
iis security : How to send the certificate hierarchy from IIS?


ralphmengen NO[at]SPAM hotmail.com
2/14/2004 2:50:34 AM
Hi!

After trying to configure my IIS 5.0 (running on Windows 2000 server)
to send the entire certificate hierarchy/chain to the client when the
https communication is started, I concluded that this is impossible.

Can anyone confirm this? Or is it possible and I just spent the last
six days looking in the wrong places?!

Is it possible with IIS 6?

MANY thanx for any hints,
David Wang [Msft]
2/14/2004 3:00:33 AM
I don't know, but I've queried the folks most familiar with SSL on IIS and
I'll send what I get.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
Michael Cheung
3/9/2004 2:40:43 AM
I'm also having this problem. How can you send the certificate hierarchy
from IIS? How can it be done?



*** Sent via Developersdex http://www.developersdex.com ***
David Wang [Msft]
3/10/2004 2:19:35 PM
The SSL team indicated that IIS sends the certificate path along with the
server certificate. However, the administrator needs to make sure the
certificates on the server are all up to date such that the client won't ask
questions when your server sends an expired/bad certificate when it sends
the certificate path.

So, the job here is for you, as the web server admin, to make sure and
update all certificates that your server is sending.

For example, in the expired Verisign certificate scenario, you need to
download and install the updated Verisign intermediate certificate on the
web server.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

JimCorkey
3/11/2004 2:41:07 PM
If by certificate path you mean the chain of certificates, I don't think that is correct. I have also spent quite a bit of time trying to get this to work. My client certificate is signed by an intermediate CA. I have verified that IIS 5 does not download the intermediate CA cert during the CertificateRequest portion of the SSL handshake when the list of trusted CAs is sent. It only downloads the root CA cert (among others). Can you configure things such that an intermediate CA cert is downloaded?

Ulad Malashanka [MS]
3/15/2004 8:15:31 AM
We decided to have our SSL server send only trusted root CA names when
asking for client authentication. The SSL protocol permits servers to send
the names of the intermediate CAs as well, but we decided not to do this to
keep the size of our SSL messages small.
If you want to have intermediate certificates on the client side you have to
install them manually.

Thanks,
Ulad
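The behaviour Jim observed and Ulad confirms (the server's CertificateRequest naming only root CAs, so a client whose certificate chains through an intermediate may not see its issuer advertised) can be verified from a captured handshake rather than by guesswork. The following is an added example, not code from this thread or from Microsoft: it builds a TLS 1.0 CertificateRequest message (RFC 2246 section 7.4.4) from constructed CA names, parses it back, and reports which distinguished names the server advertises. The "Example Corp" names are constructed sample data; on a real capture you would feed the raw handshake bytes to `parse_certificate_request` instead. If an intermediate CA's name is missing from the list, that is the condition Ulad describes, and the fix is on the client side (install the intermediate), not on the IIS server.

```python
"""Parse a TLS 1.0 CertificateRequest handshake message (RFC 2246 sec. 7.4.4)
and list the CA names the server says it will accept client certificates from.

Wire format:
  HandshakeType msg_type = certificate_request(13); uint24 length;
  ClientCertificateType certificate_types<1..2^8-1>;   (1-byte length prefix)
  DistinguishedName certificate_authorities<3..2^16-1>; (2-byte length prefix,
      each entry itself a 2-byte-length-prefixed DER-encoded X.501 Name)
"""
import struct

# ---- minimal DER helpers, enough to encode/decode an X.501 Name ----
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
OID_O = bytes.fromhex("55040a")   # id-at-organizationName (2.5.4.10)


def der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def name(cn, org):
    """Encode a two-RDN Name: O=org, CN=cn (values as UTF8String)."""
    def rdn(oid, val):
        return der(0x31, der(0x30, der(0x06, oid) + der(0x0c, val.encode())))
    return der(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln


def decode_name(der_name):
    """Flatten a DER Name into a dict such as {'O': ..., 'CN': ...}."""
    tag, seq, _ = der_read(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        _, rdn_set, pos = der_read(seq, pos)      # SET OF AttributeTypeAndValue
        _, atv, _ = der_read(rdn_set, 0)          # first (usually only) AVA
        _, oid, p = der_read(atv, 0)
        _, val, _ = der_read(atv, p)
        out[{OID_CN: "CN", OID_O: "O"}.get(oid, oid.hex())] = val.decode()
    return out


# ---- the handshake message itself ----
def build_certificate_request(ca_names, cert_types=b"\x01\x02"):
    """Build a CertificateRequest advertising the given DER Names.
    Default types: rsa_sign(1), dss_sign(2)."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Return (certificate_types, [decoded CA names]); raise ValueError if malformed."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]
    types, pos = body[1:1 + n], 1 + n
    (total,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        (ln,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        names.append(decode_name(body[pos:pos + ln]))
        pos += ln
    return types, names


# Constructed sample: a server that advertises both a root and its issuing CA.
SAMPLE = build_certificate_request([
    name("Example Root CA", "Example Corp"),
    name("Example Issuing CA", "Example Corp"),
])


def advertised_cns(msg=SAMPLE):
    return [n["CN"] for n in parse_certificate_request(msg)[1]]


def is_issuer_advertised(msg, issuer_cn):
    """True if the client's issuing CA appears in the server's list."""
    return issuer_cn in advertised_cns(msg)


if __name__ == "__main__":
    for cn in advertised_cns():
        print("server accepts client certs issued under:", cn)
    root_only = build_certificate_request([name("Example Root CA", "Example Corp")])
    print("intermediate advertised by root-only server?",
          is_issuer_advertised(root_only, "Example Issuing CA"))
```

The check that matters for this thread is `is_issuer_advertised`: when it returns False for the CA that signed your client certificate, the server is behaving as Ulad describes, and the intermediate has to be present in the client's store for the client to build and present a full chain.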
