On Thu, Sep 04, 2003, Ohaya wrote:

> One final question...  This one may be specific to the behavior of IE,
> but I'm not sure:
> 
> 1) I have one server certificate installed in IIS, which I created when
> I did the Certificate Server installation.
> 
> 2) In my IE browser, I have two client certificates that I generated and
> installed using my Certificate Server, i.e., these 2 client certs have
> the same root as the root for the server cert in IIS.
> 
> 3) In my IE browser, I also have a 3rd client certificate, which I got
> as a free trial from:
> 
> http://www.globalsign.net/digital_certificate/personalsign/index.cfm
> 
> 4) All 3 of these client certificates are displayed in IE when I do
> Tools->Internet Options->Content->Certificates
> 
> Now the question:  When I point my IE browser to my IIS with the
> "https://" URL, IE pops up a window asking me which client cert I want
> to use.  BUT, this window only displays the 2 client certs that I
> created using Certificate Server.  The GlobalSign cert isn't listed!
> 
> The reason that I was trying this last "experiment" was I was wondering
> what would happen if I tried to connect to a server that had a server
> cert issued by one CA (my Certificate Server), using IE and a client
> cert from a different CA (GlobalSign)?
> 
> Does anyone know why IE doesn't show/list the GlobalSign client cert?
> From what I've read in the SSL protocol doc, it doesn't appear that the
> server sends the browser a list of "valid" CAs, so how or why does IE
> "know" not to list the GlobalSign client cert?
> 

It does send the client a list of CAs it considers acceptable when it performs
client authentication. You can use the OpenSSL s_client tool to see the list.
What's probably happening is that the GlobalSign CA isn't included in the
list.

There are ways to add additional CAs to IIS which it will send when it
authenticates a client. I don't have the precise details but they should be in
the archives to this group somewhere...

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
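Added illustration (not part of the thread) of the CertificateRequest message Steve refers to: a small builder and parser for the TLS 1.0-1.2 handshake body (RFC 5246 section 7.4.4), and a check of whether a client cert's issuer name appears in the advertised certificate_authorities list. The CA names are constructed for the example, and the byte-for-byte DER comparison is a simplification of how browsers match issuers.

```python
import struct

def der(tag, content):
    # Minimal DER TLV with short-form length; enough for the small sample names here.
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def dn_cn(common_name):
    # X.501 Name holding a single RDN "CN=<common_name>" (OID 2.5.4.3, UTF8String).
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, common_name.encode()))
    return der(0x30, der(0x31, attr))

def build_certificate_request(ca_names, tls12=True):
    # CertificateRequest body: certificate_types, [TLS 1.2: signature algorithms],
    # then certificate_authorities as a 2-byte length followed by length-prefixed DNs.
    body = bytes([2, 1, 64])                       # rsa_sign, dss_sign
    if tls12:
        body += struct.pack("!H", 2) + b"\x04\x01"  # one algorithm: sha256 + rsa
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return body + struct.pack("!H", len(cas)) + cas

def parse_certificate_request(body, tls12=True):
    """Return (certificate_types, [DER DistinguishedName, ...]) from a request body."""
    pos = 0
    n = body[pos]; pos += 1
    types = list(body[pos:pos + n]); pos += n
    if tls12:
        (sl,) = struct.unpack_from("!H", body, pos); pos += 2 + sl
    (total,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + total
    if end > len(body):
        raise ValueError("truncated certificate_authorities")
    names = []
    while pos < end:
        (ln,) = struct.unpack_from("!H", body, pos); pos += 2
        if pos + ln > end:
            raise ValueError("truncated DistinguishedName")
        names.append(body[pos:pos + ln]); pos += ln
    return types, names

def would_be_offered(client_issuer_dn, body, tls12=True):
    # A client offers a cert only if its issuer is among the advertised CA names;
    # a cert from a CA missing from the list never shows up in the chooser dialog.
    _, names = parse_certificate_request(body, tls12)
    return client_issuer_dn in names
```

Against a live server, `openssl s_client -connect host:443` prints the same list under the heading "Acceptable client certificate CA names" whenever the server requests a client certificate.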
