In Windows 2008 R2 it is (not yet) possible to create a certificate trust list (CTL) in order to restrict login with user certificates to IIS only to specific Certificate Authorities. However CTLs can be imported and then used with IIS. In order to achieve this, we need to use the utility MakeCTL which is included in the Windows 2003 Platform SDK (for example: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=D8EECD75-1FC4-49E5-BC66-9DA2B03D9B92). 1) Create a CTL with MakeCTL.exe (on a W2K3, or W2K8 non R2 server) and export it to a file. See also http://viisual.net/Configuration/IIS7-CTLs.htm. It is important to specify 1.3.6.1.4.1.311.10.1 as a custom purpose for this certificate. 2) Install the following CTL Hotfix on your W2K8 R2 UAG server (http://support.microsoft.com/default.aspx?scid=kb;EN-US;981506). 3) Open MMC with the Certificate snap-in on W2K8 R2 UAG server and import the CTL file (*.stl) you created into Intermediate Certificates (for Computer).
4) Determine the certhash + appid for the IIS site / UAG trunk: netsh http show sslcert ipport=a.b.c.d:443
5) Delete the existing SSL link: netsh http delete sslcert ipport=a.b.c.d:443
6) Link the SSL certificate + CTL with the IIS site / UAG trunk again: netsh http add sslcert ipport=128.1.0.82:443 certhash=xyz appid=abc sslctlidentifier=Name sslctlstorename=CA (important is that sslctlstorename=CA) 7) Activate the UAG configuration (therefore the registry settings will be stored in the TMG storage and will there after a reboot too).
Ed Price MSFT edited Revision 7. Comment: These are all formatting and spacing edits.
Ed Price MSFT edited Revision 1. Comment: Updated title case, added tags, and made minor edits.
Very useful Thomas!