
Disable Client Certificate Revocation (CRL) Check on IIS

This post has been republished via RSS; it originally appeared at: IIS Support Blog articles.

I have been asked on several occasions how to disable the client certificate revocation check in IIS 7. It was fairly easy in IIS 6, but for IIS 7 there is no documentation on how to do so. This post describes how to achieve it. First, list all the existing IIS SSL bindings from the command line:

netsh http show sslcert

Default SSL binding when added via IIS Manager:

IP:port                      : 0.0.0.0:443
Certificate Hash             : 40db5bb1bf5659a155258d1d007c530fcb8996c2
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

NOTE:

  1. Client Certificate Revocation is always enabled by default.
  2. Application ID of “{4dc3e181-e14b-4a21-b022-59fc669b0914}” corresponds to IIS.

NETSH command to delete the existing SSL binding:

netsh http delete sslcert ipport=0.0.0.0:443

NETSH command to add the SSL binding back with the CRL check disabled:

netsh http add sslcert ipport=0.0.0.0:443 certhash=40db5bb1bf5659a155258d1d007c530fcb8996c2 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable

The corresponding setting as stored in the registry:

REGISTRY : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
DWORD    : DefaultSslCertCheckMode
Value    : 1

Possible values of DefaultSslCertCheckMode (the flags can be combined):

VALUE     MEANING
0         Enables the client certificate revocation check
1         Client certificate is not to be verified for revocation
2         Only cached certificate revocation is to be used
4         The DefaultRevocationFreshnessTime setting is enabled
0x10000   No usage check is to be performed

Verify the result by listing the bindings again:

netsh http show sslcert

SSL binding added via NETSH with the CRL check disabled:

IP:port                      : 0.0.0.0:443
Certificate Hash             : 40db5bb1bf5659a155258d1d007c530fcb8996c2
Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name       : My
Verify Client Certificate Revocation    : Disabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check                  : Enabled
Revocation Freshness Time    : 0
URL Retrieval Timeout        : 0
Ctl Identifier               : (null)
Ctl Store Name               : (null)
DS Mapper Usage              : Disabled
Negotiate Client Certificate : Disabled

NOTE: Client Certificate Revocation is always enabled by default. More details on the netsh commands for HTTP can be found here: http://technet.microsoft.com/en-us/library/cc725882(v=ws.10).aspx#BKMK_2

MORE INFORMATION

NETSH Commands for HTTP in IIS 8: IIS 8 introduces two new kinds of SSL binding, SNI bindings and CCS bindings, so the commands above have to be modified slightly to accommodate them. Two additional parameters come into play:

Tag             Value
hostname:port   Unicode hostname and port for the binding.
CCS             Central Certificate Store binding.

hostname:port is very similar to ip:port; the only difference is that it takes a Unicode hostname string together with the port number instead of an IP address. Below are the modified commands for the corresponding bindings in IIS 8:

To delete an SNI binding:

netsh http delete sslcert hostnameport=www.sni.com:443

To delete a CCS binding:

netsh http delete sslcert ccs=443

To add an SNI binding:

netsh http add sslcert hostnameport=www.sni.com:443 certhash=40db5bb1bf5659a155258d1d007c530fcb8996c2 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable

To add a CCS binding:

netsh http add sslcert ccs=443 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} verifyclientcertrevocation=disable
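As an added example (not part of the original post), the following PowerShell parses the netsh http show sslcert output shown above, reports every binding whose client certificate revocation check is not enabled, and cross-checks the DefaultSslCertCheckMode values under the SslBindingInfo registry key by decoding them with the flag table above. The sample output is constructed; the Hostname:port and Central Certificate Store record labels for SNI and CCS bindings, and the per-binding subkey layout under SslBindingInfo, are assumptions.

```powershell
# Constructed sample of 'netsh http show sslcert' output so the script runs offline.
# On a real host replace it with:  $lines = netsh http show sslcert
$lines = @"
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 40db5bb1bf5659a155258d1d007c530fcb8996c2
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation    : Disabled
    Usage Check                  : Enabled
    Negotiate Client Certificate : Disabled
"@ -split "`r?`n"

function ConvertFrom-SslCertOutput {
    param([string[]]$Lines)
    $binding = $null
    foreach ($line in $Lines) {
        # A record starts at its binding identifier: IP:port as on this page;
        # Hostname:port (SNI) and Central Certificate Store (CCS) are assumed labels.
        if ($line -match '^\s*(IP:port|Hostname:port|Central Certificate Store)\s*:\s*(\S.*?)\s*$') {
            if ($binding) { [pscustomobject]$binding }
            $binding = [ordered]@{ Binding = $Matches[2] }
        } elseif ($binding -and $line -match '^\s*(\S.*?)\s*:\s*(\S.*?)\s*$') {
            $binding[$Matches[1]] = $Matches[2]
        }
    }
    if ($binding) { [pscustomobject]$binding }
}

# Decode DefaultSslCertCheckMode using the flag values from the table above.
function Get-SslCertCheckModeFlags {
    param([int]$Value)
    if ($Value -eq 0) { return 'Client certificate revocation check enabled' }
    $names = [ordered]@{
        0x1     = 'Client certificate is not verified for revocation'
        0x2     = 'Only cached certificate revocation is used'
        0x4     = 'DefaultRevocationFreshnessTime setting is enabled'
        0x10000 = 'No usage check is performed'
    }
    foreach ($bit in $names.Keys) { if ($Value -band $bit) { $names[$bit] } }
}

# Report every binding whose revocation check is not enabled.
ConvertFrom-SslCertOutput $lines |
    Where-Object { $_.'Verify Client Certificate Revocation' -ne 'Enabled' } |
    ForEach-Object { "Revocation check OFF: $($_.Binding) (cert $($_.'Certificate Hash'))" }

# Cross-check the registry. The post names only the parent key; a subkey per binding
# holding DefaultSslCertCheckMode is an assumption. Requires an elevated shell.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'
Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
    $mode = (Get-ItemProperty $_.PSPath).DefaultSslCertCheckMode
    if ($null -ne $mode) { "$($_.PSChildName): $((Get-SslCertCheckModeFlags $mode) -join '; ')" }
}
```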
