How to Create a Certificate Trust List in Windows Server 2008 R2 for Use with Unified Access Gateway

In Windows 2008 R2 it is (not yet) possible to create a certificate trust list (CTL) in order to restrict login with user certificates to IIS only to specific Certificate Authorities. However CTLs can be imported and then used with IIS. In order to achieve this, we need to use the utility MakeCTL which is included in the Windows 2003 Platform SDK (for example: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=D8EECD75-1FC4-49E5-BC66-9DA2B03D9B92).

1. Create a CTL with MakeCTL.exe (on a W2K3, or W2K8 non R2 server) and export it to a file. See also http://viisual.net/Configuration/IIS7-CTLs.htm. It is important to specify 1.3.6.1.4.1.311.10.1 as a custom purpose for this certificate.

2. Install the following CTL Hotfix on your W2K8 R2 UAG server (http://support.microsoft.com/default.aspx?scid=kb;EN-US;981506).

3. Open MMC with the Certificate snap-in on W2K8 R2 UAG server and import the CTL file (*.stl) you created into Intermediate Certificates (for Computer).  

4) Determine the certhash + appid for the IIS site / UAG trunk: netsh http show sslcert ipport=a.b.c.d:443

5) Delete the existing SSL link: netsh http delete sslcert ipport=a.b.c.d:443

6) Link the SSL certificate + CTL with the IIS site / UAG trunk again: 
    netsh http add sslcert ipport=128.1.0.82:443 certhash=xyz appid=abc sslctlidentifier=Name sslctlstorename=CA (important is that sslctlstorename=CA)

7. Activate the UAG configuration (therefore the registry settings will be stored in the TMG storage and will there after a reboot too).