IIS 10 CTL not working correctly

We've been running CTL (Certificate Trust Lists) to do CAC access to websites for a while under Windows 2008 R2 and IIS 7.5, but we've begun our migration to Windows Server 2019 with IIS 10. However, after enabling the CTL using the netsh http add command like we've used in the past, CAC works but the CTL list does not seem to be implemented. When we load one of the development websites with the CTL enabled on it, instead of a filtered list of certificates being shown to the user, ALL certificates a user has are in the list of certificates to choose from. Revocation is disabled below just for development testing. SSL Settings in IIS are also set to Require SSL and Require client certificates.

Command run

netsh http add sslcert ipport=1.1.1.1:443 certhash=HASH-VALUE appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=MyCustomCTL sslctlstorename=CA verifyclientcertrevocation=disable verifyrevocationwithcachedclientcertonly=disable clientcertnegotiation=enable

Results from netsh http show sslcert

IP:port : 1.1.1.1:443
Certificate Hash : HASH-VALUE
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : MyCustomCTL
Ctl Store Name : CA
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Reject Connections : Disabled
Disable HTTP2 : Not Set
Disable QUIC : Not Set
Disable TLS1.2 : Not Set
Disable TLS1.3 : Not Set
Disable OCSP Stapling : Not Set
Disable Legacy TLS Versions : Not Set

Anyone run into this or know the solution for it?
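As an added illustration (not part of the original post): a small Python audit script that parses a `netsh http show sslcert` listing like the one above and flags bindings whose CTL or client-certificate settings differ from an assumed expected policy. The sample listing is constructed from the post's output, and the policy (CTL identifier and store required, revocation checking required outside development) is an assumption for the example.

```python
"""Audit 'netsh http show sslcert' output for CAC/CTL bindings."""

# Constructed sample: the binding shown in the post, placeholder hash kept.
SAMPLE_OUTPUT = """\
IP:port : 1.1.1.1:443
Certificate Hash : HASH-VALUE
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : MyCustomCTL
Ctl Store Name : CA
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
Reject Connections : Disabled
"""


def parse_sslcert(text):
    """Split the listing into one dict per binding; a binding starts at 'IP:port'."""
    bindings, current = [], None
    for raw in text.splitlines():
        # netsh prints 'Key : Value'; split on ' : ' so 'IP:port' keeps its colon.
        if " : " not in raw:
            continue
        key, value = (part.strip() for part in raw.split(" : ", 1))
        if key == "IP:port":
            current = {}
            bindings.append(current)
        if current is not None:
            current[key] = value
    return bindings


def audit_binding(binding, production=True):
    """Return findings for one binding against the assumed policy (may be empty)."""
    findings = []
    unset = ("", "(null)")
    if binding.get("Negotiate Client Certificate") != "Enabled":
        findings.append("client certificate negotiation is not enabled")
    if binding.get("Ctl Identifier", "(null)") in unset:
        findings.append("no CTL identifier configured; issuer list is not filtered by a CTL")
    elif binding.get("Ctl Store Name", "(null)") in unset:
        findings.append("CTL identifier set but no CTL store name")
    if production and binding.get("Verify Client Certificate Revocation") != "Enabled":
        findings.append("client certificate revocation checking is disabled")
    return findings


def audit_listing(text, production=True):
    """Map each endpoint in the listing to its findings."""
    return {b["IP:port"]: audit_binding(b, production) for b in parse_sslcert(text)}


if __name__ == "__main__":
    for endpoint, findings in audit_listing(SAMPLE_OUTPUT).items():
        print(endpoint, findings or ["ok"])
```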
