Example: if the root store contains CA1 and CA2, and you configure Website 1 with no IIS CTL, both CA1 and CA2 are trusted. If for Website 2 you create an IIS CTL and add only CA1, then only CA1 is trusted for Website 2.
Note: using CTLs you cannot limit the list of CAs sent back to the client during the TLS handshake, i.e. you cannot use CTLs to limit the list of certificates that Internet Explorer shows in its selection dialog.
- Add the "Certificates" snap-in to the mmc of your choice.
- Point it to "Local Computer".
- Expand the tree in the left pane and navigate to the "Trusted Root Certification Authorities\Certificates" folder.
- Check in the right-hand pane which of the certificates show "Client Authentication" in the "Intended Purposes" column.
- For each of those certificates, except the ones whose client certificates you want to accept, do:
  - Double-click the certificate.
  - Go to the "Details" tab.
  - Click the "Edit Properties..." button.
  - Uncheck the "Client Authentication" box (you might have to select "Enable only the following purposes" first).
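After working through the mmc steps it is worth verifying the result from the command line rather than by re-reading the snap-in. The following PowerShell script is an added example, not part of the original answer: it walks the machine "Trusted Root Certification Authorities" store and reports which roots are still usable for client authentication. It assumes an elevated PowerShell session on the IIS host and relies on the `EnhancedKeyUsageList` property that the `Cert:` drive exposes, which reflects the effective purposes (the EKU extension combined with any override set via "Edit Properties..."). A root with an empty list is ambiguous in that property (the snap-in shows such a root as either `<All>` or as having no enabled purposes), so the script flags those for a manual look instead of guessing.

```powershell
# Added example (not from the original answer): audit which roots in the machine
# "Trusted Root Certification Authorities" store still count as usable for
# client authentication, i.e. which issuers a client-cert-enabled IIS site
# will accept unless an IIS CTL narrows the list further.
# Assumes an elevated PowerShell session on the IIS host.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-RootClientAuthStatus {
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $cert = $_
        # EnhancedKeyUsageList holds the effective purposes: the EKU extension
        # intersected with any "Edit Properties..." override stored with the cert.
        # An empty list is ambiguous here (<All> purposes, or none enabled), so
        # those roots are marked for manual review in the snap-in.
        $eku = @($cert.EnhancedKeyUsageList)
        $status = if ($eku.Count -eq 0) {
            'REVIEW (no explicit purposes)'
        } elseif ($eku.ObjectId -contains $clientAuthOid) {
            'ACCEPTED for client auth'
        } else {
            'excluded'
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Purposes   = if ($eku.Count) { $eku.FriendlyName -join ', ' } else { '<All> or none' }
            ClientAuth = $status
        }
    }
}

# Roots that will be accepted come first, then the ambiguous ones, then the excluded ones.
Get-RootClientAuthStatus |
    Sort-Object ClientAuth, Subject |
    Format-Table Subject, Thumbprint, NotAfter, ClientAuth, Purposes -AutoSize -Wrap
```

Run it once before and once after editing the certificate properties; every root that should no longer issue acceptable client certificates must move from "ACCEPTED for client auth" to "excluded", and anything left in the "REVIEW" group should be opened in the snap-in to confirm what its "Intended Purposes" column actually says.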