iissslctl

How can I request a client certificate only from a particular CA


Is it possible to request client certificates issued only by a particular CA (Certificate Authority)? The site is using IIS 7.5, and we have client certificates assigned to users following this article - http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/. CTL does not seem to have any effect on this because the server will always advertise all acceptable CA names, regardless if they are in the CTL or not. http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx


Solution

  • I had to do this for over 400 certificates on two servers... twice (because GPOs overwrote my settings).