How can I request a client certificate only from a particular CA


Is it possible to request client certificates issued only by a particular CA (Certificate Authority)? The site is using IIS 7.5, and we have client certificates assigned to users following this article: http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/. CTL does not seem to have any effect on this, because the server will always advertise all acceptable CA names, regardless of whether they are in the CTL or not. http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx


Solution

    • Run MMC as an Administrator on the server.
    • Add the Certificates Add-in, selecting the Computer account.
    • In each of the sub-folders, for each of the certificates you DO NOT want to be included:
      • If the Intended Purpose has or contains Client Authentication:
        • Right-click on the certificate
        • Make sure "Enable only the following purposes" is selected
        • Uncheck "Client Authentication"
        • Click OK.

    I had to do this for over 400 certificates on two servers... twice (because GPOs overwrote my settings).
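Whether the edit above actually worked is visible from the client side: the CA names IIS advertises are the ones it sends in the TLS CertificateRequest, and `openssl s_client` prints them under "Acceptable client certificate CA names" (only when the site has client certificates set to Accept or Require, otherwise no request is sent). The script below is an added example, not part of the question or the answer: it extracts that list from an s_client transcript and compares it against an allow list, so it can be re-run after a GPO refresh to catch the overwrite the answer mentions. The hostname, the sample transcript and the CA names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: check which CA names a TLS server advertises for client
# certificate selection. Not the original poster's code.
#
# Capture a real transcript with (hostname is an assumption):
#   openssl s_client -connect www.example.com:443 -servername www.example.com \
#       </dev/null 2>/dev/null > handshake.txt
# and feed handshake.txt to the functions below on stdin.

# Constructed sample of an openssl s_client transcript, trimmed to the parts
# that matter. Real output contains more sections and a certificate chain.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:CN = Example Internal CA
---
subject=CN = www.example.com
issuer=CN = Example Internal CA
---
Acceptable client certificate CA names
CN = Example Internal CA
CN = Example Root CA
CN = Third-Party Root CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 3021 bytes and written 403 bytes
'

# advertised_cas: read an s_client transcript on stdin, print one advertised
# CA name per line. The list starts after the "Acceptable client certificate
# CA names" header and ends at the next section header or "---" separator.
advertised_cas() {
    awk '
        /^Acceptable client certificate CA names/ { inlist = 1; next }
        inlist && (/^Client Certificate Types/ ||
                   /^Requested Signature Algorithms/ ||
                   /^No client certificate CA names sent/ ||
                   /^---/) { inlist = 0 }
        inlist { print }
    '
}

# check_advertised_cas ALLOWFILE: read a transcript on stdin; return 0 when
# every advertised CA name appears (as a whole line) in ALLOWFILE, 1 when the
# server advertises a CA that is not on the allow list. Unexpected names are
# reported on stderr so the operator knows which certificate to fix.
check_advertised_cas() {
    allowfile="$1"
    # grep -vxF: whole-line, fixed-string match against the allow list; the
    # "|| true" keeps a clean run (grep exit 1, nothing printed) from tripping set -e.
    unexpected=$(advertised_cas | grep -vxF -f "$allowfile" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected CA advertised by server:\n%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# demo: run the check against the constructed transcript with an allow list
# that contains only the CA we want clients to be prompted for.
demo() {
    allow=$(mktemp)
    printf 'CN = Example Internal CA\n' > "$allow"
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | check_advertised_cas "$allow"
    rc=$?
    rm -f "$allow"
    return $rc
}
```

In the constructed sample the check fails because the server still advertises "CN = Example Root CA" and "CN = Third-Party Root CA": those are the certificates whose Client Authentication purpose has not been disabled (or has been re-enabled by policy). A 0 exit status after the MMC edits means the server now advertises only the allowed issuer; scheduling the check after each Group Policy refresh turns the silent overwrite the answer describes into an alert.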