Checking the Status of Client Certificates in IIS 6.0

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Certification authorities (CAs) cannot physically revoke your users' client certificates. However, they may publish Certificate Revocation Lists (CRLs) that are copied onto your computer, where you can search them for client certificates that are in revoked status. For information about retrieving CRLs from a CA and storing them on your computer, see "Retrieve a certificate revocation list" in Help and Support Center for Windows Server 2003.

The metabase properties that control CRL checking can be set or viewed using COM objects, WMI scripts, or ADSI scripts. For information about configuring the metabase, see Configuring the Metabase.

To use a certificate revocation list to check the status of client certificates, take the following actions:

  • Enable CRL checking.

  • Optionally, configure the CRL on your computer to refresh at a fixed interval, even when the CRL on your computer is still valid.

  • Optionally, change the default time interval for refreshing the CRL on your computer at a fixed interval.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

Procedures

To enable and disable CRL checking

  • Set the CertCheckMode Metabase Property. CRL checking is enabled by default. The CRL on your computer is refreshed when the CA issues a new CRL, unless you intervene by setting a CRL refresh interval.
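The following ADSI script is an added example, not code from the original page or from Microsoft: it carries out the enable step above and the optional refresh-interval steps from the task list, reading each property back after SetInfo so the change can be confirmed. It assumes the site is W3SVC/1 (override with /site:), that a CertCheckMode value of 0 enables CRL checking and 1 disables it, and that RevocationFreshnessTime holds the refresh interval in seconds; the script name SetCrlCheck.vbs and its /mode: and /interval: switches are this example's own.

```vbscript
' SetCrlCheck.vbs (added example, not part of the original page)
' Usage: cscript.exe SetCrlCheck.vbs [/site:1] [/mode:0] [/interval:3600]
'   /site      metabase site identifier under W3SVC (assumed default: 1)
'   /mode      CertCheckMode; assumed 0 = CRL checking on, 1 = off
'   /interval  RevocationFreshnessTime in seconds (assumed semantics);
'              omitted = leave the current value alone
Option Explicit

Dim args, siteId, sitePath, site, wantMode, wantInterval
Set args = WScript.Arguments.Named

' Default site and mode, both assumptions of this example
siteId = "1"
If args.Exists("site") Then siteId = args.Item("site")
wantMode = 0
If args.Exists("mode") Then wantMode = CLng(args.Item("mode"))
If wantMode <> 0 And wantMode <> 1 Then
    WScript.Echo "mode must be 0 (enable CRL checking) or 1 (disable)"
    WScript.Quit 2
End If

sitePath = "IIS://localhost/W3SVC/" & siteId

' Open the site node through the IIS ADSI provider; fail loudly if absent
On Error Resume Next
Set site = GetObject(sitePath)
If Err.Number <> 0 Then
    WScript.Echo "Cannot open " & sitePath & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "Before: CertCheckMode = " & ReadProp(site, "CertCheckMode") _
    & ", RevocationFreshnessTime = " & ReadProp(site, "RevocationFreshnessTime")

' Apply the requested CRL-checking mode
site.Put "CertCheckMode", wantMode

' Only touch the refresh interval when the caller asked for one
If args.Exists("interval") Then
    wantInterval = CLng(args.Item("interval"))
    If wantInterval < 0 Then
        WScript.Echo "interval must be a non-negative number of seconds"
        WScript.Quit 2
    End If
    site.Put "RevocationFreshnessTime", wantInterval
End If

' Commit to the metabase and read the values back as the check
On Error Resume Next
site.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "SetInfo failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

WScript.Echo "After:  CertCheckMode = " & ReadProp(site, "CertCheckMode") _
    & ", RevocationFreshnessTime = " & ReadProp(site, "RevocationFreshnessTime")

If CLng(ReadProp(site, "CertCheckMode")) <> wantMode Then
    WScript.Echo "Verification failed: CertCheckMode did not take effect"
    WScript.Quit 1
End If
WScript.Echo "CRL checking is now " & IIfText(wantMode = 0, "enabled", "disabled")

' Returns the property value (inherited values included) or "(unset)"
Function ReadProp(node, name)
    On Error Resume Next
    ReadProp = node.Get(name)
    If Err.Number <> 0 Then ReadProp = "(unset)"
    On Error GoTo 0
End Function

' VBScript has no inline conditional, so a small helper stands in for one
Function IIfText(cond, whenTrue, whenFalse)
    If cond Then IIfText = whenTrue Else IIfText = whenFalse
End Function
```

Run it from an administrator command window as described in the Important note above, for example cscript.exe C:\Scripts\SetCrlCheck.vbs /site:1 /mode:0 /interval:3600. Reading the properties back after SetInfo matters because a site-level Put silently overrides any inherited value, so the "After" line is what tells you which setting the site will actually use.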

To set the CRL refresh interval

To change the default interval to a custom time