Forum Discussion
Al_17441
Nimbostratus
Apr 11, 2008
Have IE display only certificates from a list of Cert issuers
I'm currently trying to have the browser only display certs that have a certain issuer. Because we are dealing with Govt. SmartCard technology, it holds multiple certificates and displays them all an...
Kevin_Stewart
Employee
Apr 12, 2008
I deal with DoD smart cards as well, and if we're talking about the same system, the cards have an identity certificate and two email certificates (signature and encryption). To implement what you're talking about, we modified the client certificate bundle in the SSL client profile to ONLY include the SUBORDINATE CA certificates of the identity certs and removed the DoD roots (also no email Sub-CAs). The DoD roots act as a "catch all", so removing them removes the display of anything not specifically listed in the bundle. If you want to get fancy, you can also restrict to only hardware tokens (smart cards, not soft certs) by filtering on the certificate policy OID, which is different between the two, and also different between DoD ECA (external certificate authority) soft and hard tokens (Verisign, DST, ORC).
I hope this helps.
Kevin
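The selection behaviour described in the reply above, modelled as an added example that is not part of either post and is not F5 or browser code. It assumes the browser shows a certificate when any CA in its chain appears in the bundle the server advertises; the CA names and policy OIDs are constructed placeholders, not real DoD values.

```python
# Constructed sample data: CA names and OIDs are placeholders (2.999 is the example OID arc).
ISSUER_OF = {  # CA subject -> subject of the CA that issued it (a root issues itself)
    "CN=Example Root CA": "CN=Example Root CA",
    "CN=Example ID CA-1": "CN=Example Root CA",
    "CN=Example EMAIL CA-1": "CN=Example Root CA",
}
HARDWARE_POLICY_OIDS = {"2.999.1.1"}  # hypothetical "hardware token" policy OID

CERTS = [  # three certificates on a card plus one software certificate (constructed)
    {"name": "identity", "issuer": "CN=Example ID CA-1", "policies": {"2.999.1.1"}},
    {"name": "email-signature", "issuer": "CN=Example EMAIL CA-1", "policies": {"2.999.1.1"}},
    {"name": "email-encryption", "issuer": "CN=Example EMAIL CA-1", "policies": {"2.999.1.1"}},
    {"name": "soft-identity", "issuer": "CN=Example ID CA-1", "policies": {"2.999.1.2"}},
]


def chain_names(issuer):
    """Return the issuing CA and every CA above it, up to the self-signed root."""
    names = []
    while issuer not in names:
        names.append(issuer)
        issuer = ISSUER_OF.get(issuer, issuer)  # unknown issuer ends the walk
    return names


def offered_by_browser(certs, bundle):
    """Names of certificates the picker shows: any CA in the chain is in the bundle."""
    wanted = set(bundle)
    return [c["name"] for c in certs if wanted & set(chain_names(c["issuer"]))]


def hardware_only(certs, bundle):
    """Apply the bundle filter, then keep certificates asserting a hardware policy OID."""
    shown = set(offered_by_browser(certs, bundle))
    return [c["name"] for c in certs
            if c["name"] in shown and c["policies"] & HARDWARE_POLICY_OIDS]


if __name__ == "__main__":
    # Root in the bundle: every certificate chains to it, so all are listed.
    print(offered_by_browser(CERTS, ["CN=Example Root CA"]))
    # Only the identity subordinate CA: email certificates drop out of the list.
    print(offered_by_browser(CERTS, ["CN=Example ID CA-1"]))
    # Policy OID check on top: the software certificate is rejected as well.
    print(hardware_only(CERTS, ["CN=Example ID CA-1"]))
```
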