Checking the Status of Client Certificates in IIS 6.0
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
Certification authorities (CAs) cannot physically revoke your users' client certificates. However, they may publish Certificate Revocation Lists (CRLs) that are copied onto your computer, where you can search them for client certificates that are in revoked status. For information about retrieving CRLs from a CA and storing them on your computer, see "Retrieve a certificate revocation list" in Help and Support Center for Windows Server 2003.
The metabase properties that control CRL checking can be set or viewed using a COM object, WMI scripts, or ADSI scripts. For information about configuring the metabase, see Configuring the Metabase.
To use a certificate revocation list to check the status of client certificates, take the following actions:
- Enable CRL checking.
- Optionally, configure the CRL on your computer to refresh at a fixed interval, even when the CRL on your computer is still valid.
- Optionally, change the default time interval for refreshing the CRL on your computer at a fixed interval.
Important
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights, and then type cscript.exe ScriptName (include the script's full path and any parameters).
Procedures
To enable and disable CRL checking
- Set the CertCheckMode Metabase Property. CRL checking is enabled by default. The CRL will be refreshed by the CA when a new CRL is issued, unless you intervene by setting a CRL refresh interval.
To set the CRL refresh interval
- Change the setting of the RevocationFreshnessTime Metabase Property. You can refresh the CRL on your computer with the CRL on the CA server even when the cached CRL on your computer is valid.
To change the default interval to a custom time
- Set the RevocationURLRetrievalTimeout Metabase Property to a time in milliseconds.
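The three procedures above can be carried out in one ADSI script run with cscript.exe, as described earlier on this page. The script below is an added example, not code from this page or from Microsoft; it assumes the target is the root of site W3SVC/1, that CertCheckMode 0 means CRL checking is on and 1 means off, and that RevocationFreshnessTime is in seconds (the page states that RevocationURLRetrievalTimeout is in milliseconds). Confirm those assumptions against the metabase property reference before using it.

```vbscript
' Added example (not from the original page): set and then verify the
' CRL-checking metabase properties through ADSI.
Option Explicit

' Assumed target node; adjust to the site or virtual directory you administer.
Const METABASE_PATH = "IIS://localhost/W3SVC/1/Root"
' Assumed unit: seconds. Re-fetch the CRL hourly even if the cached copy is still valid.
Const FRESHNESS_SECONDS = 3600
' Milliseconds (per the page). Give up on a slow CRL distribution point after 15 s.
Const RETRIEVAL_TIMEOUT_MS = 15000

Dim objNode
Set objNode = GetObject(METABASE_PATH)

WScript.Echo "Before:"
ShowSettings objNode

' Assumed value meaning: 0 enables CRL checking (the documented default), 1 disables it.
objNode.Put "CertCheckMode", 0
objNode.Put "RevocationFreshnessTime", FRESHNESS_SECONDS
objNode.Put "RevocationURLRetrievalTimeout", RETRIEVAL_TIMEOUT_MS
' Nothing reaches the metabase until SetInfo is called.
objNode.SetInfo

' Re-read from the metabase instead of trusting the in-memory object.
Set objNode = GetObject(METABASE_PATH)
WScript.Echo "After:"
ShowSettings objNode

' Fail loudly if CRL checking is still off, so a scheduled run cannot silently leave it disabled.
If objNode.Get("CertCheckMode") <> 0 Then
    WScript.Echo "WARNING: CRL checking is not enabled on " & METABASE_PATH
    WScript.Quit 1
End If

Sub ShowSettings(node)
    WScript.Echo "  CertCheckMode                 = " & node.Get("CertCheckMode")
    WScript.Echo "  RevocationFreshnessTime       = " & node.Get("RevocationFreshnessTime")
    WScript.Echo "  RevocationURLRetrievalTimeout = " & node.Get("RevocationURLRetrievalTimeout")
End Sub
```

Run it as cscript.exe with the full script path from an administrator command window, as the Important note above describes.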
Related Information
For information about obtaining client certificates, see Obtaining Client Certificates in IIS 6.0.
For information about enabling client certificates, see Enabling Client Certificates in IIS 6.0.
For information about backing up client certificates, see Backing Up Client Certificates in IIS 6.0.
For more information about WMI and ADSI, see IIS Administration Technologies on MSDN.