The web log of Joe

Enable certificate negotiation to stop multiple client certificate prompt

After installing your server SSL certificate in IIS and requiring client certificates, you may notice that your users are getting multiple certificate prompts when visiting the site. This is because client certificate negotiation is disabled by default: with it disabled, the server completes the initial TLS handshake and only then renegotiates to request the client certificate, so each new connection to the site can trigger a fresh prompt. Users with ActivClient installed will not see this because ActivClient has PIN caching.

You can enable client certificate negotiation by doing the following (run from an elevated command prompt, since changing HTTP.sys SSL bindings requires administrator rights):

First, save the current SSL binding so you can copy its values back:

netsh http show sslcert > cert.log

Then remove the existing binding (the site will not accept HTTPS connections until the next command completes):

netsh http delete sslcert ipport=[IP:port from cert.log]

Finally, re-add the binding with the same certificate and application ID, this time with client certificate negotiation enabled:

netsh http add sslcert ipport=[IP:port from cert.log] certhash=[Certificate Hash from cert.log] appid={[Application ID from cert.log]} certstorename=MY clientcertnegotiation=enable

Running netsh http show sslcert again afterwards should show "Negotiate Client Certificate : Enabled" for that binding.
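The procedure above copies values from cert.log by hand. The PowerShell below is an added example (not from the original post) that parses the output of netsh http show sslcert, reports which bindings still have client certificate negotiation disabled, and prints the delete/add commands that would re-create each one with negotiation enabled. The binding shown in $sample is constructed to match the netsh field layout; the certificate hash and application ID in it are placeholders, not real values.

```powershell
# Constructed sample of 'netsh http show sslcert' output (placeholder values).
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {11111111-2222-3333-4444-555555555555}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Disabled
'@

# Map the netsh field labels onto property names.
$fieldMap = @{
    'Certificate Hash'             = 'CertHash'
    'Application ID'               = 'AppId'
    'Certificate Store Name'       = 'StoreName'
    'Negotiate Client Certificate' = 'NegotiateClientCert'
}

# Parse the text into one object per IP:port binding.
function Get-SslCertBinding {
    param([string[]]$Lines)
    $bindings = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = [ordered]@{ IpPort = $Matches[1] }
            $bindings += $current          # hashtable is by reference; later fields land in it
        }
        elseif ($current -and $line -match '^\s*([A-Za-z :]+?)\s*:\s*(\S+)\s*$' -and $fieldMap.ContainsKey($Matches[1])) {
            $current[$fieldMap[$Matches[1]]] = $Matches[2]
        }
    }
    $bindings | ForEach-Object { [pscustomobject]$_ }
}

# Emit the two netsh commands for every binding that is not yet enabled.
# Deleting a binding drops HTTPS until the matching add completes, so run both together.
function Get-FixCommand {
    param([string[]]$Lines)
    foreach ($b in Get-SslCertBinding -Lines $Lines) {
        if ($b.NegotiateClientCert -eq 'Enabled') { continue }   # already correct, leave it alone
        "netsh http delete sslcert ipport=$($b.IpPort)"
        # Application ID from netsh already includes the braces, so none are added here.
        "netsh http add sslcert ipport=$($b.IpPort) certhash=$($b.CertHash) appid=$($b.AppId) certstorename=$($b.StoreName) clientcertnegotiation=enable"
    }
}

Get-FixCommand -Lines ($sample -split "`r?`n")
```

On a real server replace $sample with the captured output, e.g. `Get-FixCommand -Lines (netsh http show sslcert)`, and review the printed commands before running them; bindings that use hostname:port (SNI) rather than IP:port are not handled by this parser.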