Client Certificate Authentication
Hello,

We use client certificate authentication. Client certs are issued by an intermediate CA. When visiting the client cert secured website, the only certs offered by the browser are those which are issued from a root CA. The intermediate CA cert is installed on the web server. If we install the intermediate cert on the client, the browser then offers the client cert. Is this correct behavior and if so why? I was expecting the client to offer the client cert issued by the intermediate CA, as the web server has both root and intermediate certs installed.

Many thanks
August 30th, 2011 5:36pm

Yes, this is expected. The certificate selection API displays only valid certificates which are issued by a trusted authority. Therefore both server and client must trust the given CA certificate.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 31st, 2011 9:08am

Thanks, but I find that a bit confusing, since if I have a client certificate (including private key) from a root CA, then it does show up without the root CA cert being present on the client, but a client cert (with private key) issued by a subordinate CA does not show up.
August 31st, 2011 9:29am

It seems that the certificate chaining engine is unable to locate the subordinate CA certificate via the AIA extension. Since your root CA certificate is explicitly installed on client machines, there are no problems with it. My thought is that the CDP/AIA locations on the subordinate CA are not correctly configured.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 31st, 2011 10:56am
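The chain-building behaviour discussed above can be reproduced outside Windows. The following script is an added example, not code from the thread or its posters: it builds a constructed root -> intermediate -> client PKI with openssl, then verifies the client certificate with only the root trusted (fails: the intermediate is missing, as on the poster's client machines) and again with the intermediate supplied (succeeds). The AIA URL in the config is hypothetical; note that `openssl verify` never downloads the issuer from AIA, whereas the Windows chain engine would try to.

```shell
# Added example (not from the thread): reproduce the missing-intermediate chain failure with openssl.
# A constructed root -> intermediate -> client PKI is generated in a temp dir, then the client cert is
# verified against the root alone and against root plus intermediate.
set -e
WORK=$(mktemp -d) && cd "$WORK"
export SUBJ=""   # subject CN, read by the config below via ${ENV::SUBJ}
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ${ENV::SUBJ}
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
# Hypothetical AIA: a Windows chain engine would try to fetch the issuer here; openssl verify does not.
authorityInfoAccess = caIssuers;URI:http://pki.example.invalid/inter.crt
EOF
make_pki() {
  # Root CA (self-signed), intermediate CA (signed by root), client cert (signed by intermediate).
  SUBJ="Constructed Root CA" openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
    -out root.pem -days 365 -config pki.cnf -extensions ca_ext 2>/dev/null
  SUBJ="Constructed Intermediate CA" openssl req -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -config pki.cnf 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 365 -extfile pki.cnf -extensions ca_ext 2>/dev/null
  SUBJ="alice" openssl req -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -config pki.cnf 2>/dev/null
  openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out client.pem -days 365 -extfile pki.cnf -extensions client_ext 2>/dev/null
}
# Exit 0 when a chain client -> root can be built. $1 is an optional file of untrusted
# intermediates, standing in for the intermediate cert being installed on the client machine.
verify_client() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" client.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
  fi
}
make_pki
verify_client "" && echo "root only: chain built" || echo "root only: no chain (intermediate missing)"
verify_client inter.pem && echo "root + intermediate: chain built"
```

The same split explains the thread: a certificate issued directly by the trusted root chains immediately, while one issued by the subordinate CA only chains once the client can obtain the subordinate's certificate, either from its local store or through a working AIA location.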

