improwise
Disable Certificate Revocation List
Apr 17, 2007 09:55 PM

How do I disable the certificate revocation list in IIS7? In IIS6 and previous, this would work:

Set oWeb = GetObject("IIS://localhost/W3SVC")
oWeb.CertCheckMode = 1
oWeb.SetInfo
Set oWeb = Nothing

But it seems like the CertCheckMode property has been replaced by the:

CertCheckMode
Enable or disable CRL (certificate revocation list) checking
This value will now be stored in http.sys in the PHTTP_SERVICE_CONFIG_SSL_PARAM object.

But how do I access/modify this in IIS7? Can it be configured via some nice-looking GUI tool, or am I still stuck with CLI tools and script writing?

/pJ

improwise
Re: Disable Certificate Revocation List
Apr 23, 2007 02:18 AM

I finally resorted to the last, most dreaded option, "registry hunting", and stumbled upon:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443

DefaultSslCertCheckMode

which was by default set to 0, but I changed it to 1 and rebooted (important) and... guess what... it worked!

/pJ

PS Perhaps one for the FAQ?

anilr (Microsoft)
Re: Disable Certificate Revocation List
Apr 23, 2007 05:06 PM

You can also edit this using "netsh http" - you would probably need to do a combination of "netsh http show sslcert", "netsh http delete sslcert" and "netsh http add sslcert".

Anil Ruia
Software Design Engineer
IIS Core Server

improwise
Re: Disable Certificate Revocation List
Apr 23, 2007 06:16 PM

Thanks. Could you please post some actual examples of how to do it? Or point to good documentation (which I have so far not been able to find).

/pJ

anilr (Microsoft)
Re: Disable Certificate Revocation List
Apr 23, 2007 08:08 PM

"netsh http show sslcert" will show the details of the existing sslcert:

SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : ...
Application ID : ...
Certificate Store Name : ...
...

then delete the cert using "netsh http delete sslcert" and recreate it using

netsh http add sslcert ipport=0.0.0.0:443 certhash=... appid=... certstorename=MY verifyclientcertrevocation=disable

Of course, this would require some parsing code to do it in a script; it would be easier to do using HttpSetServiceConfiguration with HttpServiceConfigSSLCertInfo - http://msdn2.microsoft.com/en-us/library/aa364503.aspx

Anil Ruia
Software Design Engineer
IIS Core Server

improwise
Re: Disable Certificate Revocation List
Apr 26, 2007 07:31 AM

Is there any way to make these changes stick without rebooting? That is at least true when I edit in the registry (no surprise, really). I noticed that netsh does not seem to read from the registry either, as it did not detect the changes I made in there.
Not that I plan to keep changing these values all day long though :-)

/pJ

anilr (Microsoft)
Re: Disable Certificate Revocation List
Apr 26, 2007 04:02 PM

Using the registry directly is completely unsupported - from my experience, using netsh or the C APIs from http.h causes the settings to be effective immediately and does not require a reboot - are you seeing differently?

Anil Ruia
Software Design Engineer
IIS Core Server
improwise
Re: Disable Certificate Revocation List
Aug 20, 2007 11:42 AM
Some more "strangeness". I receive this for an expired client cert:
HTTP Error 403.17 - Forbidden
Description: Your client certificate has expired or is not yet valid.
Error Code: 0x800b0101
despite having this in the netsh:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : b2068f506b31351c8e278b55f3cdd35efd71c8ad
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
(No other SSL stuff exists).
I remember that there was a DefaultSslCertCheckMode in the registry (see above posts), which indicates that there might be a global override setting here. In my registry it's 1 (true), which seems to be the reason why this doesn't work, but shouldn't site settings override?
/pJ
improwise
Re: Disable Certificate Revocation List
Aug 20, 2007 11:50 AM
This is actually quite strange, because further investigation shows (perhaps not too surprisingly) that the information in the registry is the same information edited via the netsh command (at least they are VERY alike). But, despite netsh showing "Disabled" for client revocation, the registry entry is 1 (true). All other entries though are the same in the registry as in netsh...
What's going on?
/pJ
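The following script is an added example; it is not from this thread and not Microsoft's code. It covers two things discussed above: the netsh sequence anilr gave (show sslcert, delete sslcert, add sslcert with verifyclientcertrevocation=disable), and the DefaultSslCertCheckMode registry value improwise found, decoded next to what netsh prints for the same binding. Assumptions: PowerShell 3 or later on the IIS host, an elevated prompt, the 0.0.0.0:443 binding shown in the thread's output, and the documented flag values of HTTP_SERVICE_CONFIG_SSL_PARAM.DefaultCertCheckMode (1 = client certificate not verified for revocation, 2 = cached revocation only, 4 = freshness time enabled, 0x10000 = no usage check); the function names and the -Apply switch are mine. By that documentation, a registry value of 1 is the same state that netsh reports as "Verify Client Certificate Revocation : Disabled", so the two readings in the thread agree. Note also that error code 0x800b0101 in the 403.17 page quoted above is CERT_E_EXPIRED, a validity-period failure that the revocation setting does not govern.

```powershell
<#
Added example (not from the thread, not Microsoft's code). Re-creates an
http.sys SSL binding with client-certificate revocation checking disabled,
following anilr's netsh steps (show -> delete -> add), and decodes the
DefaultSslCertCheckMode registry value so it can be compared with netsh.
Requires PowerShell 3+ and an elevated prompt. Without -Apply it only reports.
#>
param(
    [string]$IpPort = '0.0.0.0:443',   # the binding from the thread's netsh output
    [switch]$Apply
)

# Parse the "Label : value" lines of "netsh http show sslcert" into a hashtable.
# The label itself may contain a colon ("IP:port"), so split on the first
# colon that is preceded by whitespace.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s+:\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    return $fields
}

# Decode the http.sys cert-check bitmask into the labels netsh prints.
# Bit values are the documented HTTP_SERVICE_CONFIG_SSL_PARAM.DefaultCertCheckMode
# flags (assumption: verify against the http.h in your SDK). Note that for two
# of them a SET bit means netsh shows "Disabled".
function ConvertFrom-CertCheckMode {
    param([int]$Mode)
    [pscustomobject]@{
        Mode                                                    = $Mode
        'Verify Client Certificate Revocation'                  = $(if ($Mode -band 1) { 'Disabled' } else { 'Enabled' })
        'Verify Revocation Using Cached Client Certificate Only' = $(if ($Mode -band 2) { 'Enabled' } else { 'Disabled' })
        'Revocation Freshness Time enabled'                     = [bool]($Mode -band 4)
        'Usage Check'                                           = $(if ($Mode -band 0x10000) { 'Disabled' } else { 'Enabled' })
    }
}

# Map netsh's "Enabled"/"Disabled" display back to its enable/disable parameter form.
function ConvertTo-NetshSwitch {
    param([string]$Display)
    if ($Display -eq 'Enabled') { 'enable' } else { 'disable' }
}

# 1. Read the current binding.
$raw = netsh http show sslcert ipport=$IpPort
$binding = ConvertFrom-NetshSslCert $raw
if (-not $binding['Certificate Hash']) { throw "No SSL binding found for $IpPort" }

# 2. Read (never write; editing it is unsupported) the per-binding registry
#    value the thread found, and show it next to what netsh reports.
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\$IpPort"
$mode = (Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue).DefaultSslCertCheckMode
if ($null -ne $mode) {
    ConvertFrom-CertCheckMode $mode | Format-List
}
"netsh reports: Verify Client Certificate Revocation : $($binding['Verify Client Certificate Revocation'])"

# 3. Rebuild the binding. "add sslcert" resets every option you do not pass,
#    so carry over the settings netsh showed apart from the one being changed.
$addArgs = @(
    "ipport=$IpPort",
    "certhash=$($binding['Certificate Hash'])",
    "appid=$($binding['Application ID'])",
    "certstorename=$($binding['Certificate Store Name'])",
    'verifyclientcertrevocation=disable',
    "usagecheck=$(ConvertTo-NetshSwitch $binding['Usage Check'])",
    "dsmapperusage=$(ConvertTo-NetshSwitch $binding['DS Mapper Usage'])",
    "clientcertnegotiation=$(ConvertTo-NetshSwitch $binding['Negotiate Client Certificate'])"
)
"netsh http delete sslcert ipport=$IpPort"
"netsh http add sslcert $($addArgs -join ' ')"
if ($Apply) {
    netsh http delete sslcert ipport=$IpPort
    netsh http add sslcert @addArgs
}
```

Run it once without -Apply to see the decoded registry value beside the netsh line and the exact delete/add commands it would issue; then run with -Apply and confirm with "netsh http show sslcert" that the binding now reads "Verify Client Certificate Revocation : Disabled". Because netsh talks to http.sys directly, the change takes effect without a reboot, which is the behaviour anilr describes.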
dbaier
Re: Disable Certificate Revocation List
Aug 20, 2007 12:00 PM
dominick
_____________________________
Dominick Baier - http://www.leastprivilege.com