Hi Miguel, First, let me thank you for your answer. It helped me understanding a bit more about all this. My problem existed before preparation was run, as you accurately guessed. Finally i understood what was happening... (I attach secureSite code (built with MS VS2008) to future Use) So let me juice it a little bit for everyone who might need it (Note: Take a deep breath before going through this) 0 - Build a simple OS application, and on page properties HTTP security select SSL with Client Certificates or use the vs 2008 code attached and map it in IIS 1 - If you don't have a Trusted authority at your service you can create one. 2 - Install Microsoft Certificate Services (Control panel -> Add or remove programs -> Add/Remove Windows Components) and set your CA (https://technet.microsoft.com/en-us/library/cc756120(WS.10).aspx) 3 - Follow the steps below filtered from tutorial https://support.microsoft.com/kb/315588 To Create a Server-Side Certificate Request 1.On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager. 2.Expand the node for your server, and then click Default Web Site. 3.On the Action menu, click Properties. 4.On the Directory Security tab, click Server Certificate. Follow these steps in the wizard: 5.Click Next on the first page of the wizard. 6.On the Server Certificate page, click Create a new certificate, and then click Next. 7.On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next. 8.On the Name and Security Settings page, accept the default settings, and then click Next. 9.On the Organization Information page, type the name of your client organization, type whatever you want for the organizational unit, and then click Next. 10.On the Your Site's Common Name page, type localhost, and then click Next. 11.On the Geographical Information page, type your country, region, and city details, and then click Next. 12.On the Certificate Request File Name page, accept the default file name (usually c:\certreq.txt), and then click Next. 13.On the Request File Summary page, confirm that all of the details are correct, and then click Next. 14.Click Finish to close the wizard. 15.Open the certificate file that is generated, and then copy the entire contents of the certificate file to the clipboard. 16. 17. 18.To Submit a Server-Side Certificate Request 19.Start Internet Explorer, and then browse to the following page: 20.https://localhost/CertSrv 21.NOTE: The Microsoft Certificate Services must be installed. 22.Follow these steps in the wizard: 23.Click Request a Certificate, and then click Next. 24.On the Choose Request Type page, click Advanced request, and then click Next. 25.On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next. 26.On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) box, and then press the CTRL+V key combination to paste the certificate request that you copied to the clipboard earlier. Click Submit. 27.Close Internet Explorer. 28. 29. 30.To Issue a Server-Side Certificate 31.On the Start menu, point to Programs, point to Administrative Tools, and then click Certificate Authority. 32.Expand the node for your certificate authority, and then select Pending Requests. 33.Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue. 34.Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it. 35.On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Servercert.cer. 36.Close the Properties dialog box for the certificate. 37.Close the Certificate Authority tool. 38. 39. 40.To Install a Server-Side Certificate 41.On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager. 42.Expand the node for your server, and then click Default Web Site. 43.On the Action menu, click Properties. 44.On the Directory Security tab, click Server Certificate. Follow these steps in the wizard: 45.Click Next on the first page of the wizard. 46.Click Process the Pending Request to install the certificate, and then click Next. 47.Browse to the C:\Servercert.cer certificate file that you saved previously. Click Next twice, then click Finish. 48.Click OK to close the Properties dialog box. 49. 50. 51.To Configure SecureSite Site for SSL and Client-Side Certificates 52.In Internet Services Manager, select the SecureSite subweb, and view its properties. 53.Follow these steps in the wizard: 54.On the Directory Security tab, click Edit in the Secure communications section. 55.Select the Require secure channel (SSL) check box. This ensures that communications to this subweb are encrypted. 56.Select the Require client certificates check box. This ensures that the site can only be viewed by users who have a client-side certificate installed. 57.Leave the check of mapping certificates empty, and hit ok. For use with portuguese citizen card : Download Intermediate Certificates from https://pki.cartaodecidadao.pt/ At the moment i can only find the certificates : Cartão de Cidadão 001 EC de Autenticação de Cartão de Cidadão 001 EC de Autenticação de Cartão de Cidadão 002 EC de Autenticação de Cartão de Cidadão 003 But there is one missing : ECRaizEstado wich is nothing but The root certificate (sometimes :P)! (i will forward this to them after submiting this post) So my problem was ignorance : If you open your citizen card application, and hit the tab "Certificados" you will see as the root GTE Cybertrust Global Root... Don't let yourself fool by what you see : GTE is Root, but ECRaizEstado also is. The certificate you should download is not the one ECRaizEstado you see now, but the ECRaizEstado you see after opening any of the descendants of ECRaizEstado This is because you will need to install the ECRaizEstado which is the root or believe me, it won't work! Steps for this : 1. open your citizen card application 2. go to tab "Certificados" 3. double click "Cartão de Cidadão 001" 4. go to tab "Certification Path" 5. double click "ECRaizEstado" 6. go to tab "Details" 7. click the button "Copy to File" 8.Hit next and choose Base64 encryption and hit next 9. choose a name for your certificate file : ECRaizEstado.cer and save to a location you can later get it from 10. open the certificate inside your server and click button install certificate (and just hit next until finish) You can try and follow the steps from the https://www.cartaodecidadao.pt technical manual, but in my opinion there is some stuff related to certificate import that isn't very accurate. (https://www.cartaodecidadao.pt/images/stories/Manual%20Autenticacao%20com%20Cartao%20de%20Cidadao_%20v1.7.pdf) So now you need to install the other certificates you previously downloaded : Click start -> run and write down : mmc , and hit enter. You now need to add a snap in : 1. Hit File : Add/Remove Snap In 2. Click Add 3. Choose Certificates 4. Click Add 5. Check Computer account and hit next 6. choose Local Computer and hit finish 7. click ok Right Click on the Intermediate Certification Authorities folder and click import. Choose your certificates one by one ( Cartão de Cidadão 001 EC de Autenticação de Cartão de Cidadão 001 EC de Autenticação de Cartão de Cidadão 002 EC de Autenticação de Cartão de Cidadão 003 ) and hit next, repeating this step for each one of the certificates mentioned above. Check if ECRaizEstado is inside the folder "Trusted Root Certification Authorities" and if it is not, repeat the above procedure to import it to this folder. Well, now just try it out. Open a client browser, enter the url of your server and check if it works : https://yourserver/SecureSite. Or you can just try the example oml i also attach of SmartCardDemo. (for that in IIS you should alter smartcarddemo directory security properties accordingly) https://yourserver/smartcarddemo Best Regards, and happy certifications ;-) Diogo C S Cordeiro