Hi everyone,
we are trying to support authentication with the Italian electronic identity card (CIE) as we already do with the Italian CNS (Carta Nazionale dei Servizi). Both are client certificates stored on a secure device and issued by some national trusted and authorized CA.
It happens that all trusted issuer CAs for CNS are root CAs (self-signed), while the issuing CA for CIE is an intermediate CA. If we put those CAs together in the "Client Authentication Issuers" store, only the intermediate CA is sent to the client browser during the SSL handshake. If we remove that certificate, all the other root certificates are sent.
It's said in the Microsoft document Schannel SSP Technical Overview that:
"If the Trusted Root Certification Authorities store contains a mix of root (self-signed) and certification authority (CA) issuer certificates, only the CA issuer certificates will be sent to the server by default."
but it seems to happen also for certificates in the "Client Authentication Issuers" store.
We tried to put ClientAuthTrustMode=2, but nothing changed.
My question is: is there a way to make SCHANNEL send all CA certs in the Client Authentication Issuers store, both root and not root?
Thanks a lot for any help.
Best regards
Federico