CertCheckMode Metabase Property

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The CertCheckMode Metabase Property enables or disables Certificate Revocation List (CRL) checking. Its default value is 0 (CertCheckMode=0), which means that IIS searches for an updated CRL by default.

This metabase property is closely related to the RevocationFreshnessTime Metabase Property and the RevocationURLRetrievalTimeout Metabase Property.

| Attribute Name | Attribute Value |
| --- | --- |
| XML Data Type | DWORD |
| WMI Data Type | SINT32 |
| ADSI Data Type | DWORD |
| ABO Data Type | DWORD |
| ABO Metabase Identifier | MD_CERT_CHECK_MODE |
| Attributes | INHERIT |
| Default Value | 0 |
| MetaFlagsEx | CACHE_PROPERTY_MODIFIED |
| User Type | IIS_MD_UT_SERVER |
| ID | 2160 |

Configurable Locations

You can configure this property at the following locations in the IIS metabase.

| Metabase Path | IIS Admin Object Type |
| --- | --- |
| /LM/W3SVC/n | IIsWebServer |
| /LM/W3SVC | IIsWebService |

Values

| Constant | Value | Description |
| --- | --- | --- |
| MD_CERT_NO_REVOC_CHECK | 0x00000001 | Certificate revocation checking is not performed. |
| MD_CERT_CACHE_RETRIEVAL_ONLY | 0x00000002 | During certificate revocation verification, the CRL will not be updated from a remote location, such as a CRL at an external URL. In this case, the CRL that is cached on the client is used. If the CRL is expired, the certificate revocation verification fails. |
| MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME | 0x00000004 | The client CRL is replaced by the CRL at a remote location, even if the CRL that is cached on the client is valid. The value of the RevocationFreshnessTime Metabase Property determines the frequency of this action. |
| MD_CERT_NO_USAGE_CHECK | 0x00010000 | The certificate provided by the client is not verified as valid. |

Important

The MD_CERT_NO_REVOC_CHECK, MD_CERT_CACHE_RETRIEVAL_ONLY, and MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME flags are mutually exclusive.
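The following Python sketch is an added example, not part of the original documentation. It decodes a CertCheckMode value with the constants from the Values table, reports combinations that break the mutual-exclusivity rule, and resolves values inherited from the parent path. It assumes the DWORD values have already been read from the metabase paths listed under Configurable Locations; the function names and the sample paths and values are constructed for illustration.

```python
# Added example; flag names and values are taken from the Values table on this page.
FLAGS = {
    "MD_CERT_NO_REVOC_CHECK": 0x00000001,
    "MD_CERT_CACHE_RETRIEVAL_ONLY": 0x00000002,
    "MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME": 0x00000004,
    "MD_CERT_NO_USAGE_CHECK": 0x00010000,
}
EXCLUSIVE = tuple(FLAGS)[:3]          # the three mutually exclusive revocation flags
KNOWN = sum(FLAGS.values())

def decode(value):
    """Return (flag_names, findings) for one CertCheckMode DWORD."""
    value &= 0xFFFFFFFF               # WMI exposes the property as SINT32
    names = [n for n, bit in FLAGS.items() if value & bit]
    findings = []
    if value & ~KNOWN:
        findings.append(f"undocumented bits set: 0x{value & ~KNOWN:08X}")
    clash = [n for n in names if n in EXCLUSIVE]
    if len(clash) > 1:
        findings.append("mutually exclusive flags combined: " + ", ".join(clash))
    if "MD_CERT_NO_REVOC_CHECK" in names:
        findings.append("certificate revocation checking is not performed")
    if "MD_CERT_CACHE_RETRIEVAL_ONLY" in names:
        findings.append("CRL is not updated from a remote location")
    if "MD_CERT_NO_USAGE_CHECK" in names:
        findings.append("client certificate is not verified as valid")
    return names, findings

def audit(metabase):
    """metabase maps a metabase path to its CertCheckMode, or None if unset there."""
    report = {}
    for path, value in metabase.items():
        if value is None:             # INHERIT: use the parent's value, else default 0
            value = metabase.get(path.rsplit("/", 1)[0]) or 0
        report[path] = (value,) + decode(value)
    return report

# Constructed sample values, not taken from a real server.
SAMPLE = {
    "/LM/W3SVC": 0x00000002,          # service-level setting
    "/LM/W3SVC/1": None,              # site inherits from /LM/W3SVC
    "/LM/W3SVC/2": 0x00010001,        # revocation and validity checks both off
    "/LM/W3SVC/3": 0x00000003,        # invalid: two exclusive flags combined
    "/LM/W3SVC/4": 0x00000000,        # explicit default
}

if __name__ == "__main__":
    for path, (value, names, findings) in audit(SAMPLE).items():
        print(f"{path}: 0x{value:08X} {names or ['(no flags)']}")
        for finding in findings:
            print("   !", finding)
```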

Code Example

For general code examples, see Code Examples to Configure Metabase Properties.