
How to create and use Certificate Trust List for IIS 10+


We have IIS10 running on a server that has had too many certificates added to the trusted root authorities store. There is a group policy in place that keeps replacing these certificates should any be deleted. In this case, IIS is apparently unable to validate client certificates, and an otherwise valid certificate is rejected.

As I understand, IIS 10 can be configured to use a Certificate Trust List instead of relying on the Trusted Root Certificate Authorities list. I have created a self-signed certificate to sign the SSL, and I have followed this: https://www.pkisolutions.com/how-to-create-certificate-trust-list-ctl-using-powershell/ to the point where I have generated the CTL, and can view the UI, but I cannot figure out if it is possible to export/import this CTL, how to do so, or if this is even feasible.

How do I export a CTL so that I can import it into my IIS server? Am I even on the right track?


Solution

  • The solution was to copy the trusted intermediate CAs into the Windows "Client Authentication Issuers" store, then use netsh to set the CTL store for the site to ClientAuthIssuer:

    Example:

    netsh http update sslcert ipport=0.0.0.0:443 appid={4dc3e181-e14b-4a21-b022-...} certhash=a95...c68 sslctlstorename=ClientAuthIssuer
    

    To get the appid and certhash, use:

    netsh http show sslcert
    

    For further reference: https://social.msdn.microsoft.com/Forums/en-US/54b8da9b-568d-4c5b-8f94-651c3a6de29c/certificate-trust-list-on-iis-85
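The same procedure, scripted end to end in PowerShell, as an added example that is not part of the original post or answer: it installs the intermediate CA certificates into the machine-level Client Authentication Issuers store (physical store name ClientAuthIssuer), reads the site's current appid and certhash back from netsh rather than having you copy them by hand, and then rebinds with sslctlstorename=ClientAuthIssuer. It assumes an elevated session on the IIS host, that the CA certificate files live in the placeholder folder C:\ClientCAs, that the binding is 0.0.0.0:443, and that netsh prints its default English field labels (the regexes parse those labels).

```powershell
# Added example (not the original poster's script). Assumptions: runs elevated on
# the IIS host; CA certificates are .cer files in $CaDir (placeholder path);
# the binding to update is $IpPort; netsh prints its default English labels.
param(
    [string]$CaDir  = 'C:\ClientCAs',   # placeholder: folder holding the intermediate CA .cer files
    [string]$IpPort = '0.0.0.0:443'
)

# 1. Put the intermediate CAs into LocalMachine\ClientAuthIssuer. Opening the
#    store ReadWrite via X509Store creates it if it does not exist yet.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('ClientAuthIssuer', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    Get-ChildItem -Path $CaDir -Filter *.cer | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)

        # Only CA certificates belong in an issuer store; skip leaf certificates.
        $bc = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
            Select-Object -First 1
        if (-not $bc -or -not $bc.CertificateAuthority) {
            Write-Warning "Skipping $($_.Name): not a CA certificate"
            return
        }
        if (-not $store.Certificates.Contains($cert)) {
            $store.Add($cert)
            Write-Host "Added $($cert.Subject) [$($cert.Thumbprint)] to ClientAuthIssuer"
        }
    }
} finally {
    $store.Close()
}

# 2. Recover appid and certhash for the existing binding from 'netsh http show sslcert'.
$show = netsh http show sslcert ipport=$IpPort
$hashMatch = $show | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]+)' | Select-Object -First 1
$appMatch  = $show | Select-String -Pattern 'Application ID\s*:\s*(\{[0-9a-fA-F-]+\})' | Select-Object -First 1
if (-not $hashMatch -or -not $appMatch) {
    throw "Could not parse an SSL binding for $IpPort from netsh output"
}
$certHash = $hashMatch.Matches[0].Groups[1].Value
$appId    = $appMatch.Matches[0].Groups[1].Value

# 3. Rebind with ClientAuthIssuer as the CTL store. 'update sslcert' replaces the
#    binding, so the original certhash and appid must be supplied again.
netsh http update sslcert ipport=$IpPort certhash=$certHash appid="$appId" sslctlstorename=ClientAuthIssuer
if ($LASTEXITCODE -ne 0) {
    throw "netsh http update sslcert failed with exit code $LASTEXITCODE"
}

# 4. Confirm the binding now carries the CTL store name.
netsh http show sslcert ipport=$IpPort | Select-String -Pattern 'Ctl Store Name'
```

Run it once per IIS host after the CA files are in place; the final line should report `Ctl Store Name : ClientAuthIssuer`. Because the Client Authentication Issuers store is separate from Trusted Root Certification Authorities, the group policy that keeps re-populating the root store no longer affects which issuers IIS offers and accepts for client certificates.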