How to disable certificate revocation list (CRL) caching on IIS 10.0?


Background

Hello, community! I am trying to disable CRL caching on IIS 10.0 so that an updated version of the CRL is fetched each time I make a request to my website. This is required for development purposes: I revoke or un-revoke a client certificate, publish the latest CRL on my CA and want IIS to check the latest information.

Question

What settings should I change to disable CRL caching on IIS 10.0? I want IIS to download the CRL each time I make a request to it.

Setup

What I completed as setup steps:

  1. Set client certificates to "Accept" on IIS.
  2. Checked the following material about IIS CRL settings: link.

Actions

What I am trying to do to disable CRL caching on IIS:

  1. Delete the existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010.
  2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it: netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. The parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
  3. Verify that the information has been updated.

(Screenshot: Registry settings)

(Screenshot: SSL binding settings)

If CertCheckMode is set to 4, certificate revocation verification is done by downloading the remote CRL, even if we have a valid cached CRL on the server. It ignores the cached CRL completely.

  4. Restart IIS or reboot the machine: iisreset.
  5. Clear the CRL cache: certutil -urlcache crl delete.
  6. Publish a new CRL and verify that it doesn't contain our certificate.

(Screenshot: Publishing updated CRL)

  7. Send the non-revoked certificate: IIS returns a 403 status. This means that IIS uses the cached CRL and the above-mentioned IIS settings don't work.

(Screenshots: Non-revoked certificate; Certificate in Postman; Forbidden result)

  8. If I disable CRL checking, it works: verifyclientcertrevocation=disable.
  9. The CRL is reachable.

(Screenshot: CRL status)
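As an added example, not part of the original question or of any answer, here is the procedure above carried out from one elevated PowerShell session: rebuild the HTTP.sys binding with the netsh revocation parameters the question uses, restart HTTP.sys and flush the machine CRL cache, then present a client certificate to the site and report the HTTP status. The port 0.0.0.0:3010 is the one from the question; the certificate hashes, the application GUID, the client certificate thumbprint and the site URL are placeholders to replace. The extra parameter verifyrevocationwithcachedclientcertonly=disable is a real netsh option (its default is already disable) and the HTTP.sys restart via net stop http is added here because the sslcert parameters are read when the binding is loaded, not on every request.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Placeholders (replace before use):
#   $CertHash          SHA1 thumbprint of the server certificate in LocalMachine\My
#   $AppId             any GUID identifying the owning application
#   $ClientThumbprint  thumbprint of the client certificate in CurrentUser\My
#   $SiteUrl           URL served by the 0.0.0.0:3010 binding
$IpPort           = '0.0.0.0:3010'                               # from the question
$CertHash         = 'REPLACE_WITH_SERVER_CERT_THUMBPRINT'        # placeholder
$AppId            = '{00000000-0000-0000-0000-000000000000}'    # placeholder GUID
$ClientThumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'        # placeholder
$SiteUrl          = 'https://localhost:3010/'                    # placeholder

function Set-FreshCrlBinding {
    param([string]$IpPort, [string]$CertHash, [string]$AppId,
          [int]$FreshnessSeconds = 10, [int]$RetrievalTimeoutMs = 30000)

    # Step 1: remove the current binding (netsh only reports an error if none exists).
    netsh http delete sslcert ipport=$IpPort | Out-Null

    # Step 2: re-add it with revocation checking enabled, a short CRL freshness
    # window and an explicit refusal to rely on the cached CRL alone.
    # appid is quoted because PowerShell would otherwise parse the braces as a script block.
    netsh http add sslcert ipport=$IpPort certhash=$CertHash "appid=$AppId" `
        certstorename=My `
        verifyclientcertrevocation=enable `
        verifyrevocationwithcachedclientcertonly=disable `
        revocationfreshnesstime=$FreshnessSeconds `
        urlretrievaltimeout=$RetrievalTimeoutMs
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

    # Step 3: verify what HTTP.sys stored, both via netsh and in the registry key that
    # backs the binding (the key the question's "Registry settings" screenshot refers to).
    netsh http show sslcert ipport=$IpPort
    $regKey = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\$IpPort"
    if (Test-Path $regKey) { Get-ItemProperty -Path $regKey | Format-List * }
}

function Restart-HttpAndFlushCrlCache {
    # The sslcert parameters take effect when HTTP.sys loads the binding, so restart
    # the HTTP service itself (this stops IIS and anything else using HTTP.sys);
    # starting W3SVC brings HTTP back up as its dependency.
    net stop http /y | Out-Null
    net start w3svc | Out-Null

    # Flush the machine-wide CRL/URL cache and force CryptoAPI chain caches to resync,
    # so the next chain build has to fetch the CRL from the CA again.
    certutil -urlcache crl delete | Out-Null
    certutil -setreg chain\ChainCacheResyncFiletime @now | Out-Null
}

function Test-ClientCertificateRequest {
    param([string]$Url, [string]$Thumbprint)
    $clientCert = Get-Item -Path "Cert:\CurrentUser\My\$Thumbprint"
    try {
        $response = Invoke-WebRequest -Uri $Url -Certificate $clientCert -UseBasicParsing
        return [int]$response.StatusCode
    } catch {
        # A rejected client certificate surfaces as an exception carrying the 403 response;
        # the IIS log shows the substatus (403.13 = client certificate revoked).
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

Set-FreshCrlBinding -IpPort $IpPort -CertHash $CertHash -AppId $AppId
Restart-HttpAndFlushCrlCache
# Publish the updated CRL on the CA before this request, then compare the result
# with the certificate's revocation state.
$status = Test-ClientCertificateRequest -Url $SiteUrl -Thumbprint $ClientThumbprint
"HTTP status with client certificate: $status (200 = accepted, 403 = rejected; see the IIS log substatus)"
```

Two practical caveats when using this. First, IIS Manager rewrites the HTTP.sys binding whenever the site's binding is edited, so the netsh step has to be repeated after any such change; check with netsh http show sslcert that the revocation parameters are still present before blaming the CRL cache. Second, revocationfreshnesstime is a refresh interval, not a per-request fetch: a request arriving inside the 10-second window is still evaluated against the copy fetched at the start of that window. If the server certificate is self-signed, Invoke-WebRequest in PowerShell 7 needs -SkipCertificateCheck for the TLS handshake to complete at all.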
