Background
Hello, community! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch updated version of CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke client certificate, publish latest CRL on my CA and want IIS to check the latest information.
Question
What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download CRL each time I make a request to it.
Setup
What I completed as a setup step:
Set "Accept" for client certificates on IIS.
Checked following material about IIS CRL settings: link.
Actions
What I am trying to do to disable CRL caching on IIS:
Delete existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010.
Add binding which tells IIS to download CRL each 10 seconds and not to cache it: netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. Parameters mean that we enable CRL checking, refresh CRL each 10 seconds and set HTTP timeout for CRL download to 30 seconds (30000 milliseconds).
Verify that the information has been updated.
Registry settings
SSL binding settings
If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have the valid cached CRL on the server. It ignores the cached CRL completely.
Restart IIS or reboot the machine: iisreset.
Clear CRL cache: certutil -urlcache crl delete.
Publish new CRL and verify that it doesn't contain our certificate.
Publishing updated CRL
Send not revoked certificate: 403 status has been returned by IIS. This means that IIS uses cached CRL and above-mentioned settings for IIS doesn't work.
Non-revoked certificate
Certificate in Postman
Forbidden result
If I disable CRL checking it works: verifyclientcertrevocation=disable.
CRL is reachable.
CRL status
Related
I receive the following message after binding our SSL wildcard certificate to our TFS site.
One or more intermediate certificates in the certificate chain are missing. To resolve this issue, make sure that all of the intermediate certificates are installed.
Does the certificate need to authenticate to the internet?
I've added this wildcard cert to other site binding and this is the first time I've seen this message.
How do I resolve this message?
I imported DigiCert High Assurance CA in Trusted Root on both TFS Build and Application server.
I want to call a url through https. In my trust store I have the certificate of web site, but it has been expired.
However when I call the website through my client, my connection get successful. Does this mean that by default http-client not check for the validity of certificate if I have added it to trust store? Do I have to check the validity of certificate manually?
In the Server
I have configured a intermediate certificate .pfx file in the IIS and created a https (443) port using binding option. I use certificate for Authorisation also I am expecting a client certificate from the client , I enabled the Require SSL and clien certificate required option in the IIS.
I checked the Intermediate certificate authorities for the root certificate and they also presents, checked the .pfx file installed in the certificate store (Local Machine) also presents.
I created .cer file from the above .pfx file with include private key option and shared the .cer file with my client and he has to attach the .cer file for authorisation .
Above is the REST wcf service with POST.
In the Client Side
I tested this application after getting the .cer file, attach that to my request in my client.exe and calling the service - it returns .403 fobidden error.
In the IIS log it is logged as 403.16 , sc-win32-status code = 2148204816 error
Please help me my above approach is correct and how to avoid this error.
Is configuring CTL is the option , or I need to get a separate client certificate for use from my client side.
You need to make small steps to debug this.
First import SSL server certificate to LocalMachine\My store. Verify
that certificate is trusted (by double-clicking it and verifying
chain).
Setup SSL binding in IIS. Verify that you can access the https site (even WCF service gives some documentation page on http/s).
Import client certificate in client CurrentUser\My store. Verify that certificate is trusted (by double-clicking it and verifying
chain).
Set SSL require mode on your WCF service on IIS. Verify that when you access https site of the WCF service a certificate is prompted and no trust error is returned (again, the documentation page should be displayed)
Server certificate must have Server Authentication extension. Client certificate must have Client Authentication extension in it. Client has to trust server certificate. Server has to trust Client certificate. This means that CRLs from both chains must be reachable.
Currently in our environment, we have CRL checking enabled for ADFS, but do we also need to leave CRL checking enabled for IIS7.5? Our IIS server is setup behind a firewall for outgoing traffic only, no incoming traffic.
Are there any benefits/issues we might run into if disable CRL checking? I haven't been able to find a proper answer to my question anywhere, so I thought I'd post a question here.
Thanks.
The top benefit is performance boost, as CRL checking is slow.
The top disadvantage is security where you allow revoked certificates to pass when CRL checking is disabled.
I know i am late here but few days before i worked with client ssl certificate authentication an i got sc-status 403 sc-substatus 13 (403.16) from IIS.
It was about CRL check for certificate revocation.
We could disable/enable it but the best practices is to keep it enable only if you are integrating Certifying Authorities certificates of your country in your app.
If you working with self created certificate then you might disable it.
I'm new to mutual SSL. Therefore my understanding how client certifcates might be wrong.
When using Client certificates in IIS, do they need to be issued from the same certificate (or CA) as the IIS HTTPS binding has configured?
My dev IIS has a self signed certificate.
For the client certificate, I've created a CA and a Client certificate according to
the post here.
The CA is in my "Trusted Root Certification Authorities" of the local Computer.
The Client certificate is in my personal certificate folder.
On IIS I've set Client certificates to accept.
The first strange Thing is that when I browse to my page, the IE always shows me 403.7. Even I've disabled the IE setting "Don't prompt for client certificate selection...", there is no window opening for the certificate selection.
Also when accessing the page with a HttpWebRequest with Client cert attached, the response is always 403. Unfortunately there I did not figure out how to get the sub status.
Why doesn't IIS accept my Client certificate when the RootCA of the Client certificate is in the trusted root store?
Is there a way to get more details where the problem might be?
Thanks
Thomas
Finally could solve the issue:
The CA and Client certificates which I generated according to the tutorial here did NOT have the private key assigned in the certificate store. I had to remove the certificates from the cert store and Import the PFX file including the private key.
Second, the client certificate needs to be in the Current User/Personal store so IE does pick it up. I initallly generated it in the Current Computer/Personal store.
There might be a direct way how to create the two certificates including Private key with makecert. But the PFX import was the easiest way for me.
After 3 days of try and error on my side: If you use IIS10 on Windows2022, TLS1.3 is turned on by default.
The SSL handshake seems not to be implemented correctly in browsers/curls/.... for this case.
For testing reasons turn off TLS1.3
In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
Add:
DisabledByDefault as Dword with 1 and restart the server (not only IIS!)