I was trying to figure out how to use client certificates with IIS, but IIS kept complaining with a message of "HTTP 403.13 - Forbidden: Client certificate revoked", even though the certificate was not revoked.

Disclaimer
This should not be used in production environments (but you probably wouldn't use XP to run IIS there anyways :-) ).

The problem
The CRL (certificate revocation list) location stated in the client certificate was not available from the IIS server I was running on my laptop. If IIS cannot contact the CRL location, it deems the certificate revoked (which makes sense in some ways).

Changing the IIS config
I found it was possible to disable the CRL check through a metabase property called CertCheckMode. However, changing this property was not as easy as I'd hoped.

I found several scripts around the web explaining that I needed to connect to winmgmts:/root/MicrosoftIISv2. While this was working on a Windows Server, I could not make it work on Windows XP. I kept getting a 0x8004100E error, which translates to "Invalid Namespace".

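In the end though, I found that you could use the following script instead:

' Bind to the IIS web service node of the metabase through ADSI
Set obj = GetObject("IIS://localhost/W3svc")
' Show the current value before changing it
WScript.Echo("CertCheckMode:" & obj.CertCheckMode)
' 1 disables the CRL check for client certificates
obj.CertCheckMode = 1
' Write the change back to the metabase
obj.SetInfo()
' Show the value again to confirm the change
WScript.Echo("CertCheckMode:" & obj.CertCheckMode)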
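
Once testing is done, the change should be undone so that revoked client certificates are rejected again. The script below is an added example, not part of the original post: it reports CertCheckMode at the service level and on every web site beneath it and resets any non-zero value. It assumes 0 is the value that enables CRL checking (the metabase default); the Restore helper and the CRL_CHECK_ENABLED constant are names made up for this example.

```vbscript
Option Explicit

' Assumption: 0 is the metabase default and means "CRL checking enabled".
Const CRL_CHECK_ENABLED = 0

Dim svc, node, changed
Set svc = GetObject("IIS://localhost/W3SVC")
changed = 0

' Service level: the value every site inherits unless it overrides it.
changed = changed + Restore(svc, "W3SVC (service level)")

' Site level: each IIsWebServer child may carry its own override.
' Other children (filters, info nodes) are skipped by the Class check.
For Each node In svc
    If node.Class = "IIsWebServer" Then
        changed = changed + Restore(node, _
            "site " & node.Name & " (" & node.ServerComment & ")")
    End If
Next

WScript.Echo changed & " node(s) reset to CertCheckMode=" & CRL_CHECK_ENABLED

' Hypothetical helper: prints the current value of one metabase node and
' resets it if CRL checking is switched off. Returns 1 if it changed the node.
Function Restore(obj, label)
    Restore = 0
    WScript.Echo label & ": CertCheckMode=" & obj.CertCheckMode
    If obj.CertCheckMode <> CRL_CHECK_ENABLED Then
        obj.CertCheckMode = CRL_CHECK_ENABLED
        obj.SetInfo
        WScript.Echo "  -> CRL checking re-enabled"
        Restore = 1
    End If
End Function
```

Run it with cscript from an administrator account. A count of 0 in the last line means CRL checking was already enabled everywhere.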

nagakeciks

CRL list

Thanks for the script, it works :-)