IIS sends a long list of CAs with the
certificate request, but not the one my client certificate is signed
with.
You said it worked with IE 6.
If this is the problem, you should get exactly the same behaviour with IE 6 than with Mozilla.
The solution seems to be to get IIS to send the correct CA certificate (RSA Data Security) list. Since this is not a Mozilla issue at all, I won't bore you with this any longer.
BTW the list of root IIS presents is completely unrelated to the actual list of roots you've told it to trust for client certificates.
IIS will only send you in this list the root certificates present inside the root certificate store of the computer and enabled for SSL.
Mozilla will need to have locally available the intermediate certificate to go up to the root.
Some other web servers do not behave this way and have less constraints.
