Friday, 16 November 2012

Disable Certificate Revokation List (CRL) Checking in IIS 7.x for client certificates

Roughly a year ago I was pulling my hair out trying to sort out some SSL issues with IIS 6, one of which necessitated disabling CRL checking and I thought that I should find out how to do the same in IIS 7.x, so here it is (I realize that I should try to find out what has changed for IIS 8, now):

I created a domain certificate request from IIS, assigned the certificate to a website and then run the following command, which shows the current state of the binding.
C:\>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 86fc14086c953edac86b8d8f9022c8baae2ad6f6
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
Annoyingly, there isn't a modify flag, which means that the certificate binding needs to be deleted first and then re-added.
So first, the certificate binding must be deleted:
C:\>netsh http delete sslcert ipport=0.0.0.0:443

SSL Certificate successfully deleted
Then it must be re-added:
C:\>netsh http add sslcert ipport=0.0.0.0:443 certhash=86fc14086c953edac86b8d8f9022c8baae2ad6f6
appid={4dc3e181-e14b-4a21-b022-59fc669b0914}
certstore=MY verifyclientcertrevocation=disable

SSL Certificate successfully added
A final check to ensure that this has worked:
C:\>netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 86fc14086c953edac86b8d8f9022c8baae2ad6f6
    Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Disabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check    : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout   : 0
    Ctl Identifier          : (null)
    Ctl Store Name          : (null)
    DS Mapper Usage    : Disabled
    Negotiate Client Certificate    : Disabled
This is useful for situations where firewalls prevent checking of CRLs, it's no use if all servers have an up to date CRL (at least IE will not not let you use a revoked client certificate to authenticate with)

9 comments: