How can I request a client certificate only from a particular CA
Question
Is it possible to request client certificates issued only by a particular CA (Certificate Authority)? The site is using IIS 7.5, and we have client certificates assigned to users following this article - http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/. A CTL does not seem to have any effect on this because the server will always advertise all acceptable CA names, regardless of whether they are in the CTL or not. http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx
Solution
- Run MMC as an Administrator on the server.
- Add the Certificates Add-in, selecting the Computer account.
- In each of the sub-folders, for each of the certificates you DO NOT want to be included, if the Intended Purpose has or contains Client Authentication:
  - Right-click on the certificate
  - Make sure "Enable only the following purposes" is selected
  - Uncheck "Client Authentication"
  - Click OK.
I had to do this for over 400 certificates on two servers... twice (because GPOs overwrote my settings).
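The MMC steps in the answer write a per-certificate purpose override (the CERT_ENHKEY_USAGE_PROP_ID store property) on every trusted CA you do not want Schannel to advertise. The script below is an added example, not part of the original answer, that does the same thing in bulk from an elevated Windows PowerShell prompt on the IIS host: it walks the LocalMachine stores, lists every certificate still usable for Client Authentication, and with `-Restrict` writes the override via crypt32 and reads it back. The store list, the `-KeepThumbprint` parameter (the issuers you still want advertised) and the `$AllPurposeReplacement` list used for CAs that have no EKU extension at all are assumptions of this example; adjust them to your environment.

```powershell
# Added example (not from the original answer). Assumes Windows PowerShell 5.1
# running elevated on the IIS server. Reports by default; -Restrict applies the
# same "Enable only the following purposes" override the MMC dialog writes.
param(
    [switch]$Restrict,
    [string[]]$KeepThumbprint = @(),                       # issuers to leave untouched
    [string[]]$StoreName = (Get-ChildItem Cert:\LocalMachine | ForEach-Object Name),
    # Assumed replacement for CAs with no EKU extension ("<All>" in MMC):
    # server auth, code signing, secure email, time stamping. Trim to what you need.
    [string[]]$AllPurposeReplacement = @('1.3.6.1.5.5.7.3.1','1.3.6.1.5.5.7.3.3',
                                         '1.3.6.1.5.5.7.3.4','1.3.6.1.5.5.7.3.8')
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$CERT_ENHKEY_USAGE_PROP_ID = 9                              # wincrypt.h

Add-Type -Namespace Crypt32 -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct CRYPT_DATA_BLOB { public uint cbData; public IntPtr pbData; }
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertSetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, uint dwFlags, ref CRYPT_DATA_BLOB pvData);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

# EKU OIDs from the certificate's own extension; $null means "valid for all purposes".
function Get-EkuOids($Cert) {
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return $null }
    @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
}

# Write the purpose override: DER-encode the remaining OIDs and store them as
# CERT_ENHKEY_USAGE_PROP_ID on the store-backed context (persists to the registry).
function Set-EkuProperty($Cert, [string[]]$Oids) {
    $coll = New-Object System.Security.Cryptography.OidCollection
    foreach ($o in $Oids) { [void]$coll.Add((New-Object System.Security.Cryptography.Oid $o)) }
    $der = (New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($coll, $false)).RawData
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($der.Length)
    try {
        [Runtime.InteropServices.Marshal]::Copy($der, 0, $buf, $der.Length)
        $blob = New-Object -TypeName 'Crypt32.Native+CRYPT_DATA_BLOB'
        $blob.cbData = [uint32]$der.Length; $blob.pbData = $buf
        if (-not [Crypt32.Native]::CertSetCertificateContextProperty($Cert.Handle, $CERT_ENHKEY_USAGE_PROP_ID, 0, [ref]$blob)) {
            throw "CertSetCertificateContextProperty failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

# Read the override back (what MMC shows under "Enable only the following purposes").
function Get-EkuProperty($Cert) {
    $cb = [uint32]0
    if (-not [Crypt32.Native]::CertGetCertificateContextProperty($Cert.Handle, $CERT_ENHKEY_USAGE_PROP_ID, [IntPtr]::Zero, [ref]$cb)) {
        return $null                                        # no override present
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$cb)
    try {
        [void][Crypt32.Native]::CertGetCertificateContextProperty($Cert.Handle, $CERT_ENHKEY_USAGE_PROP_ID, $buf, [ref]$cb)
        $der = New-Object byte[] ([int]$cb)
        [Runtime.InteropServices.Marshal]::Copy($buf, $der, 0, [int]$cb)
        $asn = New-Object System.Security.Cryptography.AsnEncodedData('2.5.29.37', $der)
        @((New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($asn, $false)).EnhancedKeyUsages |
            ForEach-Object { $_.Value })
    } finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($buf) }
}

foreach ($name in $StoreName) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    try { $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite) }
    catch { Write-Warning "Skipping store $name : $_"; continue }
    foreach ($cert in $store.Certificates) {
        if ($KeepThumbprint -contains $cert.Thumbprint) { continue }
        $override = Get-EkuProperty $cert
        $effective = if ($null -ne $override) { $override } else { Get-EkuOids $cert }
        # Skip anything already unusable for client auth (explicit EKU without the OID).
        if ($null -ne $effective -and $effective -notcontains $ClientAuthOid) { continue }
        $remaining = if ($null -ne $effective) { @($effective | Where-Object { $_ -ne $ClientAuthOid }) }
                     else { $AllPurposeReplacement }
        '{0,-16} {1} {2}' -f $name, $cert.Thumbprint, $cert.Subject
        if ($Restrict) {
            Set-EkuProperty $cert $remaining
            $check = Get-EkuProperty $cert
            if ($check -contains $ClientAuthOid) { Write-Warning "Override not applied for $($cert.Thumbprint)" }
        }
    }
    $store.Close()
}
```

Run it once without `-Restrict` to see which issuers would still be advertised, pass the thumbprints of the CAs you actually want to keep in `-KeepThumbprint`, then run again with `-Restrict`. To confirm the effect from a client, connect with `openssl s_client -connect host:443` and compare the "Acceptable client certificate CA names" list before and after; that list only appears when IIS requests the certificate in the initial handshake (site-level Accept/Require), not when the request happens in a renegotiation for a sub-directory. As the answer notes, certificates pushed by Group Policy are rewritten on refresh and lose the override, so the script has to be re-run (or scheduled) after each GPO-driven change.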
Licensed under: CC-BY-SA with attribution