SSL client certificate selection
We are developing internal web applications that rely on mutual SSL authentication. Our users consist of both Windows and Mac users. The user may have multiple certificates in the login keychain. To help the user select the right certificate when prompted by Safari, the server sends a reduced list of CAs. Even though the server sends one CA as part of SSL cert negotiation, the Safari browser shows a list of client certificates from the user's keychain.
For example:
The login keychain has two user identities: A issued from CA_A and B issued from CA_B. When the web server sends the trusted CA list to the browser, it only sends CA_A. But in Safari, users see certificates issued from CA_A and CA_B. Most other browsers (Chrome on OS X, and Chrome and IE on Windows) show only a single certificate.
We want to understand whether this is a bug or expected behavior. Is there any other way of doing this to help reduce user confusion in selecting among multiple certs?
Thanks in advance!
Regards
Anil
MacBook Pro, OS X Yosemite (10.10.2)
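
A server-side check for the setup described above, as an added example that is not part of the original post: it parses `openssl s_client` output to list the CA names the server actually advertises in its certificate request, so you can confirm that only CA_A is sent before looking at browser behavior. The sample output, the DN values and the hostname are constructed placeholders.

```shell
#!/bin/sh
# Added example: inspect the CA names a TLS server advertises when it
# requests a client certificate.

# Read `openssl s_client` output on stdin and print the DNs listed under
# "Acceptable client certificate CA names", one per line.
advertised_cas() {
  awk '
    /^Acceptable client certificate CA names/ { in_list = 1; next }
    in_list && (/^---/ || /^Client Certificate Types:/ || /Signature Algorithms:/) { in_list = 0 }
    in_list && NF { print }
  '
}

# Succeed only if the advertised list is exactly the one expected DN.
# usage: only_advertises "<expected DN>" < s_client_output
only_advertises() {
  expected_dn="$1"
  advertised="$(advertised_cas)"
  [ -n "$advertised" ] && [ "$advertised" = "$expected_dn" ]
}

# Constructed sample of s_client output (not captured from a real server).
sample_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = CA_A
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
SSL handshake has read 3120 bytes and written 456 bytes
EOF
}

# Live use (hostname is a placeholder for your own server):
#   openssl s_client -connect app.internal.example:443 \
#     -servername app.internal.example </dev/null 2>/dev/null | advertised_cas
```

If the list printed for the live server contains more than CA_A, or s_client reports that no CA names were sent, the server configuration rather than the browser is the first thing to fix.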