Thursday, February 23, 2012 9:40 PMWe have an application hosted external to our company whereby certificate based authentication is required - we access the application through Internet Explorer. The Apache server hosting the application does not directly trust our internal PKI, however, there is a cross-certification trust in place such that our certificates are trusted through the X-cert. When we attempt to authenticate to the application from a domain joined computer we can see when inspecting the SSL handshake (using WireShark debugging) that both our EE certificate and our issuing CA certificate are posted to the application - the authentication fails because the application server isn't "clever enough" to ignore the issuing CA certificate and build it's own chain via the X-cert.
However, if we access the application from a non-domain joined computer (where we don't have our own CA certificate chain installed) we then see that only the EE certificate is posted in the SSL handshake and the application server correctly builds a trust chain via the X-cert.
We would like to be able to control Internet Explorer such that only the EE certificate is posted in the authentication transaction - but I can't see any obvious "visible" settings to do this. Does anyone know of any "lower" Internet Explorer settings which may allow us to control the "certificate selection" behaviour? Another avenue might be for us to look at "tuning" the application server , but we'd very much prefer not to go down that avenue.
Kind regards, Dave
Monday, February 27, 2012 8:15 AMThere is no native setting to do this. Maybe you need to develop an IE plugin.
Monday, February 27, 2012 8:40 AMThanks - I'd guessed as much but just thought it worth asking the question.
Monday, February 27, 2012 5:53 PM
The server can actually enforce a restriction on what certificates the client should consider. Apache mod_ssl can be configured using SSLCADNRequestFile or SSLCADNRequestPath directive to support that.
- Marked As Answer by Chip Eater Wednesday, February 29, 2012 7:42 PM