I have .net core web application which runs using kestrel. There we have client certificate authorization, which works fine, but there is one issue, if user have some custom company related client certificates then browser offers big list of client certificates. But we accept only certain certificates. So question is how to filter out client certificates based on root certificates. I haven't found any way to pass root certificate list to client, i can only validate them after user already selected certificate. I have seen few websites where browser offers to select only compatible certificates, but as they use different technology it doesn't help much with .net core
See example using Kestrel here. I've found it to not work on Windows personally though so I would host on Linux.
For more information on Windows, see here.