When using certificate mapping you will need to configure IIS 5.0 to trust only a limited number of CAs. In Windows 2000 Server and IIS 5.0, this is done through certificate trust lists (CTLs).
A CTL is a set of CA certificates that an administrator has designated as trustworthy. For a client authentication certificate to be used successfully, it must be signed (issued) by a trusted CA listed in the CTL.
For example, if you trusted only certificates issued by two CAs, such as ExplorationAir Corp. CA and VeriSign, you could define a CTL that lists just those two CAs. If a user attempts to connect to your Web server with a client authentication certificate issued by any other CA, access is denied.
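The following is an added example, not IIS 5.0 or Windows 2000 tooling: it reproduces the CTL semantics above with OpenSSL, building two constructed CAs ("ExplorationAir Corp. CA" and a placeholder "Other CA"), issuing a client certificate from each, and then verifying against a PEM bundle that plays the role of the CTL. The `-no-CApath` flag stops OpenSSL from also consulting the system-wide trust store, which is the difference between an administrator-defined allow-list and "any installed root".

```shell
#!/bin/sh
# Added example: models an IIS-style CTL with OpenSSL. CA names are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Create a self-signed CA. $1 = file stem, $2 = common name.
mk_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -days 30 -subj "/CN=$2" 2>/dev/null
}
mk_ca explorationair "ExplorationAir Corp. CA"   # will be placed on the CTL
mk_ca other "Other CA"                           # will NOT be on the CTL

# Issue a client authentication certificate. $1 = stem, $2 = CA stem, $3 = CN.
mk_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 30 2>/dev/null
}
mk_client alice   explorationair "Alice"    # issued by a CA on the CTL
mk_client mallory other          "Mallory"  # issued by a CA not on the CTL

# The CTL: a bundle containing only the CA certificates the administrator trusts.
cat explorationair.pem > ctl.pem

# Returns 0 if the client certificate chains to a CA on the CTL, non-zero otherwise.
# -no-CApath keeps the system trust directory out of the decision, so a
# certificate from any other installed root is still rejected.
ctl_verify() {
  openssl verify -CAfile ctl.pem -no-CApath "$1" >/dev/null 2>&1
}

ctl_verify alice.pem   && echo "alice: accepted (issuer is on the CTL)"
ctl_verify mallory.pem || echo "mallory: denied (issuer is not on the CTL)"
```

Drop `-no-CApath` and re-run to see the weaker behaviour the CTL is meant to replace: the check then accepts any certificate that chains to a root already installed on the host, not just the CAs you listed.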