Disable Client Certificate Revocation (CRL) Check on IIS
I have been asked this question on several occasions on how to disable revocation check in IIS 7. It was pretty easy for IIS 6, on IIS 7 there is no documentation on how to do so. This post will describe on how to achieve this task.
Firstly, list out all the existing IIS bindings via command line as shown below:
netsh http show sslcert |
Default SSL Binding when added via IIS Manager IP:port : 0.0.0.0:443Certificate Hash : 40db5bb1bf5659a155258d1d007c530fcb8996c2Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}Certificate Store Name : MyVerify Client Certificate Revocation : EnabledVerify Revocation Using Cached Client Certificate Only : DisabledUsage Check : EnabledRevocation Freshness Time : 0URL Retrieval Timeout : 0Ctl Identifier : (null)Ctl Store Name : (null)DS Mapper Usage : DisabledNegotiate Client Certificate : Disabled |
NOTE:
|
In order to disable the revocation check, we need to delete the existing binding first. Before you do that, make a note of the above details, especially the certificate hash.
NETSH command to delete existing SSL binding: netsh http delete sslcert ipport=0.0.0.0:443 |
Now add the binding again using netsh as shown below:
NETSH command to add an SSL binding to disable CRL Check: netsh http add sslcert ipport=0.0.0.0:443 certhash=40db5bb1bf5659a155258d1d007c530fcb8996c2appid={4dc3e181-e14b-4a21-b022-59fc669b0914}certstorename=My verifyclientcertrevocation=disable |
Highlighted portion of the above command depicts that we are disabling the client certificate revocation. This adds a DWORD at the following location in registry:
| REGISTRY : HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfoDWORD : DefaultSslCertCheckModeValue : 1 |
DefaultSslCertCheckMode can take the following values. Click here for more info.
VALUE |
MEANING |
| 0 | Enables the client certificate revocation check |
| 1 | Client certificate is not to be verified for revocation. |
| 2 | Only cached certificate revocation is to be used |
| 4 | The DefaultRevocationFreshnessTime setting is enabled |
| 0x10000 | No usage check is to be performed |
Review the SSL bindings after executing the above command. The CRL check would be disabled.
netsh http show sslcert |
SSL Binding added via NETSH to disable CRL: IP:port : 0.0.0.0:443Certificate Hash : 40db5bb1bf5659a155258d1d007c530fcb8996c2Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}Certificate Store Name : MyVerify Client Certificate Revocation : DisabledVerify Revocation Using Cached Client Certificate Only : DisabledUsage Check : EnabledRevocation Freshness Time : 0URL Retrieval Timeout : 0Ctl Identifier : (null)Ctl Store Name : (null)DS Mapper Usage : DisabledNegotiate Client Certificate : Disabled |
NOTE: Client Certificate Revocation is always enabled by default.
More details on the netsh commands for HTTP can be found here: https://technet.microsoft.com/en-us/library/cc725882(v=ws.10).aspx#BKMK_2
MORE INFORMATION
NETSH Commands for HTTP in IIS 8:
With IIS there are 2 new SSL bindings viz. SNI Bindings and CCS Bindings. So the above commands would have to be modified slightly to incorporate these changes. So we have 2 additional parameters than what are listed in the above TechNet article . They are:
Tag |
Value |
| hostnameport | Unicode hostname and port for binding. |
| CCS | Central Certificate Store binding. |
hostnameport is very similar to the ipport. The only difference is that it takes a Unicode string as an input along with the port number.
Below are the modified commands for the corresponding bindings in IIS 8:
To delete a SNI Binding netsh http delete sslcert hostnameport=www.sni.com:443 |
To delete a CCS Binding netsh http delete sslcert ccs=443 |
To add a SNI Binding netsh http add sslcert hostnameport=www.sni.com:443 certhash=40db5bb1bf5659a155258d1d007c530fcb8996c2 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=My verifyclientcertrevocation =disable |
To add a CCS Binding netsh http add sslcert ccs=443 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} verifyclientcertrevocation =disable |
Comments
Anonymous
May 20, 2013
Is this easier? www.asprangers.com/.../How-to-Disable-CRL-check-on-IIS-7X.aspxAnonymous
May 21, 2013
The comment has been removedAnonymous
September 01, 2014
How to do this on Windows Server 2012, The above registry has been removed in 2012.Anonymous
September 01, 2014
The comment has been removedAnonymous
November 06, 2014
Checked on Windows Server 2012 with first CLI commands and it worked for me. Thanks.Anonymous
August 10, 2015
There is any reason for Disable Client Certificate Revocation ?Anonymous
August 10, 2015
The reason for me is that i have only one internal CA, which i need to shutdown for security reasons. As this is the internal CRL host aswell, the revocation check fails, and the certificate is not trusted.Anonymous
June 08, 2016
The text is white inside the black boxes, so it's unreadable against the white background.- Anonymous
June 23, 2016
@Matt. Thanks for the correct. This is corrected now.
- Anonymous
Anonymous
September 07, 2016
i know that few years passed, however:last command is not workingerror 87:The parameter is incorrect.also if we add registry settings to disable client cert revocation or to set ctlstorename for ccs binding we get similar error during "show sslcert" (The parameter is incorrect.)so, is there possibility to use ccs and to use client certificates from third party ca ?Anonymous
September 07, 2016
new info:it looks like verifyclientcertrevocation for ccs is nativly disabledthe problem appears, if site has more ssl bindings and the bidings are "old fashion" ones (ip:443), then the ssl binding has to be removed from the ip and made again with basicly one parameter that makes third party client certs working: verifyclientcertrevocation=disableAnonymous
January 13, 2017
Being meaning to add a comment for ages if simply add the key within the registry for the appropriate binding then there is no need to delete and re add it. Then simply reboot it.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\DWORD : DefaultSslCertCheckModeValue : 1