Client Certificate Authentication Behaviour Control in Internet Explorer


  • We have an application hosted external to our company whereby certificate-based authentication is required - we access the application through Internet Explorer. The Apache server hosting the application does not directly trust our internal PKI, however, there is a cross-certification trust in place such that our certificates are trusted through the X-cert. When we attempt to authenticate to the application from a domain joined computer we can see when inspecting the SSL handshake (using Wireshark debugging) that both our EE certificate and our issuing CA certificate are posted to the application - the authentication fails because the application server isn't "clever enough" to ignore the issuing CA certificate and build its own chain via the X-cert.

    However, if we access the application from a non-domain joined computer (where we don't have our own CA certificate chain installed) we then see that only the EE certificate is posted in the SSL handshake and the application server correctly builds a trust chain via the X-cert.

    We would like to be able to control Internet Explorer such that only the EE certificate is posted in the authentication transaction - but I can't see any obvious "visible" settings to do this. Does anyone know of any "lower" Internet Explorer settings which may allow us to control the "certificate selection" behaviour? Another avenue might be for us to look at "tuning" the application server, but we'd very much prefer not to go down that avenue.

    Kind regards, Dave
    Thursday, February 23, 2012 9:40 PM
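
Added example, not part of the original post: a small parser for the TLS 1.0-1.2 client `Certificate` handshake message that reports whether the client sent only the EE certificate or also CA certificates, the difference the post observes between domain-joined and non-domain-joined machines. It assumes the message bytes have been exported from a capture already reassembled and unencrypted; the function names and sample blobs are constructed for illustration.

```python
HANDSHAKE_CERTIFICATE = 11  # HandshakeType.certificate in TLS 1.0-1.2

def u24(buf, off):
    """Read a 3-byte big-endian length field."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")

def split_certificate_message(msg):
    """Return the DER blobs in one reassembled Certificate handshake message."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    if u24(msg, 1) != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    if u24(msg, 4) != len(msg) - 7:
        raise ValueError("certificate_list length mismatch")
    certs, off = [], 7
    while off < len(msg):
        n = u24(msg, off)
        off += 3
        if n == 0 or off + n > len(msg):
            raise ValueError("bad certificate entry length")
        certs.append(msg[off:off + n])
        off += n
    return certs

def classify(msg):
    """Summarise what the client put on the wire."""
    count = len(split_certificate_message(msg))
    if count == 0:
        return "no certificate sent"
    if count == 1:
        return "EE certificate only"
    return f"EE certificate + {count - 1} CA certificate(s)"

def build_certificate_message(blobs):
    """Build a constructed sample message (placeholder bytes, not real DER)."""
    entries = b"".join(len(b).to_bytes(3, "big") + b for b in blobs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body

# Constructed samples mirroring the two cases in the post.
DOMAIN_JOINED = build_certificate_message([b"EE-placeholder", b"ISSUING-CA-placeholder"])
NON_DOMAIN = build_certificate_message([b"EE-placeholder"])

if __name__ == "__main__":
    print("domain-joined:", classify(DOMAIN_JOINED))
    print("non-domain   :", classify(NON_DOMAIN))
```

Each blob returned by `split_certificate_message` is one DER certificate in the order the client sent it, so with real capture data it can be passed to an X.509 parser to confirm which entry is the issuing CA.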

