If your application hosted in IIS authenticates users with client SSL certificates, the client has to present a valid certificate. Valid here means more than "not expired": the certificate must carry a CRL distribution point, and IIS (more precisely HTTP.sys, which terminates TLS) must be able to reach that CRL URL from the server to confirm the certificate has not been revoked. If the client presents a certificate that is expired, has an invalid CRL, or points at a CRL that IIS cannot reach, the request is rejected with a 403 substatus; the CRL-unreachable case in particular shows up in the IIS log as sc-status 403, sc-substatus 13 (client certificate revoked) with sc-win32-status 2148081683 (0x80092013, CRYPT_E_REVOCATION_OFFLINE: the revocation server was offline). The two procedures below turn the revocation check off for a binding. Be clear about what that trades away: with the check disabled, a client certificate that really has been revoked is still accepted, so treat this as a workaround while you fix CRL reachability from the server (firewall or proxy rule to the CDP URL), not as the permanent fix.
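Before switching the check off, it is worth reproducing HTTP.sys's verdict on the client certificate from the IIS host itself, because the failure modes above (expired, revoked, CRL unreachable) show up as distinct chain-status flags. The PowerShell function below is an added example and not part of the original post: it runs the same CryptoAPI chain build with online revocation checking that HTTP.sys performs, and lists the CRL URLs the server has to reach. `client.cer` is a placeholder for an exported copy of the client certificate (public part only).

```powershell
# Added example, not from the original post. Run on the IIS host, ideally in the
# same system context HTTP.sys uses, because proxy settings can differ per account.

function Test-ClientCertForIis {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CertPath,   # exported client cert, e.g. .\client.cer (placeholder)
        [int]$UrlTimeoutSeconds = 15
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        # Online revocation over the whole chain is what HTTP.sys does when
        # "Verify Client Certificate Revocation" is Enabled on the binding.
        $chain.ChainPolicy.RevocationMode      = 'Online'
        $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($UrlTimeoutSeconds)
        $accepted = $chain.Build($cert)
        $flags    = @($chain.ChainStatus | ForEach-Object { $_.Status })

        # CRL Distribution Points extension (OID 2.5.29.31): the URLs the server must be able to fetch.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $cdpUrls = if ($cdp) {
            [regex]::Matches($cdp.Format($true), '(?i)(https?|ldap)://[^\s,]+') | ForEach-Object { $_.Value }
        } else { @() }

        [pscustomobject]@{
            Subject        = $cert.Subject
            NotAfter       = $cert.NotAfter
            CdpUrls        = ($cdpUrls -join ', ')
            Accepted       = $accepted
            Expired        = ($flags -contains 'NotTimeValid')            # IIS reports this as 403.17
            Revoked        = ($flags -contains 'Revoked')                 # 403.13, genuinely revoked
            CrlUnreachable = (($flags -contains 'OfflineRevocation') -or
                              ($flags -contains 'RevocationStatusUnknown'))  # 403.13 with 0x80092013
            Detail         = (($chain.ChainStatus | ForEach-Object {
                                  "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
        }
    } finally {
        $chain.Dispose()
    }
}

# Usage (placeholder path):
# Test-ClientCertForIis -CertPath .\client.cer | Format-List
```

If `CrlUnreachable` is true here but the same URL opens from your browser, check the machine-wide WinHTTP proxy (`netsh winhttp show proxy`) and outbound firewall rules rather than your user's proxy settings; a check that passes interactively can still fail for HTTP.sys.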
1. Use the command line or PowerShell (netsh, run elevated)
a. View all SSL certificate bindings
netsh http show sslcert
b. Find your binding and confirm that Verify Client Certificate Revocation is Enabled:
IP:port : 0.0.0.0:443
Certificate Hash : c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
c. Delete the 0.0.0.0:443 binding
netsh http delete sslcert ipport=0.0.0.0:443
d. Re-add the certificate to 0.0.0.0:443 with the revocation check disabled (use the Certificate Hash and Application ID from step b; the values below are the ones from this example)
netsh http add sslcert ipport=0.0.0.0:443 certhash=c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation=disable
or
netsh http add sslcert ipport=0.0.0.0:443 certhash=c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstore=My verifyclientcertrevocation=disable
e. Verify the binding again and confirm that Verify Client Certificate Revocation is now Disabled:
IP:port : 0.0.0.0:443
Certificate Hash : c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Disabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
No reboot is required; HTTP.sys applies the new binding immediately. Test the client-certificate login again.
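Steps a to e above, done from PowerShell as one reusable routine. This is an added example, not code from the original post: it parses `netsh http show sslcert` into objects, reports which bindings still have the revocation check on, and rebinds one `ipport` with the check enabled or disabled, carrying over the hash, application ID, store and the other per-binding switches so nothing else changes. The constructed sample output at the end is the binding quoted in the post, so the parser can be exercised without touching a live server.

```powershell
# Added example, not from the original post. Elevated PowerShell on the IIS host.

function ConvertFrom-NetshSslCert {
    # Turn the 'Key   : Value' blocks printed by 'netsh http show sslcert' into objects,
    # one per binding (blocks are separated by blank lines). 'IP:port' keeps its colon
    # because only a colon surrounded by whitespace is treated as the separator.
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$InputLine)
    begin { $cur = [ordered]@{} }
    process {
        foreach ($line in $InputLine) {
            if ($line -match '^\s*(?<key>\S.*?)\s+:\s+(?<val>.*?)\s*$') {
                $cur[$Matches.key] = $Matches.val
            } elseif ($line.Trim() -eq '' -and $cur.Count -gt 0) {
                [pscustomobject]$cur
                $cur = [ordered]@{}
            }
        }
    }
    end { if ($cur.Count -gt 0) { [pscustomobject]$cur } }
}

function Get-SslCertBinding {
    # Live query of the HTTP.sys bindings.
    netsh http show sslcert | ConvertFrom-NetshSslCert
}

function Set-ClientCertRevocationCheck {
    # HTTP.sys has no 'update' verb, so the binding is deleted and re-added with the
    # same certhash/appid/store and the new verifyclientcertrevocation value.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$IpPort,                                   # e.g. 0.0.0.0:443
        [Parameter(Mandatory)][ValidateSet('enable','disable')][string]$Mode
    )
    $b = Get-SslCertBinding | Where-Object { $_.'IP:port' -eq $IpPort }
    if (-not $b) { throw "No SSL binding found for $IpPort" }

    $netshArgs = @(
        "ipport=$IpPort",
        "certhash=$($b.'Certificate Hash')",
        "appid=$($b.'Application ID')",
        "certstorename=$($b.'Certificate Store Name')",
        "verifyclientcertrevocation=$Mode",
        # carry over the other per-binding switches so the rebind changes only one thing
        "clientcertnegotiation=$(if ($b.'Negotiate Client Certificate' -eq 'Enabled') {'enable'} else {'disable'})",
        "dsmapperusage=$(if ($b.'DS Mapper Usage' -eq 'Enabled') {'enable'} else {'disable'})"
    )
    if ($PSCmdlet.ShouldProcess($IpPort, "rebind with verifyclientcertrevocation=$Mode")) {
        netsh http delete sslcert "ipport=$IpPort" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "delete sslcert failed for $IpPort" }
        netsh http add sslcert @netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            # The old binding is already gone at this point, so hand the operator what is needed to restore it.
            throw "add sslcert failed for $IpPort; re-add by hand: netsh http add sslcert $($netshArgs -join ' ')"
        }
        # No reboot needed: HTTP.sys applies the new binding immediately.
        Get-SslCertBinding | Where-Object { $_.'IP:port' -eq $IpPort } |
            Select-Object 'IP:port', 'Verify Client Certificate Revocation'
    }
}

# Constructed sample: the 'netsh http show sslcert' output quoted in the post, for an offline dry run.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : c9e04ad89bf30a6ab5f7d1341d2e652ff6f0c14f
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation    : Enabled
    Verify Revocation Using Cached Client Certificate Only    : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate    : Disabled

'@ -split "`r?`n"

$sample | ConvertFrom-NetshSslCert |
    Where-Object { $_.'Verify Client Certificate Revocation' -eq 'Enabled' } |
    Select-Object 'IP:port', 'Certificate Hash', 'Verify Client Certificate Revocation'

# Live change (-WhatIf shows the rebind without doing it, -Confirm prompts first):
# Set-ClientCertRevocationCheck -IpPort 0.0.0.0:443 -Mode disable -Confirm
```

The same function with `-Mode enable` puts the check back once the CRL is reachable again, which is the state you want to end up in.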
2. Modify the registry
netsh persists each binding under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\<ip:port>, and the revocation flag is the DWORD DefaultSslCertCheckMode in that key. Setting it to 1 disables the client certificate revocation check (0, or the value being absent, leaves the check on):
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:00000001
Then reboot the system for the change to take effect: HTTP.sys reads these values when it starts, which is why the netsh route above applies immediately and a direct registry edit does not.
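The registry route from PowerShell, as an added example that is not part of the original post. It goes through the .NET registry API rather than the `HKLM:` provider so the colon in the `0.0.0.0:443` key name cannot be mistaken for a drive separator, and it refuses to create the key: the key only exists once `netsh http add sslcert` has created the binding. The value names other than DefaultSslCertCheckMode (SslCertHash, SslCertStoreName) are the ones netsh writes on Server 2012-era builds and are read only for display; missing values come back empty.

```powershell
# Added example, not from the original post. Elevated PowerShell on the IIS host.
$SslBindingInfo = 'SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'

function Get-SslBindingCheckMode {
    param([string]$IpPort = '0.0.0.0:443')
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SslBindingInfo\$IpPort")
    if (-not $key) { return $null }   # no binding persisted for this ip:port
    try {
        $mode = $key.GetValue('DefaultSslCertCheckMode')
        $meaning = if ($null -eq $mode) { 'value absent: revocation check on (HTTP.sys default)' }
                   elseif ($mode -eq 0) { 'revocation check on' }
                   elseif ($mode -eq 1) { 'revocation check off' }
                   else                 { "other flags set: $mode" }
        [pscustomobject]@{
            IpPort    = $IpPort
            CheckMode = $mode
            Meaning   = $meaning
            # SslCertHash is REG_BINARY; render it as the hex string netsh shows
            CertHash  = (($key.GetValue('SslCertHash') | ForEach-Object { $_.ToString('x2') }) -join '')
            StoreName = $key.GetValue('SslCertStoreName')
        }
    } finally { $key.Dispose() }
}

function Set-SslBindingCheckMode {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$IpPort = '0.0.0.0:443',
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Mode   # 0 = check revocation, 1 = skip the check
    )
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SslBindingInfo\$IpPort", $true)
    if (-not $key) { throw "No binding under SslBindingInfo for $IpPort; create it with 'netsh http add sslcert' first" }
    try {
        if ($PSCmdlet.ShouldProcess("HKLM\$SslBindingInfo\$IpPort", "DefaultSslCertCheckMode=$Mode (DWORD)")) {
            $key.SetValue('DefaultSslCertCheckMode', $Mode, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Dispose() }
    # HTTP.sys reads SslBindingInfo at start-up: reboot before expecting the change to apply.
}

# Usage:
# Get-SslBindingCheckMode
# Set-SslBindingCheckMode -IpPort 0.0.0.0:443 -Mode 1 -Confirm
```

Run `Get-SslBindingCheckMode` after the reboot and compare it with `netsh http show sslcert`; the two should agree, since they are reading the same binding.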
Reference:
http://blogs.msdn.com/b/kaushal/archive/2012/10/15/disable-client-certificate-revocation-check-on-iis.aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/cc307220(v=vs.85).aspx
Tags: How to Disable CRL check on IIS 8.X
- sc-status 403 sc-substatus 13
- sc-win32-status 2148081683