Client SSL authentication causing 403.7 error from IIS

I'm trying to connect to a web service (not under my control) configured to authenticate users via SSL client certs. I have a valid certificate in PKCS12 format containing the client certificate and associated private key. The certificate is issued by a CA accepted by the web service provider.

Installing the certificate and trying to access the restricted area in various browsers gives the following results:

  • IE6 - Works fine and I can retrieve the WSDL

  • IE7 - Prompts for the certificate but then fails with a 403.7 from the server

  • Firefox3 - Set to ask, but no prompt and fails with a 403.7

  • Safari 4 - Certificate is installed in the Keychain, but no prompt and a 403.7

Also, trying to access the web service programmatically (Java) fails with the same 403.7 error code.

It's strange that this works in IE6 but in no other browser. What am I missing? Do I need to include the full CA certificate chain in the PKCS12 file?

Any help would be greatly appreciated.


This really works! If you're confused by the -inkey and -in options, they are the private key and certificate from the p12 file. You can convert the p12 file to pem format with:

openssl pkcs12 -in file.p12 -clcerts -out file.pem

and use the above command with "-in file.pem" only.

Also, you can import the root CA cert into your trusted certs store; here is a description of how to do that: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl. Then you don't have to manually copy the certificates. After installing the cert, use the command above without the "-CAfile chain.pem".


Ok, got this working. The answer is yes, I did need to include all intermediary CA certs in the PKCS12 file. I concatenated all the intermediary CA certs plus the Root CA cert in the file "chain.pem" then executed the following command:

openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem -out cert.p12
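
A way to check the fix described in the answer above, as an added example that is not part of the original posts: it builds a throwaway root -> intermediate -> client hierarchy and counts the certificates in a PKCS12 file exported with and without "-chain -CAfile chain.pem". The CA names, the file names other than those in the command above, the password "demo" and the helper function names are all constructed for the demo.

```shell
#!/bin/sh
# Added example. The CA hierarchy, file names and the password "demo" are constructed for this demo.
set -eu

# Print how many certificates a PKCS#12 file carries (private keys are not dumped).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# Create root -> intermediate -> client in directory $1, then export the client
# certificate twice: alone, and with the chain as in the command above.
build_demo() (
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[demo_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[demo_client]' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=clientAuth' > demo.cnf
    openssl req -x509 -config demo.cnf -extensions demo_ca -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=Demo Root CA' -keyout root.key -out root.pem
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' -keyout int.key -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile demo.cnf -extensions demo_ca -days 1 -out int.pem
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -subj '/CN=demo-client' -keyout key.pem -out client.csr
    openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -extfile demo.cnf -extensions demo_client -days 1 -out cert.pem
    cat int.pem root.pem > chain.pem
    openssl pkcs12 -export -in cert.pem -inkey key.pem \
        -passout pass:demo -out leaf-only.p12
    openssl pkcs12 -export -chain -CAfile chain.pem -in cert.pem -inkey key.pem \
        -passout pass:demo -out with-chain.p12
)

# Run the demo in a scratch directory and print "leaf-only-count with-chain-count".
demo_counts() {
    tmp=$(mktemp -d)
    build_demo "$tmp" >/dev/null 2>&1
    echo "$(count_p12_certs "$tmp/leaf-only.p12" demo) $(count_p12_certs "$tmp/with-chain.p12" demo)"
    rm -rf "$tmp"
}

demo_counts   # a leaf-only bundle holds 1 certificate, the chained one 3
```

Running count_p12_certs against your own cert.p12 (with its real password) shows whether the intermediate and root certificates actually made it into the file.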