Re: IIS 6 behavior on checking clients' certificates (again)

From: Brian Komar [MVP] (bkomar_at_nospam.identit.ca)
Date: 09/19/05


Date: Mon, 19 Sep 2005 07:54:06 -0500

In article <2EF41538-1B82-4885-94EA-BD1E288160E4@microsoft.com>,
Vsevolod@discussions.microsoft.com says...
> Hello, Brian !
>
> "Brian Komar [MVP]" wrote:
> > >
> > Run two tests for me:
> >
> > At the client, run certutil -verify -urlfetch <certfile>
> > against the Web server certificate as the certfile.
> >
> > Do the same test at the Web server against the client certificate as the
> > certfile.
> >
> > Post the output. You may have to load the 2k3 Adminpak at both the IIS
> > 6.0 server and at the XP client to run the command. My bet is that,
> > because you used the default configuration, there are issues with the
> > AIA and CDP extensions.
> Brian, you won :) I'm a fool :(
> After I ran certutil at the Web server against the client
> certificate I saw that almost everything is OK except for an expired Delta CRL
> for the client certificate issuer. After publishing a new one my problem
> disappeared.
>
> I'm very grateful to you for your assistance.
>
> My conclusions:
> 1. IIS 6 requires mandatory CDP & AIA certificate extensions for correct
> certificate chain building while IIS 5 doesn't.
> 2. All basic & Delta CRL have to be valid and not expired.
>
> Am I right?
>
>
> BR,
> Vsevolod.
>
This is correct, and the way it should work. CRL checking is not enabled
by default on IIS 5.0, if I remember correctly, while it is enforced on
IIS 6.0. As you can see, for full revocation information to be
determined, both the base *and* delta CRL must be time valid. Without a
valid delta CRL, the IIS service cannot determine the revocation status
of the certificate.

Brian
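An added example, not part of this thread: a PowerShell script that uses .NET's X509Chain to run the same kind of online revocation check that `certutil -verify -urlfetch` (and IIS 6.0) performs against a client certificate, reporting whether the CDP and AIA extensions are present and which chain-status errors come back. `$CertPath` is an assumed parameter naming the client certificate file to test.

```powershell
# Added example (not from the thread): reproduce an online chain/revocation check
# for a client certificate so an administrator can see whether the chain fails on
# missing CDP/AIA data or on an expired base/delta CRL.
# $CertPath is an assumed parameter: path to the client certificate (.cer) to test.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# Report whether the certificate advertises CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
# extensions; without them the verifier has no URL from which to fetch CRLs or issuers.
foreach ($ext in @(@{Name = 'CDP'; Oid = '2.5.29.31'}, @{Name = 'AIA'; Oid = '1.3.6.1.5.5.7.1.1'})) {
    $found = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ext.Oid }
    if ($found) {
        Write-Output ("{0} extension present: {1}" -f $ext.Name, $found.Format($false))
    } else {
        Write-Warning ("{0} extension missing; chain building or CRL retrieval may fail." -f $ext.Name)
    }
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Online = follow the CDP URLs in the certificate, as certutil -verify -urlfetch does.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Roots are not revocation-checked; every other certificate in the chain is.
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 30

$ok = $chain.Build($cert)

# Each ChainStatus entry names one problem found while building or checking the chain.
foreach ($status in $chain.ChainStatus) {
    Write-Output ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}

if ($ok) {
    Write-Output 'Chain built and revocation status determined.'
} else {
    # An expired base or delta CRL typically surfaces as RevocationStatusUnknown
    # and/or OfflineRevocation rather than as Revoked.
    Write-Output 'Chain failed; an expired base or delta CRL typically shows as RevocationStatusUnknown or OfflineRevocation above.'
}
```

Run it on the IIS server against the client certificate, and on the client against the Web server certificate, to mirror the two tests Brian asked for.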


