificate for client authentication, and you can select a valid one.