IIS Client Certificate Revocation Check Disable

A couple of weeks back, a certificate was approaching it's expiration date on an IIS server and the update - although pretty straight forward, caused a major issue for the service running on that server.

I had the new certificate in PFX format, I've installed it on the computer certificate store and it was available in the IIS Manager console. All the certificates for the Root and Intermediate authorities were property installed and the clients had access to the CRL urls.

However, when I switched the certificate, the clients were not able to communicate property with the website. After going through the logs on the clients and the application, I discovered that the clients were using client certificates in order to authenticate and the validation process was failing for those certificates since my server could not check their revocation.

I opened up a command prompt to get more information on the bindings on the website since there are settings that are not available when using the IIS Manager console and used the command:

netsh http show sslcert

Make a note of the appid value, we're going to need it later on!

As it turns out, when updating the certificate on a website, a new binding is created and not all settings are transferred to the new one. The Verify Client Certificate Revocation setting in particular, is enabled by default and if disabled will be enabled.

Since the server could not access the CRLs of the client certificates, the authentication failed.  Unfortunately, the setting cannot be changed directly and requires the binding to be recreated.

To remove the binding, I used the netsh http command with the following syntax:

netsh http delete sslcert ipport=

The command to add the binding with the correct settings was a little bit trickier:

netsh http add sslcert ipport= certhash=40db5bb1bf5659a155258d1d007c530fcb8996c2
certstorename=My verifyclientcertrevocation=disable

Let's go though each parameter. The certhash is the hash of the certificate to use, the appid is the identity of the application (from the first step), the certstorename corresponds to the name of certificate store and the verifyclientcertrevocation is the setting we want to configure.

I'd suggest preparing the command that adds the binding before removing it in order to minimize the downtime of the site.

The Verify Client Certificate Revocation setting is now disabled and the clients are able to authenticate.

You can also control this setting using the registry. The key HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\ contains a key for each binding. Create a DWORD named DefaultSslCertCheckMode under the key of your binding and use the below values to control the behavior of IIS:
  • 0: The client certificate revocation check is enabled
  • 1: Revocation information will not be checked for client certificates
  • 2: Only cached certificate revocation is to be used
  • 4: The DefaultRevocationFreshnessTime is enabled
If you choose to use the registry to configure the setting, you'll have to restart the server for it to take effect.

Read more about the netsh command here.

Popular posts from this blog

How to Configure Message Forwarding on a Mailbox Level

Configuring a Certificate on Exchange Receive Connector