000018993 - How to disable CRL checking in IIS 6.0?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000018993

Applies To:
RSA Key Manager Server
Microsoft Internet Information Server (IIS) 6.0
RSA Key Manager Client

Issue:
How to turn on or off CRL checking in IIS 6.0?
HTTP 403 - Forbidden
If the end-entity certificate contains a Certificate Revocation List Distribution Point (CRLDP) extension, and the URI is not accessible from IIS, then the certificate will be rejected.
Client certificate revoked

Cause:
By default, IIS 6.0 will check for the CRL if the CRLDP extension is present in the certificate. If the CRL can't be found at the specified URI, then IIS will reject the certificate and return an error 403 (Forbidden).

Resolution

Create a file called CRL_check_switch.vbs with the following content:

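' Bind to the W3SVC (web service) node of the local IIS metabase
Set oWeb = GetObject("IIS://localhost/W3SVC")

' The script toggles the setting: CertCheckMode = 1 means CRL checking is OFF
If oWeb.CertCheckMode = 1 Then
 oWeb.CertCheckMode = 0
 msgbox "IIS CRL checking is currently turned OFF." & vblf & vblf & "Turning ON CRL checking.", vbInformation
Else
 oWeb.CertCheckMode = 1
 msgbox "IIS CRL checking is currently turned ON." & vblf & vblf & "Turning OFF CRL checking.", vbInformation
End If
' Write the changed property back to the metabase
oWeb.SetInfo
Set oWeb = Nothing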


Save the file and execute it on your IIS server.
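
The script above flips whatever value it finds, so running it twice, or on a server that is already in the wanted state, does the opposite of what was intended. The following added example (not part of the RSA article) reports the current state and changes it only to an explicitly requested value. The file name crl_check_set.vbs, the status/on/off arguments, and the assumption that each web site node exposes CertCheckMode are assumptions of this example.

```vbscript
' Added example, not from the RSA article.
' Run: cscript //nologo crl_check_set.vbs status|on|off
' Mapping taken from the article's script: CertCheckMode 0 = checking ON, 1 = OFF.
' With checking OFF, IIS no longer rejects revoked client certificates.
Option Explicit
Const CRL_ON = 0
Const CRL_OFF = 1
Dim oWeb, oSite, action, wanted

action = "status"
If WScript.Arguments.Count > 0 Then action = LCase(WScript.Arguments(0))

Set oWeb = GetObject("IIS://localhost/W3SVC")
WScript.Echo "W3SVC: CRL checking is " & Describe(oWeb.CertCheckMode)

' Report the effective value on every web site below W3SVC
' (assumption: CertCheckMode is readable on IIsWebServer nodes).
For Each oSite In oWeb
    If oSite.Class = "IIsWebServer" Then
        WScript.Echo "W3SVC/" & oSite.Name & " (" & oSite.ServerComment & "): " & _
                     Describe(oSite.CertCheckMode)
    End If
Next

Select Case action
    Case "status"
        WScript.Quit 0
    Case "on"
        wanted = CRL_ON
    Case "off"
        wanted = CRL_OFF
    Case Else
        WScript.Echo "Usage: cscript //nologo crl_check_set.vbs status|on|off"
        WScript.Quit 2
End Select

' Idempotent: write to the metabase only when the value actually changes
If oWeb.CertCheckMode = wanted Then
    WScript.Echo "No change needed."
Else
    oWeb.CertCheckMode = wanted
    oWeb.SetInfo
    WScript.Echo "W3SVC: CRL checking is now " & Describe(wanted)
End If

Function Describe(mode)
    If mode = CRL_ON Then Describe = "ON" Else Describe = "OFF (mode " & mode & ")"
End Function
```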

Legacy Article ID: a39779
