August 22, 2008 - 13:14 UTC - Tags: security IIS CRL
I was trying to figure out how to use client certificates with IIS, but IIS kept rejecting every request with "HTTP 403.13 - Forbidden: Client certificate revoked", even though the certificate was not revoked.
Disclaimer
This should not be used in production environments (but you probably wouldn't use XP to run IIS there anyways :-) ).
The problem
The CRL (certificate revocation list) location stated in the client certificate was not reachable from the IIS server I was running on my laptop. If IIS cannot contact the CRL location, it cannot determine the revocation status and deems the certificate revoked, i.e. it fails closed (which makes sense in some ways).
Changing the IIS config
I found it was possible to disable the CRL check through a metabase property called CertCheckMode. However, changing this property was not as easy as I'd hoped.
I found several scripts around the web explaining that I needed to connect to winmgmts:/root/MicrosoftIISv2. While this was working on a Windows Server, I could not make it work on Windows XP. I kept getting error 0x8004100E, which translates to "Invalid Namespace": the IIS WMI provider behind that namespace ships with IIS 6.0 on Windows Server 2003, and IIS 5.1 on XP does not have it.
In the end, though, I found that you could use the following VBScript instead, which goes through the IIS ADSI provider rather than WMI (run it with cscript from an elevated prompt):
' Bind to the W3SVC service node of the metabase via the IIS ADSI provider
Set obj = GetObject("IIS://localhost/W3svc")
' Show the current value (0 = revocation checking enabled, the default)
WScript.Echo("CertCheckMode:" & obj.CertCheckMode)
' 1 = disable revocation checking; from now on IIS will not consult the CRL at all,
' so a genuinely revoked client certificate will also be accepted
obj.CertCheckMode = 1
' Write the change back to the metabase
obj.SetInfo()
WScript.Echo("CertCheckMode:" & obj.CertCheckMode)
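Because a disabled revocation check is easy to forget about, the companion script below, an added example that is not part of the original post, audits CertCheckMode over the same ADSI path: it reports the service-level value and every web site under W3SVC (sites can carry their own value), and with the argument "reset" it restores revocation checking by setting the property back to 0. It assumes the IIS:// ADSI provider is available as in the post; the script name and the "reset" argument are hypothetical.

```vbscript
' audit-certcheck.vbs - added example, not from the original post.
' Usage: cscript audit-certcheck.vbs        (report only)
'        cscript audit-certcheck.vbs reset  (report and set CertCheckMode back to 0)
Option Explicit

Dim w3svc, site, doReset
doReset = (WScript.Arguments.Count > 0 And LCase(WScript.Arguments(0)) = "reset")

' Same binding as the post: the W3SVC service node of the metabase
Set w3svc = GetObject("IIS://localhost/W3SVC")

' Service-level value (the one the post changes)
ReportMode "W3SVC", w3svc, doReset

' Walk the web sites; W3SVC also contains non-site children (Info, Filters), so filter by class
For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        ReportMode "W3SVC/" & site.Name & " (" & site.ServerComment & ")", site, doReset
    End If
Next

Sub ReportMode(label, obj, reset)
    Dim mode, text
    On Error Resume Next
    mode = obj.CertCheckMode
    If Err.Number <> 0 Then
        ' The property is not exposed on every node; report and move on
        WScript.Echo label & ": CertCheckMode not readable (0x" & Hex(Err.Number) & ")"
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0

    Select Case mode
        Case 0: text = "0 (revocation checking enabled)"
        Case 1: text = "1 (revocation checking DISABLED)"
        Case Else: text = CStr(mode) & " (other mode)"
    End Select
    WScript.Echo label & ": CertCheckMode = " & text

    ' Only write when asked to and when the value actually differs from the default
    If reset And mode <> 0 Then
        obj.CertCheckMode = 0
        obj.SetInfo
        WScript.Echo label & ": reset to 0 (revocation checking enabled)"
    End If
End Sub
```

Running it without arguments is safe to do at any time; it only reads the metabase. The reset path writes only to nodes whose value is non-zero, so a server that already checks revocation is left untouched.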