Thursday 15 December 2011

CRL checking in IIS 6

It turns out that it is indeed easy peasy to understand how CRLs work in IIS 6.

If the client certificate presented to IIS contains a CRL Distribution Point (CDP) extension, IIS will try to download the CRL from that URL, and if it can't, 403.13 (Client certificate revoked) is your friend.

Thus CRL checking will always take place in IIS except when:

  • Certificates don’t contain a CDP.
  • CertCheckMode is set to 1 for that particular website.

Note that if CertCheckMode is not set, IIS treats it as 0, which means checking is enabled, and also note that CertCheckMode is a metabase property set on a website-by-website basis (for example with adsutil.vbs), not a server-wide switch.
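As an added example (not from the original post or from IIS itself), the following PowerShell script audits CertCheckMode for every web site in the IIS 6 metabase through the IIS ADSI provider, treating an absent property as 0 (checking enabled), optionally sets it on one site, and then reproduces what IIS does at request time by asking certutil to fetch the CRL named in a client certificate's CDP. It assumes Windows Server 2003 with IIS 6 and the IIS:// ADSI provider, an elevated session on the web server itself, and a client certificate exported to C:\temp\client.cer (the path and the parameter names are assumptions).

```powershell
# Added example: audit/set CertCheckMode per site and test CDP reachability.
# Assumes IIS 6 on Windows Server 2003, run on the web server as an
# administrator. The certificate path and parameter names are assumptions.
param(
    [string]$ClientCertPath = 'C:\temp\client.cer',   # assumed path
    [int]$SetCertCheckModeForSite = -1,                # site ID to change; -1 = audit only
    [int]$NewMode = 1                                  # 1 = disable CRL checking, 0 = enable
)

$w3svc = [ADSI]'IIS://localhost/W3SVC'

# Walk every IIsWebServer node under W3SVC. CertCheckMode lives at the site
# level; when the property is absent IIS behaves as if it were 0 (enabled).
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }

    $comment = $site.Properties['ServerComment'].Value
    $mode    = $site.Properties['CertCheckMode'].Value
    if ($null -eq $mode) {
        $shown     = '(unset)'
        $effective = 0
    } else {
        $shown     = [int]$mode
        $effective = [int]$mode
    }
    $state = if ($effective -eq 0) { 'CRL checking ENABLED (default)' } else { 'CRL checking disabled' }
    '{0,-6} {1,-30} CertCheckMode={2,-8} -> {3}' -f $site.Name, $comment, $shown, $state
}

# Change one site only when explicitly asked; the change is per site, so
# other sites keep their own (or the default) behaviour.
if ($SetCertCheckModeForSite -ge 0) {
    $target = [ADSI]("IIS://localhost/W3SVC/$SetCertCheckModeForSite")
    $target.Put('CertCheckMode', $NewMode)
    $target.SetInfo()
    "Set CertCheckMode=$NewMode on site $SetCertCheckModeForSite"
}

# Reproduce the server-side check by hand: can THIS host download the CRL
# from the CDP inside the client certificate? -urlfetch forces a network
# retrieval instead of relying on a cached or locally installed CRL, which
# is what matters for the 403.13 case.
if (Test-Path $ClientCertPath) {
    & certutil.exe -verify -urlfetch $ClientCertPath
} else {
    "No client certificate at $ClientCertPath; skipping CDP fetch test"
}
```

The pre-PowerShell equivalent of the write step is `cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs set W3SVC/1/CertCheckMode 1` (site ID 1 shown as an illustration). Disabling CertCheckMode removes the 403.13 symptom but also stops revoked client certificates from being rejected, so the certutil output, which lists the CDP URLs tried and whether the download succeeded, is the thing to fix first; setting CertCheckMode to 1 should be a deliberate, documented exception for a site, not the default response to the error.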

Simple right?

I wish I'd found Saurabh Singh's very informative post before I'd spent half the morning messing about with an application server and a CA server trying to work out what was going on. I'd like to believe that I would have reached the same conclusion by myself, and I certainly was close: after a myriad of tests revealed that adding a CRL file to the local computer trust store made absolutely no difference, I had another go at googling for an answer. But who knows.

I wonder how IIS 7 deals with CRLs.
