How to do something like in applicationHost.config to apply sslFlags to “/” but nothing within the virtual directory?

On an IIS 10.0 server hosting https://example.com, what do I put in my applicationHost.config so that all of the following is true:

 - https://example.com/ does not request a client certificate.
 - https://example.com/index.html does not request a client certificate.
 - Everything else , https://example.com/* , requests and requires a client certificate.
 - https://example.com/index.html is the default document for https://example.com/

<configuration>
   <location path="">
      <system.webServer>
         <defaultDocument enabled="true">
            <files>
               <add value="index.html" />
            </files>
         </defaultDocument>
         <security>
            <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128">
         </security>
      </system.webServer>
   </location>
   <location path="index.html">
      <system.webServer>
         <security>
            <access sslFlags="Ssl, Ssl128">
         </security>
      </system.webServer>
   </location>
   <location path="/">
      <system.webServer>
         <security>
            <access sslFlags="Ssl, Ssl128">
         </security>
      </system.webServer>
   </location>
</configuration>

does not work because <location path="/"> is not allowed.