MORE INFORMATION

The empty or blank certificate list is usually displayed because either you have no client certificates or you have no client certificates that are trusted by IIS. A third, less common reason stems from a corrupted Certificate Trust List (CTL) on the client or IIS computer.

The CTL is built from certificates in the Trusted Root Certification Authorities certificate store and corruption is usually in the form of two or more certificates with the same Issuer identity. These duplicate identities are usually caused by repetitive installations of root certificates or certificates that are installed to the wrong certificate store.

To eliminate duplicate certificates, follow these steps:

1. Locate the thumbprint of the root Certificate Authority (CA) certificate that was used to sign (that is, verify) the personal or client certificate that you want to use.
   1. In Internet Explorer on the client computer, on the Tools menu, click Internet Options.
   2. Click the Content tab, and then click Certificates.
   3. Select the Personal certificate store.
   4. Double-click the client certificate that you are trying to use.
   5. Click the Certification Path tab.
   6. Double-click the top certificate in the path.
   7. Click the Details tab.
   8. Scroll down to the Issuer and Thumbprint extensions and make a note of these values. You will use these to identify and remove duplicate identities on the client computer and IIS server.
2. On the client computer, remove duplicate certificates.
   1. In Internet Explorer on the client computer, on the Tools menu, click Internet Options.
   2. Click the Content tab, and then click Certificates.
   3. Select the Trusted Root Certification Authorities certificate store.
   4. Double-click the client certificate that you are attempting to use.
   5. Compare the Issuer and Thumbprint fields to the client certificate Issuer and Thumbprint fields. Delete any certificates that MATCH the client certificate's Issuer but that DO NOT match the client certificate's Thumbprint.
      
      Note Also delete any certificates that have different Issuer and Subject (that is, Issued To and Issued By) fields, because all certificates in this store must be "self-signed" (that is, they must have the same Issuer and Subject).
3. On the IIS computer, add the Certificates (Local Computer) Microsoft Management Console (MMC) snap-in.
   1. Open a new Management Console. To do this, click Start, click Run, type Mmc.exe, and click OK.
   2. On the Console menu, click Add/Remove Snap-in.
   3. Click Add.
   4. Double-click Certificates, select Computer Account, and then click Next.
   5. In the Select Computer dialog box, select Local Computer, click Finish, and then click Close to close the Add Standalone Snap-in dialog box.
4. On the IIS computer, remove duplicate certificates.
   1. Expand the Certificates (Local Computer) node.
   2. Expand the Trusted Root Certification Authorities node.
   3. Expand the Certificates node.
   4. Double-click the client certificate that you are attempting to use.
   5. Compare the Issuer and Thumbprint fields to the client certificate Issuer and Thumbprint fields and delete any certificates that MATCH the client certificate's Issuer but that DO NOT match the client certificate's Thumbprint.
      
      Note Also delete any certificates that have different Issuer and Subject (that is, Issued To and Issued By) fields, because all certificates in this store must be "self-signed" (that is, they must have the same Issuer and Subject).