Certificate chain-building uses invalid cert

On a web server we have two different certificates in Intermediate Certification Authorities with the same subject name (and subject name identifier). One is expired and is stored in the Registry physical store. The other is valid and is stored in the Enterprise physical store. Requests to the server that send a client certificate where the subject name (sid) of a certificate in the trust chain matches the subject of these intermediate certificates fail with HTTP 403.13 Forbidden: Client certificate revoked. However, when the client certificate is viewed on the server via the MMC certificates snap-in or by clicking on the .cer file, the trust chain is valid and the serial number of the intermediate cert in the chain matches the valid, non-expired cert from the Enterprise physical store. When the expired certs are deleted from the Registry physical store, requests to the server with the same client cert succeed.

I think that when IIS builds the trust chain it first searches the Registry store and finds the expired certificate, and uses it instead of continuing to search to find the valid cert in the Enterprise store. I think this is a bad implementation. IIS should continue searching and find the valid certs for the chain.
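A diagnostic script for the situation described in the post, added here and not part of the original post: it lists intermediate CA certificates that share a Subject across the machine's physical stores, then builds the chain for the client certificate with the .NET X509Chain API so you can see which intermediate (by serial number and expiry) the chain engine actually picked. It assumes the client certificate has been exported to a placeholder path and that it runs on the IIS server with read access to the machine stores.

```powershell
# Added diagnostic, not the original poster's code. Assumption: the client
# certificate is exported to the placeholder path below; adjust as needed.
$clientCertPath = 'C:\temp\client.cer'

# 1. Find intermediate CA certificates that share a Subject. The logical
#    Cert:\LocalMachine\CA store merges the Registry, Enterprise and Group
#    Policy physical stores, so duplicates across them appear together.
$dupes = Get-ChildItem Cert:\LocalMachine\CA |
    Group-Object -Property Subject |
    Where-Object { $_.Count -gt 1 }

foreach ($group in $dupes) {
    Write-Host "Duplicate intermediate subject: $($group.Name)"
    $group.Group |
        Select-Object Thumbprint, SerialNumber, NotBefore, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } } |
        Format-Table -AutoSize
}

# 2. Build the client certificate's chain and show which intermediate was
#    selected. A mismatch between the serial shown here and the one the MMC
#    snap-in shows points at the store-search order described in the post.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $clientCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online

$ok = $chain.Build($cert)
Write-Host "Chain valid: $ok"
$chain.ChainElements |
    Select-Object @{ Name = 'Subject';  Expression = { $_.Certificate.Subject } },
                  @{ Name = 'Serial';   Expression = { $_.Certificate.SerialNumber } },
                  @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } },
                  @{ Name = 'Status';   Expression = {
                      ($_.ChainElementStatus | ForEach-Object StatusInformation) -join '; ' } } |
    Format-Table -AutoSize

# 3. To see which physical store holds each copy, compare the per-store views:
#    certutil -store CA                (Registry physical store)
#    certutil -enterprise -store CA    (Enterprise physical store)
```

Run it before and after removing the expired copy from the Registry store to confirm the chain engine's choice changes as the post describes.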
