Certificate Revocation Lists and Internet Information Server 5.x

Internet Information Server 5.0 and 5.1 behave a little different than IIS 6.0 and 7.0 when you work with client certificates. If you followed the instructions to install a server certificate on the web server and a client certificate in the browser, you will get these warnings:

By default IIS 5.x checks the browser supplied certificate against a certificate revocation list (CRL).

When it has not been setup on the server, you will be prompted and get the following error afterwards in the browser:

There are two ways out:

  1. Setup a CRL on the server (duh!). See this for more information.
  2. Disable the checking of CRL’s by the server. The browser will still complain that the revocation information is not available. This is well suited for development scenarios.

Option 2 can be accomplished by editing the metabase of your webserver and setting the value of CertCheckMode to a value larger than zero. Assuming you want to set the value of the first IIS web site (w3svc/1):

  • From the c:inetpubadminscript folder run this command (via here):
    cscript adsutil.vbs SET w3svc/1/CertCheckMode 1
  • Use a little VBScript (from Tim Huffam‘s blog entry)

    Set oWeb = GetObject(“IIS://localhost/W3SVC/1”)
    oWeb.CertCheckMode = 1
    Set oWeb = Nothing

  • Use the MetaEdit 2.2 tool and add the new value CertCheckMode to LM/W3SVC/1 (or change it if it exists). Make sure that the Data value is larger than zero:

If it makes you feel good you can restart IIS after the changes. The dialog with the warning on certicificate revocation will not disappear, because you have only switched off the checking at the server. The information still isn’t available for the browser. The error at the pages will disappear, though.

That should get you going again.

Some other errors you might receive are 403.16 and 403.7. Check this knowledge base article to solve these.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s