For the previous thread (Certificates signed by ISRG Root X1 aren't enabled for client authentication on Windows - #9 by peterb), we determined the cause of the issue by trying to use CryptoAPI (via the .NET certificate abstractions) to build a certificate chain for the application policy 1.3.6.1.5.5.7.3.2 (clientAuth). This fails if the certificate chain is built using an intermediate certificate that is signed by ISRG Root X1 (or ISRG Root X2), and works if using an intermediate certificate that is signed by DST Root CA X3. Building the certificate chain also works if manually adding "Client Authentication" as an Intended Purpose to the ISRG Root X1 in the trust store.
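A small diagnostic that reproduces the check described in the post, added here as an example and not code from the original thread: it builds the chain for a leaf certificate twice through the .NET `X509Chain` wrapper over CryptoAPI, once with no application policy and once constrained to the clientAuth OID, and prints the per-element chain status so the `NotValidForUsage` flag (CryptoAPI's CERT_TRUST_IS_NOT_VALID_FOR_USAGE) is visible on the element that carries the restricted root. The certificate file path taken from the first command-line argument is an assumption of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example: compare chain building with and without the clientAuth
// application policy to spot a root whose Intended Purposes exclude it.
static class ClientAuthChainCheck
{
    // id-kp-clientAuth, the application policy named in the post.
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ClientAuthChainCheck <leaf-certificate-file>");
            return 2;
        }

        // Assumption: the argument is a DER or PEM encoded leaf certificate file.
        using var leaf = new X509Certificate2(args[0]);

        bool plainOk = TryBuild(leaf, withClientAuth: false, out string plainReport);
        bool clientAuthOk = TryBuild(leaf, withClientAuth: true, out string clientAuthReport);

        Console.WriteLine($"Chain without application policy: {(plainOk ? "OK" : "FAILED")}");
        Console.Write(plainReport);
        Console.WriteLine($"Chain with clientAuth policy:     {(clientAuthOk ? "OK" : "FAILED")}");
        Console.Write(clientAuthReport);

        if (plainOk && !clientAuthOk)
            Console.WriteLine("Chain is trusted in general but not for Client Authentication: " +
                              "check the Intended Purposes of the root in the trust store.");

        return (plainOk && clientAuthOk) ? 0 : 1;
    }

    // Builds the chain and collects status per element; returns the build result.
    static bool TryBuild(X509Certificate2 leaf, bool withClientAuth, out string report)
    {
        using var chain = new X509Chain();
        // Revocation is not the question here; keep the result focused on policy.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (withClientAuth)
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthOid));

        bool ok = chain.Build(leaf);

        var sb = new StringBuilder();
        foreach (X509ChainElement element in chain.ChainElements)
        {
            sb.AppendLine($"  {element.Certificate.Subject}");
            foreach (X509ChainStatus status in element.ChainElementStatus)
            {
                // NotValidForUsage on the root element is the symptom from the thread.
                string marker = status.Status == X509ChainStatusFlags.NotValidForUsage ? " <== usage restriction" : "";
                sb.AppendLine($"    {status.Status}: {status.StatusInformation.Trim()}{marker}");
            }
        }
        report = sb.ToString();
        return ok;
    }
}
```

This only reproduces the Windows behaviour when run on Windows, where `X509Chain` is backed by CryptoAPI and honours the trust store's Intended Purposes; on Linux and macOS .NET uses its own chain engine, so a passing result there says nothing about Schannel.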