Updating IIS’ default CRL (Certificate Revocation List)

certificatecrliis-8.5

I'm in the process of creating a (IIS 8.5) web server which will require client authentication. Client authentication will be carried out using client certificates which will be issued by a third party CA.

I want to be able to do the following:

Periodically check the third party's CRL.
Authenticate the client's certificate against the third party CA.

Is this possible?

Best Answer

You should make sure that the root certificate of the third party CA is installed on your server. This ensures you can authenticate the client certs on the server.

A pointer to a certificate's CRL for is stored in the certificates itself, IIS does not have a default CRL. You need to make sure that your server has access to the CRL Distribution Points as specified in the client certificate.

Other than that, you don't have configure anything in regards to CRLs on the server.

Related Solutions

Ssl – IIS 7.0 – SSL certificate – renew or new

You only need to create a temporary website with IIS 6.0. IIS 7.0 allows you to create multiple pending requests at a time.

IIS 7.0 actually has a bug that causes the renew function to generate a CSR with a very large key (much larger than you want). Because of this, it is recommended that you create a new pending request instead of selecting the renew option. Once installed you simply switch the SSL binding on the website and you won't have any downtime. This also allows you to generate a new key every time you renew which increases security.

The certificate provider (CA) doesn't care whether you use the new option or the renew option and you could use either option whether you are staying with the same CA or ordering from a new one.

Ssl – Setup IIS to require client certificate and to use anonymous authentication

Ok we have done the same as you. We worked the other way around. We first secured IIS with the client & server certificate. We did this on IIS Express (still in development while I'm posting this). We allowed in IIS express applicationhost.config to overwrite specific parts of the web.config. I.e.: <section name="windowsAuthentication" overrideModeDefault="Allow" />

Server side Config :

<sytem.serviceModel>
<bindings>
      <wsHttpBinding>
        <binding name="ClientCert">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
</bindings>
<behaviors>
<!--We have a custom service behavior for claim based security -->
        <behavior name="wsHttpCertificateBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
          <serviceAuthorization serviceAuthorizationManagerType="MyNamespace.AdamAuthorizationManager, MyAssembly">
            <authorizationPolicies>
              <add policyType="MyNamespace.AdamAuthorizationPolicy, MyAssembly" />
            </authorizationPolicies>
          </serviceAuthorization>
          <serviceCredentials>
            <serviceCertificate findValue="YourServerCertificateNameWithoutCN=" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <clientCertificate>
              <authentication revocationMode="NoCheck" mapClientCertificateToWindowsAccount="true" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
</behaviors>
<services>
      <service name="MyNamespace.OrderService" behaviorConfiguration="wsHttpCertificateBehavior">
        <endpoint address="https://iisurl/OrderService.svc/ClientCert" contract="wsHttpCertificateBehavior.IOrderService" binding="wsHttpBinding" bindingConfiguration="ClientCert">
        </endpoint>
      </service>
</services>
</sytem.serviceModel>
<system.webServer>
<security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="true" />
        <iisClientCertificateMappingAuthentication defaultLogonDomain="YourDomain" enabled="true" oneToOneCertificateMappingsEnabled="true">
          <oneToOneMappings>
            <add enabled="true" certificate="Base64HashOfTheCertificate" userName="YourUserName" password="YourPassword" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
      <authorization>
        <add users="*" accessType="Allow" />
      </authorization>
      <!--Require SSL *AND* require a client certificate -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
</system.WebServer>

On the client:

<system.serviceModel>
      <wsHttpBinding>
        <binding name="ClientCertificate">
          <security mode="Transport">
            <transport clientCredentialType="Certificate"/>
          </security>
        </binding>
      </wsHttpBinding>
    <behaviors>
      <endpointBehaviors>
        <behavior name="wsHttpCertificateBehavior">
          <clientCredentials>

            <clientCertificate findValue="YourClientCertificateNameWithoutCN=" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName"/>
            <serviceCertificate>
              <authentication revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>

      <endpoint name="ClientCertificate" address="https://iisurl/OrderService.svc/ClientCert" contract="MyNamespace.IOrderService" binding="wsHttpBinding" bindingConfiguration="ClientCertificate" behaviorConfiguration="wsHttpCertificateBehavior">
      </endpoint>
    </client>
</system.serviceModel>

What helped us a lot was enable Tracing, Logging in the service and the custom authorization policy and the IIS Trace Logs.

We have iisurl mapped to 127.0.0.1 in our host file, so we have trusted certifcates. For the iisClientCertificationMapping check this out.

Don't know if your ssl setup is correct. We have a powershell script for that. Some parts of it:

Generating the root certificate (powershell)

Invoke-Command -ScriptBlock{ . "C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\makecert.exe" -n "CN=YourRootCA" -r -sv YourRootCA.pvk YourRootCA.cer}


    $certFile = get-childitem $exPath | where {$_.FullName -match "GlobalVisionServicesRootCA.cer"} 
    if ($certFile -ne $NULL) { 
        echo "Discovered the YourRootCA.cer in the same folder as this script, installing it in the LocalMachine\Root certificate store.." 
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile.FullName)
        $rootStore = new-object system.security.cryptography.x509certificates.x509Store 'Root','LocalMachine'
        $rootStore.Open('ReadWrite')
        $rootStore.Add($cert) 
        $rootStore.Close() 
    }

Generating the server certificate (command line):

makecert.exe  -sk YourDevSrvCert -iv YourRootCA.pvk -n "CN=iisurl" -ic YourRootCA.cer -sr localmachine -ss my -sky exchange -pe yourservercertificate.cer

Generating the server client (command line):

makecert.exe  -sk ClientDevSrvCert -iv YourRootCA.pvk -n "CN=iisurl" -ic GlobalVisionServicesRootCA.cer -sr localmachine -ss my -sky exchange -pe iisurl.cer

Binding the certificates to IIS (command line, XP specific):

httpcfg.exe delete ssl -i "0.0.0.0:443"
httpcfg.exe" delete urlacl url="https://iisurl:443/"

httpcfg.exe set urlacl url="https://iisurl:443/" user=Everyone
httpcfg.exe" set ssl -i "0.0.0.0:443" -h ThumpPrint

change the ThumpPrint to the ThumpPrint of the certificate with subject name iisurl. I recommend you fully automate this with powershell, we have this to, so we can develop on multiple machines. But i can't past all of it here.

I hope this helps you. With this config, if you browse over https to the url iisurl/OrderService It asks you for a client certificate. (In IE)

You can also watch this log: C:\WINDOWS\system32\Logfiles\HTTPERR

Best Answer

Related Solutions

Ssl – IIS 7.0 – SSL certificate – renew or new

Ssl – Setup IIS to require client certificate and to use anonymous authentication

Related Topic