Enable Multiple Stapled OCSP Responses in IIS


I would like to configure IIS to send multiple stapled OCSP responses when sending its certificate chain to a web client at the start of an SSL/TLS connection.  Currently, IIS only sends the OCSP response (signed indication from the issuing CA that the certificate is still valid and not revoked) for the server certificate, but doesn't send it for the intermediate certificates. 

For instance, if my IIS web server certificate is issued by the Entrust CA, it may be signed by the Entrust intermediate certificate "Entrust L1C", which is then signed by the Entrust root CA certificate "Entrust 2048".  In that circumstance, IIS is only sending the client the OCSP status for the server certificate, but not the OCSP validation status for the "Entrust L1C" certificate.  So, the web client doesn't have to currently do an OCSP query to the Entrust CA for the server certificate (since the web server sends that OCSP response to the web client), but does have to do an OCSP query to the Entrust CA for "Entrust L1C" to verify the intermediate certificate also isn't revoked.  If the web client is behind a tight firewall that doesn't allow browsing to random Internet IPs for OCSP, the web client is unable to know if the certificate is still valid, which is a problem.

How can I configure IIS to send OCSP responses (OCSP stapling) to web clients for the intermediate certificates in its certificate's chain as well?  The Multiple Certificate Status Request Extension is an Internet standard documented in RFC 6961 at http://tools.ietf.org/html/rfc6961.  Is there a way to configure IIS to do this?
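Before changing any server setting it helps to know what the server actually acknowledges. The following is an added example, not code from the question or from Microsoft: a small Python probe that sends a TLS 1.2 ClientHello advertising both the RFC 6066 `status_request` and the RFC 6961 `status_request_v2` extensions and reports which of the two the server echoes in its ServerHello (a server that does not echo `status_request_v2` will never staple responses for the intermediates). The cipher suites, curves and the `probe()` helper name are assumptions made for the example; a server that only acknowledges `status_request` behaves as the question describes.

```python
import os
import socket
import struct

STATUS_REQUEST = 5      # RFC 6066: one stapled OCSP response (server cert only)
STATUS_REQUEST_V2 = 17  # RFC 6961: stapled responses for the whole chain

def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack(">HH", ext_type, len(body)) + body

def build_client_hello(hostname: str) -> bytes:
    """TLS 1.2 ClientHello advertising SNI and both certificate-status extensions."""
    host = hostname.encode()
    sni = struct.pack(">HBH", len(host) + 3, 0, len(host)) + host
    v1 = struct.pack(">BHH", 1, 0, 0)                 # ocsp(1), no responders/exts
    item = struct.pack(">BH", 2, len(v1)) + v1        # ocsp_multi(2) wrapping the same
    v2 = struct.pack(">H", len(item)) + item
    groups = struct.pack(">HHH", 4, 0x0017, 0x0018)   # secp256r1, secp384r1 (assumed)
    sigalgs = struct.pack(">H", 6) + bytes.fromhex("040105010601")  # rsa+sha256/384/512
    exts = (_ext(0, sni) + _ext(STATUS_REQUEST, v1) + _ext(STATUS_REQUEST_V2, v2)
            + _ext(10, groups) + _ext(13, sigalgs))
    suites = struct.pack(">H5H", 10, 0xC02F, 0xC030, 0x009C, 0x002F, 0x0035)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + suites + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def server_hello_extensions(record: bytes) -> set:
    """Extension types present in a TLS 1.2 ServerHello record (empty if none/alert)."""
    pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
    if record[:1] != b"\x16" or len(record) <= pos:
        return set()
    pos += 1 + record[pos] + 2 + 1           # session_id, cipher_suite, compression
    if len(record) < pos + 2:
        return set()
    end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos, found = pos + 2, set()
    while pos + 4 <= min(end, len(record)):
        ext_type, length = struct.unpack(">HH", record[pos:pos + 4])
        found.add(ext_type)
        pos += 4 + length
    return found

def probe(hostname: str, port: int = 443) -> dict:
    """Connect, send the ClientHello and report which status extensions were echoed."""
    with socket.create_connection((hostname, port), timeout=10) as sock:
        sock.sendall(build_client_hello(hostname))
        data = sock.recv(16384)              # ServerHello leads the first record
    exts = server_hello_extensions(data)
    return {"status_request": STATUS_REQUEST in exts,
            "status_request_v2": STATUS_REQUEST_V2 in exts}
```

Run `probe("your.iis.host")` against the server; `status_request_v2: False` means the server will not staple intermediate responses regardless of how the client asks.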

