How to set IIS to filter for email certificate onlly

When I set IIS to accept certificates, it prompts for and will accept an Identify cert or an email cert.  How can I set it to only prompt for and accept Email certificates?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ParanormasticCryptographic EngineerCommented:
Basically when doing client authentication the server is looking for the key usage for that specific function - if there happens to be additional key usages then so be it.

Depending on the specifics, you might also look into Enable client certificate mapping - depending on how these two different types of certificates are issued, then this could be a possibility.  For example, if retail people get ID certs, whereas HQ people get email certs - you could use this.  If this doesn't work for you, then read on.

Another way would be to separate the CA's that issue each type and only trust one of them in the Client Trust List (CTL).  This is a sticky one as you can only add self-signed certificates to this - i.e. root CA certificates.  You cannot add just a subordinate CA to this list.  In otherwords, this would require setting up another root CA (and issuing subordinate, presumably) in order so you could issue certs of one type from PKI#1 and the other type from PKI#2, then pointing the CTL to only one of them.  Personally I wish they would change this to include subordinates to cut down on the root requirement and also make it more granular so you aren't trusting more than you have to, but that's the way it is.

If you happen to get each type from different CA's already (e.g. one is internal and the other is commercial) then you could just define the appropriate root in the CTL without the extra mess.

Beyond that would require server side scripting to open up the cert, check specific things, and decide from there - I don't know of any scripts that do this, but maybe there's something out there.

Here is a nice link for a lot of client side authentication stuff - a bit old, but still useful:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.