
iis security : Intermediate certificate not sent as a trusted CA


JimCorkey
3/11/2004 2:31:16 PM
Greetings,

Problem Summary:
We are unable to configure IIS to allow an intermediate Certificate Authority certificate to be used for client authentication.

Background:
We are setting up a secure web site. We want to enable access to a portion of the web site to holders of a particular client certificate. The client certificate is signed by an intermediate CA. The intermediate CA certificate is signed by a root CA. Both certificates are loaded into certificate stores. The root CA certificate is loaded into the Trusted Root Certification Authorities store. The intermediate CA certificate is loaded into the Intermediate Root Certification Authorities store. I have also tried loading the intermediate CA certificate into the Trusted Root store.

Client Authentication Problem:
During the SSL handshake the IIS server issues a CertificateRequest to the client. Contained in the CertificateRequest is a list of CAs that the server is willing to accept. The list does not contain the intermediate CA. Since the server does not indicate a willingness to accept certificates signed by the intermediate CA, the client will not offer its certificate. How can we configure IIS to include the intermediate CA certificate in the list of trusted CAs that is sent in the CertificateRequest?

Software Versions:
Windows 2000 Professional – SP4
IIS 5.0
Ulad Malashanka [MS]
3/15/2004 8:25:23 AM
IIS sends only root CA certificates.
To make your client pick up the appropriate certificate, it should have
the whole cert chain on its side.
What is your client software?

Thanks,
Ulad

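The selection logic Ulad is describing, as an added example that is not part of this thread: the server's CertificateRequest carries a list of DER-encoded CA names, and a client walks up its own chain looking for an issuer that appears in that list. When the server lists only the root, a client that holds just the leaf finds no match and sends nothing; a client that also holds the intermediate reaches the root and offers leaf plus intermediate. The DER helper, the CA names and the TLS 1.0 message layout (RFC 2246 section 7.4.4, which matches the IIS 5.0 era; TLS 1.2 adds a signature_algorithms vector between the two fields) are constructed here for illustration.

```python
"""Constructed example: how a TLS client picks a certificate from the
CertificateRequest's certificate_authorities list, and why it needs the
whole chain when the server lists only root CAs (as IIS does)."""
import struct


# --- minimal DER helpers: single-CN Names, enough to build sample DNs ---
def der(tag, content):
    """Encode one DER TLV using the short length form (content < 128 bytes)."""
    if len(content) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(content)]) + content


def der_cn(common_name):
    """DER-encode an X.501 Name made of a single CN attribute."""
    oid_cn = b"\x06\x03\x55\x04\x03"                          # OBJECT IDENTIFIER 2.5.4.3 (CN)
    atv = der(0x30, oid_cn + der(0x0C, common_name.encode()))  # SEQUENCE { OID, UTF8String }
    return der(0x30, der(0x31, atv))                           # Name ::= SEQUENCE OF SET OF atv


# --- TLS 1.0 CertificateRequest body (RFC 2246 section 7.4.4) ---
RSA_SIGN = 1  # ClientCertificateType.rsa_sign


def build_certificate_request(ca_names):
    """certificate_types<1..255> followed by certificate_authorities<0..65535>."""
    types = bytes([RSA_SIGN])
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return bytes([len(types)]) + types + struct.pack("!H", len(cas)) + cas


def parse_certificate_request(body):
    """Return the DER Names the server says it is willing to accept."""
    pos = 0
    n_types = body[pos]
    pos += 1 + n_types                                  # skip certificate_types
    (cas_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + cas_len
    if end != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    names = []
    while pos < end:
        (n,) = struct.unpack_from("!H", body, pos)
        pos += 2
        names.append(body[pos:pos + n])
        pos += n
    return names


# --- client side: find an issuer in the chain that the server trusts ---
def select_chain(acceptable_cas, chain):
    """chain: (subject, issuer) DER Name pairs, leaf first, as held by the client.

    Returns the certificates to send, from the leaf up to (not including) the
    CA the server named, or None when no issuer in the chain is on the list.
    """
    accepted = set(acceptable_cas)
    for i, (_subject, issuer) in enumerate(chain):
        if issuer in accepted:
            return chain[:i + 1]
    return None


def demo():
    """Constructed scenario: server lists only the root, client holds varying chains."""
    root = der_cn("Example Root CA")
    inter = der_cn("Example Intermediate CA")
    leaf = der_cn("client")
    server_list = parse_certificate_request(build_certificate_request([root]))
    return {
        "leaf_only": select_chain(server_list, [(leaf, inter)]),
        "leaf_and_intermediate": select_chain(server_list, [(leaf, inter), (inter, root)]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", "no certificate offered" if result is None else f"{len(result)} cert(s) sent")
```

The first case is the symptom in the original post: the leaf's issuer is the intermediate, the intermediate is not on the server's list, and the client stays silent. The second case is the fix Ulad points to: with the intermediate in the client's store the walk reaches the root, and the client sends leaf and intermediate so the server can build the chain.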

JimCorkey
3/22/2004 11:11:05 AM