IIS 8 through IIS 10 don’t send the CTL to the client for client-side certificate filtering

So let’s say you’re moving from Windows Server 2008 R2 with IIS 7.5 to something newer and you have a Certificate Trust List (CTL) you use for CAC authentication.  You’re used to that CTL being passed down to the client during the TLS handshake (as the list of acceptable issuer names in the server’s certificate request) so that the browser’s certificate picker only offers the user certificates that chain to the issuers you want.  You migrate to Windows Server 2019 with IIS 10 and, instead of that nicely filtered list, the user is prompted with ALL of the certificates on their system.

What it should look like (screenshot in the original post: the certificate picker showing only the CAC certificates that chain to the CTL issuers):

What it now looks like (screenshot in the original post: the certificate picker showing every certificate in the user’s store):

I finally stumbled across the solution: Microsoft changed the default behavior so that Schannel no longer sends the CTL (the trusted issuer list) down to the client, meaning that to keep this functionality you have to alter the registry to enable it.  Once the change below is made and iisreset is run, the CTL will be sent to the client again to filter their selections.

https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Client-Certificate-Authentication-Part-1/ba-p/324623

The behavior to send the Trusted Issuer List by default is off: Default value of the SendTrustedIssuerList registry key is now 0 (off by default) instead of 1.

Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel
Value: SendTrustedIssuerList (DWORD) = 1
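The registry change above as a script, added here as an example and not taken from the original post or from Microsoft’s blog. It reads the current value (a missing value means the OS default of 0 applies on IIS 8 and later), sets the DWORD to 1 only if needed, reads it back to confirm the write before touching IIS, and then runs iisreset. It assumes it is run from an elevated PowerShell session on the IIS host.

```powershell
# Added example (not from the original post): re-enable Schannel's trusted
# issuer list so IIS 8/10 sends the CTL to the client during the TLS handshake.
# Assumes an elevated PowerShell session on the IIS host where iisreset exists.

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$name = 'SendTrustedIssuerList'

# Read the current value. If the value does not exist, the operating system
# default applies, which on Windows Server 2012 / IIS 8 and later is 0 (off).
$current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; OS default (0, list not sent) applies"
} else {
    Write-Host "$name is currently $current"
}

if ($current -eq 1) {
    Write-Host "$name already enabled; nothing to change"
    return
}

# Set-ItemProperty creates the value if it is missing and overwrites it otherwise.
# -Type DWord is the registry provider's dynamic parameter for the value type.
Set-ItemProperty -Path $path -Name $name -Value 1 -Type DWord

# Verify the write before restarting anything.
$verify = (Get-ItemProperty -Path $path -Name $name).$name
if ($verify -ne 1) {
    throw "Failed to set $name (read back '$verify')"
}
Write-Host "$name set to 1"

# Restart IIS so new TLS handshakes pick up the change.
iisreset
```

To confirm the list is actually being sent, connect from a machine that has OpenSSL with `openssl s_client -connect yourhost:443` against a site configured to accept or require client certificates. When the fix has taken effect the output includes an "Acceptable client certificate CA names" section listing the issuer DNs from your CTL; before the fix it reports "No client certificate CA names sent".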
