We have a web site running on IIS, on Windows Server 2016 server (Server core).

Client certificate authentication is enabled for the website in IIS. When examining the TLS connection traffic to that site (using Wireshark) we see a 'Client Request (13)' message that conveys the 'trusted issuers' list to the browser. That list currently contains all of the certificates in the 'Trusted Root Certification Authorities' store (with a certificate 'Intended Purpose' compatible with client auth).

We would like the list to contain only the single root certificate we choose (this happens to be the Origo Root certificate but I don't believe that is relevant to the problem). To achieve this we have placed the Origo root certificate in the 'Client Authentication Issuers' store, as described in this article:

That certificate is also present in the 'Trusted Root Certification Authorities' store, so that it is trusted on the local machine.

We have also set this registry key (as described in the above article) to enable sending the 'trusted issuers list' to the browser:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\SendTrustedIssuers = 1 (DWORD)
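Added example, not part of the original post: one way to check which issuers the server advertises is to parse the handshake message of type 13 (named CertificateRequest in TLS 1.2, RFC 5246) offline and compare its issuer list with the intended one. The sample bytes and the names `Root A` and `Root B` are constructed, and the parser assumes the raw bytes of a TLS 1.2 handshake message exported from a capture.

```python
import struct

CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
# Constructed sample, not a capture: a type 13 message listing CN=Root A and CN=Root B.
SAMPLE = bytes.fromhex(
    "0d000032" "0101" "00020401" "002a"
    "0013" "3011310f300d06035504030c06526f6f742041"
    "0013" "3011310f300d06035504030c06526f6f742042")

def der_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def common_name(dn):
    """Return the CN of a DER Name, or None (reads the first attribute of each RDN)."""
    _, rdns, _ = der_tlv(dn, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = der_tlv(rdns, pos)
        _, atv, _ = der_tlv(rdn, 0)
        _, oid, nxt = der_tlv(atv, 0)
        if oid == CN_OID:
            return der_tlv(atv, nxt)[1].decode("utf-8", "replace")
    return None

def issuer_names(msg):
    """List the issuer CNs in a TLS 1.2 CertificateRequest handshake message."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a handshake message of type 13")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                  # skip certificate_types
    pos += 2 + struct.unpack_from(">H", body, pos)[0]  # skip signature algorithms
    end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
    pos += 2
    names = []
    while pos < end:
        n = struct.unpack_from(">H", body, pos)[0]     # length of one DistinguishedName
        names.append(common_name(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names

def unexpected_issuers(msg, allowed):
    return [name for name in issuer_names(msg) if name not in allowed]
```

An empty result from `unexpected_issuers` means the server advertises only the issuers in the allowed set.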