In general, it's not possible to do this.
The protocol for requesting and validating a certificate is defined by the SSL protocol; it works as follows:
- When you create an SSL service that is going to use client certificates to authenticate users, you need to configure the server (i.e. Stingray) with the list of certificate authorities it can trust. When the server requests that the client provides a certificate, it sends an SSL ‘CertificateRequest’ message to the client that contains a list of the trusted certificate authorities.
- The client software (e.g. web browser) will prompt the end user to select a certificate based on the list of certificate authorities. How it does this depends on the client software. If the user does not have a suitable certificate, the client software should display some sort of error message.
- If the client supplies the server with an invalid certificate (e.g. one that fails to meet CRL checks, or has expired), then the server's SSL stack should close the connection after sending an SSL Close message. This is the standard behaviour for an SSL server application. The client software should display some sort of error to the end user, but this is not controllable by the server.
I don’t believe there is an opportunity to send a redirect to a helpful error page when the handshake fails.
One option that may work for you:
- User clicks on link that requires client certificate: /login.asp
- Stingray redirects user to web page that presents the instructions on how to select a valid certificate, based on the client software.
The web browser will display the page of instructions and commence the process of asking the user for his certificate.
Hope that this helps.
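To make the first bullet concrete, here is an added example (not Stingray code, and not from the answer above) that builds and decodes a TLS 1.2 `CertificateRequest` handshake message as laid out in RFC 5246 section 7.4.4: the certificate types, the signature algorithms, and the length-prefixed list of DER-encoded DistinguishedNames that is the server's list of trusted CAs. The CA names, certificate types and signature algorithms are constructed sample values; the DER helper only handles the common-name attribute, which is enough to read the CA list a client is shown. (TLS 1.3 frames this message differently, via extensions, so this parser is 1.2-only.)

```python
import struct

OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 (id-at-commonName)
HANDSHAKE_CERTIFICATE_REQUEST = 13


def _der(tag, body):
    """Minimal DER TLV encoder (short and long length forms)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_name_cn(cn):
    """DER Name containing a single RDN: CN=<cn>. Constructed sample issuer name."""
    atv = _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, cn.encode("utf-8")))
    return _der(0x30, _der(0x31, atv))  # SEQUENCE { SET { SEQUENCE { oid, value } } }


def build_certificate_request(ca_names, cert_types=(1, 64), sig_algs=((4, 1), (4, 3), (5, 1))):
    """Assemble the handshake message a server sends when it wants a client certificate.
    cert_types 1/64 = rsa_sign/ecdsa_sign; sig_algs are (hash, signature) pairs, all sample values."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(p) for p in sig_algs)
    body += struct.pack("!H", len(sa)) + sa
    dns = b"".join(struct.pack("!H", len(d)) + d for d in (der_name_cn(n) for n in ca_names))
    body += struct.pack("!H", len(dns)) + dns
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def _read_der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos, with bounds checks."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + ln > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + ln], pos + ln


def dn_common_name(dn):
    """Walk a DER Name and return its CN attribute, or None if there is none."""
    tag, seq, _ = _read_der_tlv(dn, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        t, rdn, pos = _read_der_tlv(seq, pos)
        if t != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_der_tlv(rdn, p)
            _, oid, q = _read_der_tlv(atv, 0)
            _, val, _ = _read_der_tlv(atv, q)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8")
    return None


def parse_certificate_request(msg):
    """Decode a TLS 1.2 CertificateRequest; raises ValueError on malformed or truncated input."""
    if not msg or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    n, pos = body[pos], pos + 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    (sl,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + sl, 2)]
    pos += sl
    (dl,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + dl
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    cas = []
    while pos < end:
        (l,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if pos + l > end:
            raise ValueError("DistinguishedName runs past vector end")
        cas.append(body[pos:pos + l])
        pos += l
    return {
        "certificate_types": cert_types,
        "signature_algorithms": sig_algs,
        "certificate_authorities": [dn_common_name(d) for d in cas],
    }


if __name__ == "__main__":
    msg = build_certificate_request(["Example Root CA", "Example Issuing CA 1"])
    print(parse_certificate_request(msg))
```

The `certificate_authorities` list is exactly what the browser uses to filter the certificates it offers the user, so dumping it from a packet capture is the quickest way to confirm that the trusted-CA list configured on the server is the one the client actually sees; a client whose certificate chains to a CA not in that list will never get past the prompt, which is the situation the instructions page in the workaround above is meant to explain.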