We have a client certificate that is signed by an intermediate certificate, which is in turn signed by a root certificate. Now we want to build a policy that allows all client certificates that are signed by the intermediate certificate.
We currently have the following policy:
- Require SSL or TLS Transport with Client Certificate Authentication (so a client certificate has to be present)
- Authenticate Against Identity Provider
In the identity provider the intermediate certificate is added as a trusted certificate. This works; however, it seems that the intermediate certificate is never checked, because the authentication works even without the root certificate being installed in the gateway. If we only add the root certificate as a trusted certificate for the identity provider, the authentication fails even if the client sends the whole certificate chain.
Are there any other ways to accept all client certificates signed by an intermediate certificate, where the whole certificate chain is checked?
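The three behaviours described in the question can be reproduced outside the gateway. The script below is an added example, not part of the original post and not the gateway product's own tooling: it uses OpenSSL's `verify` as a stand-in for the gateway's validator on a constructed root -> intermediate -> client hierarchy (the CA names, file names and the `pki.cnf` config are all made up for the demo). It shows why trusting the intermediate as an anchor stops the path at the intermediate (OpenSSL needs `-partial_chain` to allow that explicitly), why trusting only the root fails when the client-supplied chain is ignored, and how the usual fix works: trust only the root, feed the client's chain in as untrusted helper certificates so every signature up to the root is checked, and then pin the direct issuer so that only clients of the one intended intermediate are accepted, rather than every leaf under the root.

```shell
#!/bin/sh
# Added example (not from the original post): model the policies being compared with
# OpenSSL on a constructed root -> intermediate -> client hierarchy.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# issue NAME SUBJECT EXT_SECTION [ISSUER]  -- self-signed when ISSUER is omitted.
issue() {
  if [ -z "$4" ]; then
    openssl req -x509 -config pki.cnf -extensions "$3" -newkey ec \
      -pkeyopt ec_paramgen_curve:prime256v1 -nodes -keyout "$1.key" \
      -out "$1.pem" -days 365 -subj "$2" 2>/dev/null
  else
    openssl req -new -config pki.cnf -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
      -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -days 365 -extfile pki.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
  fi
}

# Constructed demo PKI: one root, two intermediates, one client under each.
issue root   "/CN=Example Root CA"         ca_ext
issue int    "/CN=Example Intermediate CA" ca_ext     root
issue other  "/CN=Other Intermediate CA"   ca_ext     root
issue client "/CN=client-1"                client_ext int
issue rogue  "/CN=client-2"                client_ext other
cat int.pem other.pem > intermediates.pem   # what clients send alongside their leaf

# Policy 1 (the current setup): the intermediate itself is the trust anchor. The path
# ends at the intermediate, so the root's signature over it is never checked.
trust_intermediate_only() {
  openssl verify -partial_chain -CAfile int.pem -purpose sslclient "$1" >/dev/null 2>&1
}

# Policy 2: trust only the root but ignore the chain the client sent. The intermediate
# is unknown to the verifier, so every client fails (the second symptom in the question).
trust_root_no_chain() {
  openssl verify -CAfile root.pem -purpose sslclient "$1" >/dev/null 2>&1
}

# Policy 3: trust only the root, and pass the client-supplied chain in as *untrusted*
# helper certificates, so every signature from the leaf up to the root is checked.
full_chain_ok() {
  openssl verify -CAfile root.pem -untrusted intermediates.pem -purpose sslclient "$1" \
    >/dev/null 2>&1
}

# Full-chain validation accepts any leaf under the root. To accept only *this*
# intermediate's clients, additionally pin the leaf's direct issuer name.
issuer_name()  { openssl x509 -noout -nameopt RFC2253 -issuer  -in "$1" | sed 's/^issuer= *//'; }
subject_name() { openssl x509 -noout -nameopt RFC2253 -subject -in "$1" | sed 's/^subject= *//'; }
accept_client() {
  full_chain_ok "$1" && [ "$(issuer_name "$1")" = "$(subject_name int.pem)" ]
}

for f in client.pem rogue.pem; do
  for policy in trust_intermediate_only trust_root_no_chain full_chain_ok accept_client; do
    if "$policy" "$f"; then r=accept; else r=reject; fi
    printf '%-24s %-11s %s\n' "$policy" "$f" "$r"
  done
done
```

Running it prints one line per policy and certificate: `trust_intermediate_only` accepts `client.pem` without ever consulting `root.pem`, `trust_root_no_chain` rejects both clients, `full_chain_ok` accepts both (including the one issued by the other intermediate under the same root), and `accept_client` accepts only the client of the pinned intermediate while still validating the whole path. The name pin is safe here only because the chain check binds that name to the root; pinning the issuer's key identifier or certificate fingerprint is the stricter variant if the root could ever issue a second intermediate with the same name.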