且构网


Cannot authenticate calls to an ASP.NET MVC3 service using a self-signed client certificate

Updated: 2023-02-15 21:53:07

IIS tries to "negotiate" a mutually trusted connection with the client and because the client certificate is self-signed it refuses to trust it.

Your options:


  1. Use a certificate issued by a well-known certificate authority. This would work but you'll have to reissue the certificate every year or so.
  2. Run your own CA infrastructure, add its root CA certificate into the "trusted root" certificate store of the service machines and issue certificates signed with that root (likely via intermediate certificates).
  3. Add the self-signed certificate into "trusted root" of the service machines. This may induce subtle yet serious security risks. I personally am against this option because it feels really unsafe.
  4. Switch to some other authentication scheme which doesn't use client certificates.
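
A lab sketch of option 2 in PowerShell, added here as an example and not part of the original answer. The subject names and the `C:\temp` path are placeholders, and `New-SelfSignedCertificate` stands in for a real CA product; no intermediate certificate or revocation publishing is set up.

```powershell
# Added example: subject names and file paths are placeholders.
# Requires the PKI module (Windows 10 / Server 2016 or later).

# 1. On the CA machine: create a private root CA certificate.
#    Its private key never leaves this machine.
$rootCa = New-SelfSignedCertificate `
    -Subject 'CN=Example Lab Root CA' `
    -KeyUsage CertSign, CRLSign `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(5) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Issue a client certificate signed by that root.
#    EKU 1.3.6.1.5.5.7.3.2 limits it to TLS client authentication.
$clientCert = New-SelfSignedCertificate `
    -Subject 'CN=example-service-client' `
    -Signer $rootCa `
    -KeyUsage DigitalSignature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Export only the root's public certificate (no private key).
Export-Certificate -Cert $rootCa `
    -FilePath 'C:\temp\example-lab-root-ca.cer' | Out-Null

# 4. On each service machine (elevated session): trust the root CA,
#    not the individual client certificate.
Import-Certificate -FilePath 'C:\temp\example-lab-root-ca.cer' `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Check that the client certificate chains to a trusted root.
#    Revocation is skipped because this lab CA publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($clientCert)) {
    'Client certificate chains to a trusted root.'
} else {
    $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
}
```

Step 5 succeeds only on a machine where the root from step 4 is trusted; on any other machine it reports an untrusted root.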