
Background

Hello, community! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch the updated version of the CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke a client certificate, publish the latest CRL on my CA and want IIS to check the latest information.

Question

What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download the CRL each time I make a request to it.

Setup

What I completed as a setup step:

  1. Set "Accept" for client certificates on IIS.
  2. Checked the following material about IIS CRL settings: link.

Actions

What I am trying to do to disable CRL caching on IIS:

  1. Delete the existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010.
  2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it: netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. The parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
  3. Verify that the information has been updated.

Registry settings

SSL binding settings

If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have a valid cached CRL on the server. It ignores the cached CRL completely.

  1. Restart IIS or reboot the machine: iisreset.
  2. Clear CRL cache: certutil -urlcache crl delete.
  3. Publish new CRL and verify that it doesn't contain our certificate.
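The whole procedure from the two lists above (rebind with netsh, set CertCheckMode=4, clear the CRL cache, restart IIS, then read the binding back), collected into one PowerShell script as an added example; this is not code from the original question, and it reproduces the steps the question reports as not producing the expected result, so it is a way to apply and verify the settings, not a claimed fix. The ipport value and the netsh parameters come from the question; $CertHash and $AppId are placeholders, the registry path under SslBindingInfo is an assumption to confirm on your own machine, and the final certutil -verify step assumes you have the client certificate exported to a file.

```powershell
# Added example (not from the original question). Run in an elevated PowerShell.
#Requires -RunAsAdministrator

$IpPort   = '0.0.0.0:3010'                    # binding used in the question
$CertHash = 'REPLACE_WITH_SERVER_CERT_THUMBPRINT'   # placeholder
$AppId    = '{00000000-0000-0000-0000-000000000000}' # placeholder GUID
$ClientCertFile = 'C:\temp\client.cer'        # placeholder; exported client cert for the final check

# 1. Remove the existing binding (netsh reports an error if none exists; that is fine here).
netsh http delete sslcert "ipport=$IpPort" | Out-Null

# 2. Recreate it with revocation checking enabled, a 10-second freshness window and a
#    30-second (30000 ms) CRL retrieval timeout, i.e. the parameters from the question.
netsh http add sslcert "ipport=$IpPort" "certhash=$CertHash" "appid=$AppId" "certstorename=My" `
    "verifyclientcertrevocation=enable" "revocationfreshnesstime=10" "urlretrievaltimeout=30000"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }

# 3. Set CertCheckMode=4 on the binding so the remote CRL is downloaded even when a
#    cached copy is still valid. Assumption: http.sys keeps per-binding settings under
#    HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\<ip:port>;
#    the key is (re)created by the netsh add above, so it is set afterwards.
$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\$IpPort"
if (-not (Test-Path $KeyPath)) { throw "Binding key $KeyPath not found; check the ipport value" }
Set-ItemProperty -Path $KeyPath -Name 'CertCheckMode' -Value 4 -Type DWord

# 4. Drop cached CRLs so the next handshake cannot be served from the cache.
certutil -urlcache crl delete | Out-Null

# 5. Restart IIS so http.sys re-reads the binding configuration.
iisreset | Out-Null

# 6. Read the effective settings back: the netsh view of the binding plus the registry value.
netsh http show sslcert "ipport=$IpPort" |
    Select-String -Pattern 'Verify Client Certificate Revocation|Revocation Freshness Time|URL Retrieval Timeout'
$mode = (Get-ItemProperty -Path $KeyPath -Name 'CertCheckMode').CertCheckMode
Write-Host "CertCheckMode for ${IpPort}: $mode"

# 7. Optional: check the client certificate's revocation status against a freshly fetched CRL,
#    independent of IIS, to separate "CDP unreachable" from "IIS still using a cached CRL".
if (Test-Path $ClientCertFile) {
    certutil -verify -urlfetch $ClientCertFile | Select-String -Pattern 'Revocation|CRL|Error'
}
```

Step 7 is the check worth keeping even if the binding settings turn out not to matter: if certutil -verify -urlfetch already reports the certificate as revoked (or cannot reach the CDP) while IIS answers differently, the discrepancy is on the IIS side rather than in CRL publication.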

Publishing updated CRL

  1. Send a non-revoked certificate: a 403 status has been returned by IIS. This means that IIS uses the cached CRL and the above-mentioned IIS settings don't work.

Non-revoked certificate

Certificate in Postman

Forbidden result

  1. If I disable CRL checking, it works: verifyclientcertrevocation=disable.
  2. CRL is reachable.

CRL status

  • By default, IIS retrieves a CRL whenever it receives a client cert to make sure that the cert is not revoked, as long as the local cache is expired. For this it contacts the CA to get the CRL and compares the list with the presented client cert. If for any reason it cannot retrieve the CRL, it will go ahead and throw an error message as 403.13 even if the cert is valid and not revoked. That's why you get 403.13, and this can also happen in cases where some proxy/firewall may block access to the CDP to get the CRLs. – samwu Feb 07 '23 at 06:51
  • CDP is reachable in my case. I tried to download it manually and tested using "certutil" tool. – Kyrylo Antoshyn Feb 07 '23 at 10:01
  • @samwu unfortunately, no. – Kyrylo Antoshyn Feb 10 '23 at 12:54
  • It is difficult to reproduce your problem, I suggest you open a case via: https://support.microsoft.com. – samwu Feb 12 '23 at 08:39
  • @samwu already opened: https://techcommunity.microsoft.com/t5/microsoft-iis/disabling-certificate-revocation-list-crl-caching-on-iis-10-0/m-p/3733305. :) – Kyrylo Antoshyn Feb 13 '23 at 09:14
