  • Re: IIS 10 CTL not working correctly

    Nov 01, 2019 02:09 PM|brentil|LINK

    I'm not sure what you're trying to suggest. If you remove the certhash and appid, it unbinds the SSL certificate from the assigned website. They're also required items to run netsh http add or update.

    We've been doing CTL based CAC for a while, so I'm familiar with the process on IIS 6 through IIS 8.5, but the behavior in IIS 10 is where I'm having trouble: it's not respecting the CTL list that shows as being enabled. Instead of filtering the list of user certs a user can choose from, it shows all of them.

    - Use MakeCTL to create the CTL list with the 1.3.6.1.4.1.311.10.1 code, add the certs, and move it to the local computer CA

    - netsh http show sslcert (and get the details of the IP you want to modify)

    - netsh http delete sslcert ipport=1.1.1.1:443

    - netsh http add sslcert ipport=1.1.1.1:443 certhash=HASH-VALUE appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=MyCustomCTL sslctlstorename=CA verifyclientcertrevocation=disable verifyrevocationwithcachedclientcertonly=disable clientcertnegotiation=enable

    I've also used the update command instead, removing the extra options to do only the CTL addition for testing, but that also doesn't respect the CTL.

    - netsh http update sslcert ipport=1.1.1.1:443 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certhash=HASH-VALUE sslctlstorename=CA sslctlidentifier=MyCustomCTL

    The output shows the CTL as being bound to the website but it's not respecting it.

    IP:port : 1.1.1.1:443
    Certificate Hash : HASH-VALUE
    Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout : 0
    Ctl Identifier : MyCustomCTL
    Ctl Store Name : CA
    DS Mapper Usage : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections : Disabled
    Disable HTTP2 : Not Set
    Disable QUIC : Not Set
    Disable TLS1.2 : Not Set
    Disable TLS1.3 : Not Set
    Disable OCSP Stapling : Not Set
    Disable Legacy TLS Versions : Not Set

    This is what it should look like

    This is what's actually happening:
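A check worth running before chasing the CTL itself is to compare what `netsh http show sslcert` actually reports for the binding against the parameters that were passed to `netsh http add sslcert`. The PowerShell below is an added example and is not code from the post or from Microsoft; it parses the `Label : Value` lines of the show output into one hashtable per binding and reports every field that differs from the intended value. The netsh-parameter-to-label mapping is taken from the post's own command and output, and the embedded sample is the output quoted in the post, so the script runs offline.

```powershell
# Added example (not from the original post): parse `netsh http show sslcert`
# output and compare each binding with the settings you intended to apply.
# Against a live host:  netsh http show sslcert | ConvertFrom-SslCertOutput

function ConvertFrom-SslCertOutput {
    # Turns "Label : Value" lines into one hashtable per binding.
    # A new binding starts at each "IP:port" (or "Hostname:port") line.
    param([Parameter(ValueFromPipeline = $true)][string[]]$Lines)
    begin {
        $bindings = [System.Collections.Generic.List[object]]::new()
        $current  = $null
    }
    process {
        foreach ($line in $Lines) {
            # netsh pads the separator as " : ", which keeps "IP:port" intact
            if ($line -notmatch '^\s*(.+?)\s+:\s+(.*)$') { continue }
            $label = $Matches[1].Trim()
            $value = $Matches[2].Trim()
            if ($label -in 'IP:port', 'Hostname:port') {
                if ($null -ne $current) { $bindings.Add($current) }
                $current = @{}
            }
            if ($null -ne $current) { $current[$label] = $value }
        }
    }
    end {
        if ($null -ne $current) { $bindings.Add($current) }
        $bindings
    }
}

function Test-SslCertBinding {
    # Compares one parsed binding with the netsh add/update parameters you
    # passed and emits "<label> : expected X, actual Y" for each mismatch.
    param([hashtable]$Binding, [hashtable]$Expected)
    # netsh parameter name -> label printed by `show sslcert`
    # (mapping assumed from the command and output quoted in the post)
    $labels = @{
        sslctlidentifier                         = 'Ctl Identifier'
        sslctlstorename                          = 'Ctl Store Name'
        clientcertnegotiation                    = 'Negotiate Client Certificate'
        verifyclientcertrevocation               = 'Verify Client Certificate Revocation'
        verifyrevocationwithcachedclientcertonly = 'Verify Revocation Using Cached Client Certificate Only'
    }
    $toWord = @{ enable = 'Enabled'; disable = 'Disabled' }
    foreach ($param in $Expected.Keys) {
        $label = $labels[$param]
        if (-not $label) { continue }
        $want = $Expected[$param]
        if ($toWord.ContainsKey($want)) { $want = $toWord[$want] }
        $got = $Binding[$label]
        if ($got -ne $want) { "$label : expected '$want', actual '$got'" }
    }
}

# Constructed sample: the `show sslcert` output quoted in the post.
$sample = @'
IP:port : 1.1.1.1:443
Certificate Hash : HASH-VALUE
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Ctl Identifier : MyCustomCTL
Ctl Store Name : CA
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Reject Connections : Disabled
'@

# The values passed on the `netsh http add sslcert` line in the post.
$intended = @{
    sslctlidentifier                         = 'MyCustomCTL'
    sslctlstorename                          = 'CA'
    clientcertnegotiation                    = 'enable'
    verifyclientcertrevocation               = 'disable'
    verifyrevocationwithcachedclientcertonly = 'disable'
}

$bindings = ConvertFrom-SslCertOutput -Lines ($sample -split "`r?`n")
$target   = $bindings | Where-Object { $_['IP:port'] -eq '1.1.1.1:443' }
Test-SslCertBinding -Binding $target -Expected $intended
```

On the output quoted in the post, the CTL identifier and store match what was passed, but the binding reports Negotiate Client Certificate as Disabled although `clientcertnegotiation=enable` was given, and Verify Client Certificate Revocation as Enabled although `verifyclientcertrevocation=disable` was given. Fields that did not take are the first thing to reconcile when a CTL appears bound yet the client still sees every certificate.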