How to set IIS to filter for email certificate only

Posted on 2008-11-16
Last Modified: 2012-05-05
When I set IIS to accept certificates, it prompts for and will accept an Identity cert or an email cert. How can I set it to only prompt for and accept Email certificates?
Question by: mbart

    Accepted Solution

    Basically, when doing client authentication the server is looking for the key usage for that specific function; if there happen to be additional key usages, then so be it.

    Depending on the specifics, you might also look into "Enable client certificate mapping". Depending on how these two different types of certificates are issued, this could be a possibility. For example, if retail people get ID certs whereas HQ people get email certs, you could use this. If this doesn't work for you, then read on.

    Another way would be to separate the CAs that issue each type and only trust one of them in the Client Trust List (CTL). This is a sticky one, as you can only add self-signed certificates to this, i.e. root CA certificates. You cannot add just a subordinate CA to this list. In other words, this would require setting up another root CA (and issuing subordinates, presumably) so that you could issue certs of one type from PKI#1 and the other type from PKI#2, then pointing the CTL to only one of them. Personally I wish they would change this to include subordinates, to cut down on the root requirement and also make it more granular so you aren't trusting more than you have to, but that's the way it is.

    If you happen to get each type from different CAs already (e.g. one is internal and the other is commercial), then you could just define the appropriate root in the CTL without the extra mess.

    Beyond that would require server-side scripting to open up the cert, check specific things, and decide from there. I don't know of any scripts that do this, but maybe there's something out there.

    Here is a nice link for a lot of client side authentication stuff - a bit old, but still useful:
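The server-side check the answer above describes (open the presented certificate and decide on its contents) can be done in ASP.NET with an HTTP module. The following is an added example, not code from the original post or from Microsoft: it reads the client certificate that IIS has already chain-validated, parses it, and rejects the request unless the Enhanced Key Usage extension lists Secure Email (OID 1.3.6.1.5.5.7.3.4). The module name `EmailCertOnlyModule` is a hypothetical name chosen for this example, and the rule that a certificate with no EKU extension at all is rejected is a policy choice of this example rather than something IIS does.

```csharp
// Added example (not from the original post): an ASP.NET IHttpModule that
// rejects any client certificate whose Enhanced Key Usage (EKU) extension
// does not include Secure Email. The type name EmailCertOnlyModule is
// hypothetical; register it under <system.webServer><modules> (integrated
// pipeline) or <system.web><httpModules> (classic pipeline) in web.config.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public class EmailCertOnlyModule : IHttpModule
{
    // id-kp-emailProtection; the Windows constant is szOID_PKIX_KP_EMAIL_PROTECTION.
    private const string SecureEmailOid = "1.3.6.1.5.5.7.3.4";

    public void Init(HttpApplication app)
    {
        // By this point IIS has already negotiated the SSL client certificate,
        // validated its chain against the trusted roots and applied any
        // configured certificate mapping. This module only adds the EKU policy.
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpClientCertificate clientCert = app.Context.Request.ClientCertificate;

        // IsPresent is only true when a certificate was sent in the handshake.
        if (!clientCert.IsPresent ||
            clientCert.Certificate == null ||
            clientCert.Certificate.Length == 0)
        {
            Reject(app, "client certificate required");
            return;
        }

        X509Certificate2 cert;
        try
        {
            // Certificate holds the raw DER bytes of the presented certificate.
            cert = new X509Certificate2(clientCert.Certificate);
        }
        catch (CryptographicException)
        {
            Reject(app, "client certificate could not be parsed");
            return;
        }

        if (!HasEmailProtectionEku(cert))
        {
            Reject(app, "client certificate is not an email certificate");
        }
    }

    // True only if the certificate carries an EKU extension that lists
    // Secure Email. A certificate without any EKU extension is valid for
    // every purpose, which is not the same as "email only", so this example
    // deliberately treats it as not matching.
    public static bool HasEmailProtectionEku(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku == null)
            {
                continue;
            }
            foreach (Oid oid in eku.EnhancedKeyUsages)
            {
                if (oid.Value == SecureEmailOid)
                {
                    return true;
                }
            }
        }
        return false;
    }

    private static void Reject(HttpApplication app, string reason)
    {
        app.Context.Response.StatusCode = 403;
        app.Context.Response.StatusDescription = "Forbidden";
        app.Context.Response.Write("Access denied: " + reason);
        // Skip the rest of the pipeline so no handler runs for this request.
        app.CompleteRequest();
    }
}
```

Two design points worth noting. First, the check is on the presence of the Secure Email purpose, not on the absence of others: a certificate that lists both Secure Email and Client Authentication is still an email certificate and passes, which is what you want, since the TLS layer typically relies on the Client Authentication purpose to accept the certificate in the first place. Second, the module does not redo chain validation; it trusts that IIS already rejected certificates from untrusted CAs, so it should be combined with, not substituted for, the CTL configuration discussed above.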
