Limit the List of Certification Authorities allowed for Client Authentication

This seem to be something a lot of people are interested in.



On Windows Server 2003 and Windows 2000 (since the MS04-011 update) you can't use Certificate Trust Lists (CTL's) for this target.



Previoously in IIS5 using the CTL wizard you could ADD certificates to the list of allowed Certification Authorities (CA's) on top of what is already in the Local Computer Certificates store. In Windows Server 2003 / IS6 you can only limit the trust of the site to the sites in the CTL.

Example. If the root store contains CA1 and CA2, you can configure Website 1 with no IIS CTL and both CA1 and CA2 are trusted. If for WebSite 2 you create IIS CTL and add CA1, then only CA1 will be trusted for Site 2. 

Note: Using CTL's you cannot limit the list of CA's sent back to the client during the TLS handshake. I.e. you can't use CTL's to limit the list of certificates that Internet Explorer is showing. 


What you can do though is limit the use of the CA's that are installed. Here is what you need to do.


  1. Add the "Certificates" plugin to the mmc of your choice.
  2. Point it to "Local Computer"
  3. Open up the resulting tree in the left pane and navigate to the "Trusted Root Certification Authorities\Certificates" folder.
  4. Check in the right hand pane which of the certificates show "Client Authentication" in the "Intended Purposes" column.
  5. For each of (those certificates except those you want to accept) do:
  6. {
    1. doubleclick on the certificate
    2. Go to the "Details" pane.
    3. Click on the "Edit Properties..." button.
    4. uncheck the "Client Authentication" box (You might have to click on the "Enable only the following purposes" first)
    5. Click "OK".
    6. Click "OK".
  7. }