Re: IIS 6 behavior on checking clients' certificates (again)
From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/16/05
Date: Fri, 16 Sep 2005 08:57:45 -0500
In article <C18472D6-59BA-441A-9C69-2076BEBF1696@microsoft.com>,
Vsevolod@discussions.microsoft.com says...
> Hello !
>
> What should I do that I wouldn't need to have all intermediate CA
> certificates on IIS 6 side to successful certification chain build ?
> I'm sorry for repeated question but my last post to "Different IIS 5 & IIS
> 6 behavior on checking clients' certificates" thread is unanswered yet.
> Could Anybody help me ? Whose this bug ? Mine, IIS 5, IIS 6, ASP or
> anything else ?
>
> BR,
> Vsevolod.
>
For certificate revocation checking to work, you must ensure that the
server can grab *all* certificates and their CRLs for the *entire*
certificate chain.
You *cannot* do certificate validation *without* the intermediate
certificates, as it will result in a revocation status cannot be
determined error.
With the release of MS04-11 last year, the revocation checking engine is
the same for both IIS 5 and IIS 6 (to be honest, for 2k and 2k3/XP).
What you will need to do is ensure that all certificates (other than the
root CA) have the AIA and CDP extensions in the issued certificates.
Brian
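
The check described in the reply above, as an added example that is not part of the original post: a PowerShell script that builds the chain for a certificate with online revocation checking and reports, per chain element, whether the AIA and CDP extensions are present. The file name `client.cer` is a placeholder, and treating any certificate whose subject equals its issuer as the root is an assumption of this example.

```powershell
# Added example (not from the original post): verify that every non-root
# certificate in a chain carries the AIA and CDP extensions.
# '.\client.cer' is a placeholder path for the certificate under test.
param([string]$Path = '.\client.cer')

$OidAia = '1.3.6.1.5.5.7.1.1'   # Authority Information Access
$OidCdp = '2.5.29.31'           # CRL Distribution Points

# Resolve to a full path: .NET's working directory can differ from PowerShell's.
$full = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

# Build() returns $false on any problem, including a partial chain
# (missing intermediate) or an undeterminable revocation status.
$built = $chain.Build($cert)
"Chain built cleanly: $built"

foreach ($element in $chain.ChainElements) {
    $c      = $element.Certificate
    $isRoot = ($c.Subject -eq $c.Issuer)   # assumption: self-issued means root
    $hasAia = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq $OidAia })
    $hasCdp = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq $OidCdp })

    [pscustomobject]@{
        Subject = $c.Subject
        IsRoot  = $isRoot
        HasAIA  = $hasAia
        HasCDP  = $hasCdp
        # The root needs neither extension; every other element needs both.
        Finding = if ($isRoot -or ($hasAia -and $hasCdp)) { 'ok' }
                  else { 'missing AIA and/or CDP' }
        Status  = ($element.ChainElementStatus |
                   ForEach-Object { $_.Status }) -join ','
    }
}

# Chain-wide status flags, e.g. PartialChain or RevocationStatusUnknown.
$chain.ChainStatus | ForEach-Object { "{0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
```

Run it on the server that performs the validation, under the same account, so the result reflects the certificate stores and network access that server actually has.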