My expired client certificates no longer display when connecting to my Web Server using IE8…

Hello there!

I recently worked on a customer issue where a behavior change was noted after upgrading to Internet Explorer 8. The issue deals with client certificates no longer displaying in the IE client certificate display list dialog when connecting to a Web Server that requires a client certificate for secure communication (connecting over HTTPS using SSL).

The customer noted that using IE6 and IE7, the client certificates would display in the client certificate display list dialog:

image

Please note: Client certificates were removed from the above image to protect the innocent and the guilty.  :)

At first glance, it seemed that Microsoft had regressed a behavior found in IE6 and IE7. However, upon further review, it was determined that the behavior seen in IE8 is actually a “by design” change for IE8 and Windows 7:

It was determined that expired certificates showing up in the IE client certificate display list dialog were a major pain point for customers. When the set of certificates a user could select from contained both valid and expired certificates, users would pick the wrong certificate and then fail to authenticate.

Fortunately, you can revert to the IE6/IE7 behavior by adding the registry key below on the IE client machine:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl]

"Feature_ClientAuthCertFilter"=dword:00000002

Please note: The above feature control key (FCK) uses an older method, so you cannot set this FCK per process. The registry key needs to be set in the following manner (the above key value should work under HKCU as well):

image

With the registry key added, closing and restarting IE should allow the expired client certificates to be displayed when connecting to the Web Server requiring client certificate authentication.
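
A read-only PowerShell audit for the setting above, added here as an example (it is not code from the original post): it reports whether Feature_ClientAuthCertFilter is present under HKLM or HKCU and lists the certificates in the user's Personal store, marking the expired ones. The function names and the choice of the Cert:\CurrentUser\My store are assumptions of this example.

```powershell
# Added example: read-only audit, nothing on the machine is changed.
# Value name and key path are the ones given in the post.
$ValueName = 'Feature_ClientAuthCertFilter'
$SubPath   = 'SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl'

function Get-CertFilterOverride {
    # One row per hive: is the value present, and what is it set to?
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$SubPath" -Name $ValueName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive    = $hive
            Present = $null -ne $item
            Value   = if ($item) { $item.$ValueName } else { $null }
        }
    }
}

function Get-ClientCertStatus {
    # Assumption: client certificates offered by IE live in the current
    # user's Personal store and have a private key.
    param([datetime]$AsOf = (Get-Date))
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
                Status     = if ($_.NotAfter -lt $AsOf) { 'Expired' } else { 'Valid' }
                Thumbprint = $_.Thumbprint
            }
        } | Sort-Object Subject, NotAfter
}

Get-CertFilterOverride | Format-Table -AutoSize
Get-ClientCertStatus   | Format-Table -AutoSize
```

A subject that appears with both a Valid and an Expired row is the mixed set described earlier, the case in which users picked the wrong certificate.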

Well, that about wraps it up for this blog.  I hope it was helpful to you!

Kindest Regards,

The IE Support Team