IIS accepting self-signed client certificates
Tuesday 2nd June 2015
SSL/TLS authentication is normally one-way: when you go to an HTTPS web-site the server presents a certificate, and normally that certificate will be signed by a certificate authority which, hopefully, your browser already trusts. If it doesn't, you can dismiss the error or manually trust the certificate and/or the certificate authority that signed it.
The optional part is client authentication: during the same handshake, once the client (browser) has accepted the server certificate, the server can ask the client for a certificate of its own, and the client presents one and proves it holds the matching private key by signing part of the handshake.
This is also set up to work through certificate authority signing - but frankly, I don't care if some random company can authenticate who you are - I'm more interested in authorisation - which means I need to trust specific certificates and not everything a CA signs. And, really, I don't care for a CA at all, they don't provide me with anything.
A self-signed client certificate is sufficient to both authenticate and authorise a client: the client proves possession of the private key during the handshake, and the server's explicit list of trusted certificates is the authorisation list. Things like IIS, though, are geared towards a PKI where a CA is involved. It's relatively easy to trust individual self-signed certificates in IIS 8; it seems you just need to ensure Client Certificates are turned on for your site/directory (SSL Settings, set to Accept or Require) and then add the client's public certificate to the Local Computer's Trusted People certificate store. With no CA there is no revocation list either: revoking a client means removing its certificate from that store, and the validity period is whatever the client chose when it minted the certificate, so both are worth checking.
You can optionally go further by setting up one-to-one or many-to-one mappings between certificates and Windows or Active Directory user accounts, which IIS then uses as the authenticated identity for the request.
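The steps above, written out as an added PowerShell example (this is not code from the original post): mint a self-signed certificate on the client, trust exactly that certificate in the server's Trusted People store, require a client certificate for the site, optionally map it one-to-one to an account, and then check from the client that the request only succeeds with the certificate. It assumes a client with the PKI module (Windows 8 / Server 2012 or later), an IIS 8 server with the WebAdministration module and the IIS Client Certificate Mapping Authentication feature (Web-Cert-Auth) installed, and a server certificate the client already trusts. The host name, file path and the `CONTOSO\alice` account are hypothetical.

```powershell
# Added example, not from the original post. Run the client steps on the client
# machine and the server steps on the IIS 8 server; all names are hypothetical.

# ---- 1. On the client: mint a self-signed certificate and export the public half ----
# The default New-SelfSignedCertificate template includes the Client Authentication
# EKU (1.3.6.1.5.5.7.3.2), which is what IIS looks for on a client certificate.
$clientCert = New-SelfSignedCertificate -DnsName 'alice.example' -CertStoreLocation 'Cert:\CurrentUser\My'
Export-Certificate -Cert $clientCert -FilePath 'C:\temp\alice.cer' | Out-Null   # DER, public key only
"Client thumbprint: $($clientCert.Thumbprint)"

# ---- 2. On the server: trust exactly this certificate, not a CA ----
# (copy C:\temp\alice.cer across first; it contains no private key)
$trusted = Import-Certificate -FilePath 'C:\temp\alice.cer' -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'

# ---- 3. On the server: require a client certificate for the site ----
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# ---- 4. Optional: one-to-one mapping of that certificate to a Windows account ----
$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $site -Filter $mapFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $mapFilter -Name oneToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter $mapFilter -Name manyToOneCertificateMappingsEnabled -Value $false
# The 'certificate' attribute is the DER certificate as base64, without PEM headers.
$certB64 = [Convert]::ToBase64String($trusted.RawData)
Add-WebConfigurationProperty -PSPath $site -Filter "$mapFilter/oneToOneMappings" -Name '.' -Value @{
    enabled     = 'True'
    userName    = 'CONTOSO\alice'   # hypothetical account this certificate is authorised as
    password    = 'Hyp0thetical!'   # IIS stores this encrypted in applicationHost.config
    certificate = $certB64
}
# Turn off anonymous access so only the mapped identity can reach the site.
Set-WebConfigurationProperty -PSPath $site `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false

# ---- 5. Check from the client: with the certificate it works, without it IIS refuses ----
$withCert = Invoke-WebRequest -Uri 'https://server.example/' -Certificate $clientCert -UseBasicParsing
"With cert: HTTP $($withCert.StatusCode)"
try {
    Invoke-WebRequest -Uri 'https://server.example/' -UseBasicParsing | Out-Null
    "Without cert: request was accepted, so the site is NOT requiring a client certificate"
} catch {
    "Without cert: refused as expected ($($_.Exception.Message))"
}
```

Step 5 is the check to keep: a 200 with the certificate and a 403 without it is what "trust only these certificates" looks like from outside. If a browser on the client never offers the certificate at all, one thing to look at is whether the server advertises a list of acceptable issuers in its certificate request (the SChannel `SendTrustedIssuerList` registry value under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL`); a self-signed certificate is its own issuer, and a browser that filters on that list will not show it unless it appears there.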
Unfortunately I haven't seen a way of getting IIS6 to accept self-signed certificates at all, so I have been unable to get to the mapping part. Why IIS6? It seems some businesses are sluggish at upgrading their platforms.