Wednesday 13 January 2016

[solved] Escape client cert revocation (CRL) verification in IIS 8.X

If you are using client SSL certificates to authenticate to an application hosted in IIS, the client must present a valid certificate. Valid here means the certificate carries a CRL distribution point and IIS can reach that CRL URL to check whether the certificate has been revoked. If the client presents a certificate that is expired, has an invalid CRL, or points to a CRL that IIS cannot reach, you may see the following errors in the IIS logs:

  • sc-status 403 sc-substatus 13
  • sc-win32-status 2148081683

How to stop CRL verification in IIS? Keep in mind that once revocation verification is off, IIS will still accept a client certificate that its CA has since revoked, so treat this as a workaround while you fix CRL reachability, not as a permanent setting.

1. Use the command line or PowerShell


a. View all SSL certs
netsh http show sslcert

b. Verify the SSL certificate binding and confirm that Verify Client Certificate Revocation is Enabled:
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

c. Delete the 0.0.0.0:443 binding
netsh http delete sslcert ipport=0.0.0.0:443

d. Add the SSL cert back to 0.0.0.0:443 with client certificate revocation verification disabled
netsh http add sslcert ipport=0.0.0.0:443 certhash=c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable

or

netsh http add sslcert ipport=0.0.0.0:443 certhash=c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstore=My verifyclientcertrevocation=disable

e. Verify the SSL certificate binding again and confirm that Verify Client Certificate Revocation is now Disabled:
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

A reboot is not required, and you are ready to go. Check it again :-)

2. Modify the registry
Set the DWORD value DefaultSslCertCheckMode=1 under the binding's key to disable the CRL check:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
DefaultSslCertCheckMode (DWORD) = 1

Then reboot the system for the change to take effect.
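As an added example (not part of the original post), the PowerShell script below ties both methods together for auditing: it parses the netsh http show sslcert output shown above into objects and reads each binding's DefaultSslCertCheckMode registry value, so you can list exactly which bindings no longer verify client certificate revocation. It assumes the English "Key : Value" netsh layout and an elevated session.

```powershell
# Added audit helper (not from the original post): lists every HTTP.sys SSL
# binding and flags the ones where client certificate revocation checking has
# been turned off, either via netsh (method 1) or via the DefaultSslCertCheckMode
# registry value (method 2). Assumes the English "Key : Value" netsh layout
# shown above and an elevated PowerShell session.
function Get-SslCertRevocationAudit {
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP|Hostname):port\s*:\s*(\S+)') {
            # Each binding block starts with an IP:port (or Hostname:port) line;
            # handle it first because the generic Key : Value split below would
            # break on the colon inside the label.
            if ($current) { $bindings += $current }
            $current = @{ IpPort = $Matches[2] }
            continue
        }
        if ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += $current }

    foreach ($b in $bindings) {
        # Method 2 stores its setting per binding under SslBindingInfo\<ip:port>
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\' + $b.IpPort
        $mode = (Get-ItemProperty -Path $regPath -Name DefaultSslCertCheckMode `
                 -ErrorAction SilentlyContinue).DefaultSslCertCheckMode
        [pscustomobject]@{
            IpPort                  = $b.IpPort
            CertificateHash         = $b['Certificate Hash']
            RevocationCheck         = $b['Verify Client Certificate Revocation']
            DefaultSslCertCheckMode = $mode
            # Disabled by netsh, or set to 1 in the registry (takes effect after reboot)
            RevocationDisabled      = ($b['Verify Client Certificate Revocation'] -eq 'Disabled') -or ($mode -eq 1)
        }
    }
}

# Show only the bindings that would accept a revoked client certificate.
Get-SslCertRevocationAudit | Where-Object RevocationDisabled | Format-Table -AutoSize
```

Run it without the Where-Object filter to see the full state of every binding, including the hash of the server certificate each one uses.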



References:
http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-iis.aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/cc307220(v=vs.85).aspx

Tags: How to Disable CRL check on IIS 8.X