
We configured the IIS server to require the client's certificate. While we have made it work, I noticed that the IIS server is sending a Cert Authorities in the CertificationRequest. Is there a configuration in IIS to enable that?

Here are the handshake messages:

*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Cert Authorities:
<Empty>
*** ServerHelloDone

The problem is that if the server does not specify which CA is acceptable, the client assumes all CAs are acceptable. We have multiple keys in the keystore, so the client will choose the 'first' one, where there is no definition of 'first'.


1 Answer


This behavior is controlled by the registry entry "SendTrustedIssuerList". Since Windows Server 2012, the default behavior has been changed to "off". This entry needs to be set to 1.

Source: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786429(v=ws.11)?redirectedfrom=MSDN

Answered 2021-02-23T00:40:05.483
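
To confirm what the server actually sends before and after such a change, the CertificateRequest shown in the question can be decoded directly. This is an added example, not code from the question or the answer. It assumes the TLS 1.2 message layout from RFC 5246 and raw handshake message bytes as input; the function names and the sample DN are constructed for illustration.

```python
# CertificateRequest layout per RFC 5246 section 7.4.4 (TLS 1.2).
CERT_TYPES = {1: "RSA", 2: "DSS", 64: "ECDSA"}  # ClientCertificateType values

# Constructed DER Name "CN=Example CA" (sample data, not from a real server).
SAMPLE_DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"


def parse_certificate_request(msg: bytes) -> dict:
    """Decode one handshake message: type(1) | length(3) | body."""
    if len(msg) < 4 or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match body")
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of message")
        pos += n
        return body[pos - n:pos]

    cert_types = [CERT_TYPES.get(t, f"type_{t}") for t in take(take(1)[0])]
    sig_algs = take(int.from_bytes(take(2), "big"))
    ca_block = take(int.from_bytes(take(2), "big"))
    if pos != len(body):
        raise ValueError("trailing bytes after certificate_authorities")
    # certificate_authorities: repeated (2-byte length, DER DistinguishedName)
    authorities, i = [], 0
    while i < len(ca_block):
        n = int.from_bytes(ca_block[i:i + 2], "big")
        dn = ca_block[i + 2:i + 2 + n]
        if n == 0 or len(dn) != n:
            raise ValueError("malformed DistinguishedName entry")
        authorities.append(dn)
        i += 2 + n
    return {"cert_types": cert_types, "sig_algs": sig_algs.hex(),
            "authorities": authorities}


def build_sample(authorities: list) -> bytes:
    """Build a constructed CertificateRequest for offline testing."""
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in authorities)
    body = (b"\x03\x01\x02\x40"      # three cert types: RSA, DSS, ECDSA
            + b"\x00\x02\x04\x01"    # one signature algorithm: sha256 + rsa
            + len(cas).to_bytes(2, "big") + cas)
    return b"\x0d" + len(body).to_bytes(3, "big") + body
```

An empty `authorities` list in the result corresponds to the `<Empty>` line in the question's trace; each entry returned otherwise is the DER encoding of one acceptable issuer name.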