
iis security : IIS4 SP6a, Internal Root CA and Client Certs not working


Gordon Fecyk
11/30/2003 6:19:42 PM
I remember wrestling with this problem on IIS5 and succeeding. I'm stuck
setting up an IIS4 server to handle certificate based authentication with a
company-internal certificate authority. I'm running into the symptoms
described in KB 194788, where IE6 won't display any of the client's usable
certificates and keys even though they're visible in the Content tab's
Certificates window under Personal.

The CA cert and other certs are set up using OpenSSL[1] instead of
Certificate Server, which worked when I dealt with IIS5 on this. I can make
.crt and .p12 files for the clients. The cert database itself isn't on-line
and I pass out .crt and .p12 files by hand.

Call the "pan-am.ca certificate authority" pan-am.ca.crt for a moment. I've
installed pan-am.ca.crt on the IIS4 computer using IE6, using the
instructions in the SP6a readme:

Start Internet Explorer 5. (!!! I have IE6 - can't get IE5 anymore!)
On the Tools menu, click Internet Options.
On the Content tab, click Certificates.
Click Import to start the Certificate Manager Import Wizard and follow the
instructions that appear.

pan-am.ca now appears in the trusted root authorities list.

Other KB articles tell me I have to add this cert to the "local computer"
physical store, too. If I do this, pan-am.ca appears twice in the list.

One server reboot later, and I still get the above symptoms.

The client computer I'm testing from also has IE6, but happens to run Win2K.
I made up a key pair for myself and I called it "gordonfecyk.p12" for now.
It is signed with the same CA cert as the server's cert. This cert appears
in "personal" when viewed from the Content / Certificates window but not
when I'm prompted for a certificate to authenticate. The pan-am.ca cert is
in the client computer's trusted root store as well.

A couple of things might make this unusual compared to the cert server
setup:

* I'm using OpenSSL to generate all keys, certs and p12s. This saves the
files as UNIX text instead of MS-DOS text, but IIS and IE seem to take that
OK. It also adds a lot of garbage before the "begin certificate" part, but
I can strip that out and it works.
* The keys default to being RSA 2048 bit keys. Apparently, I can have IIS4
use a 2048 bit key for itself and this works for SSL normally. I'm going to
rebuild everything using 1024 bit keys to test, but I'd rather not have to
use such small keys.

[1] One of these days I wish someone would compile a truly native OpenSSL
for Win32, that writes CRLF instead of LF only. I tried once but LCC-WIN32
doesn't have everything it needs.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
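The post describes an OpenSSL-built internal CA, client certificates signed by it, and hand-distributed .crt/.p12 files, but shows none of the commands. The script below is an added example, not code from the original post or from Gordon's setup: it builds a small private CA, issues a client certificate marked for client authentication, bundles it as PKCS#12 together with the CA certificate, strips any text that precedes the PEM block, and verifies the chain and key size with `openssl verify` and `openssl x509`. The names (demo-ca, gordon), the work directory and the .p12 password are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a small private CA
# with OpenSSL, issues a client certificate signed by that CA, bundles key and
# certificate as a .p12, and verifies the chain. The names (demo-ca, gordon),
# the work directory and the .p12 password are assumptions constructed for
# the demo.

# Create the CA key and a self-signed CA certificate (the equivalent of the
# post's pan-am.ca.crt) in the work directory given as $1.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Create a client key pair plus CSR, then sign the CSR with the CA. The
# extension file marks the certificate for client authentication, which is
# one of the things a browser filters on when it offers certificates to a site.
make_client_cert() {
  dir="$1"; name="$2"
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' \
    > "$dir/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# Bundle key, certificate and the CA certificate into a password-protected
# PKCS#12 file, the form a client imports into its Personal store.
export_p12() {
  dir="$1"; name="$2"; password="$3"
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -certfile "$dir/ca.crt" -name "$name" -passout "pass:$password" \
    -out "$dir/$name.p12"
}

# Re-emit a certificate as bare PEM. Anything that precedes the
# "-----BEGIN CERTIFICATE-----" line (for instance a -text dump) is dropped.
clean_pem() {
  openssl x509 -in "$1" -out "$2"
}

# Check that the client certificate chains to the CA. Returns 0 on success.
verify_chain() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1
}

# Print the RSA modulus size of a certificate's public key, e.g. 2048.
cert_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Whole flow: CA, client cert, .p12, a PEM clean-up pass, then verification.
run_demo() {
  dir="$1"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
  make_ca "$dir"
  make_client_cert "$dir" gordon
  export_p12 "$dir" gordon changeit
  clean_pem "$dir/gordon.crt" "$dir/gordon-clean.crt"
  verify_chain "$dir" gordon && echo "chain ok: gordon.crt is signed by ca.crt"
  echo "client key size: $(cert_bits "$dir/gordon.crt") bit"
}

# Usage: sh demo-ca.sh [workdir]; a temporary directory is used by default.
run_demo "${1:-$(mktemp -d)}"
```

`verify_chain` is the check to run before blaming the web server or browser: if the client certificate does not verify against the CA file here, no client will offer it. `clean_pem` covers the "garbage before the begin certificate part" the post mentions, since OpenSSL's PEM reader skips everything up to the BEGIN line and writes back only the encoded block.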

Gordon Fecyk
11/30/2003 9:44:32 PM
I think it's not an IIS4 problem anymore. I tried another client (cURL) that
supports client certificates. That seems to work correctly.

Only now I have a minor problem with the IIS4 log file:

#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
03:19:30 192.168.1.103 °¬ GET /soopersekret/default.txt 200 0 curl/7.9.5-pre4+(win32)+libcurl+7.9.5-pre4+(OpenSSL+0.9.6b)
03:32:25 192.168.1.103  GET /soopersekret/default.txt 200 0 curl/7.9.5-pre4+(win32)+libcurl+7.9.5-pre4+(OpenSSL+0.9.6b)

On IIS5 it would record the computer and username after the IP address. On
IIS4 it records garbage.

--
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key? See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
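The log excerpt above is in W3C extended format, where the `#Fields:` header names the columns and a field can be garbage bytes or, as in the second record, simply empty. The script below is an added example, not code from the original post: it selects a column by name using the header, keeps column positions intact when a field is empty (a plain whitespace split would shift the columns), and counts records whose cs-username is empty or contains bytes outside printable ASCII. The sample log is constructed for the demo; the third record with a domain user is an assumption showing what a normal entry looks like.

```shell
#!/bin/sh
# Added example, not code from the original post. Extract named columns from an
# IIS W3C extended log and flag records whose cs-username looks wrong.
# The sample log below is constructed for this demo.

SAMPLE_LOG='#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2003-11-30 03:19:30
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status cs(User-Agent)
03:19:30 192.168.1.103 °¬ GET /soopersekret/default.txt 200 0 curl/7.9.5-pre4+(win32)
03:32:25 192.168.1.103  GET /soopersekret/default.txt 200 0 curl/7.9.5-pre4+(win32)
03:40:01 192.168.1.104 PANAM\gordon GET /soopersekret/default.txt 200 0 Mozilla/4.0+(compatible;+MSIE+6.0)
'

# Print column NAME ($1) of a W3C log read from stdin. The "#Fields:" header
# drives the mapping, so the function works for any field order. FS is a
# single literal space (not the default whitespace run) so that an empty
# field still occupies its column.
log_field() {
  LC_ALL=C awk -F'[ ]' -v want="$1" '
    /^#Fields:/ { col = 0; for (i = 2; i <= NF; i++) if ($i == want) col = i - 1; next }
    /^#/        { next }
    col         { print $col }
  '
}

# Count records whose cs-username is empty or contains bytes outside the
# printable ASCII range (the "garbage" seen in the post).
count_odd_usernames() {
  log_field cs-username |
    LC_ALL=C awk '$0 == "" || $0 ~ /[^ -~]/ { n++ } END { print n + 0 }'
}

# Usage: run against the constructed sample. Replace SAMPLE_LOG with
# "cat ex031130.log" for a real file.
printf '%s' "$SAMPLE_LOG" | log_field cs-username
echo "records with empty or non-printable cs-username: $(printf '%s' "$SAMPLE_LOG" | count_odd_usernames)"
```

The `-F'[ ]'` choice is the part worth copying: with awk's default field splitting, the second record's empty username would collapse and `GET` would be read as the user name, so any alerting keyed on that column would silently look at the wrong field.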
