Client certificate warnings on upgrade

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

If you have a Web site on Internet Information Services (IIS) 5.0 that requires client certificates, when you upgrade the server to Microsoft Windows Server 2003 with IIS 6.0, clients that connect to the site may receive one of the following error messages even if the client certificates are not controlled by a certificate trust list (CTL):

HTTP 403.16 Forbidden: Client certificate untrusted or invalid.

-or-

HTTP 403.16 Forbidden: Client certificate is ill-formed or is not trusted by the web server.

-or-

HTTP Error 403.7: Forbidden: SSL client certificate is required.

In addition, when the client accesses the Web site, one of two things may happen:

  • The client may not receive the Client Authentication dialog box in the browser, and therefore cannot choose a client certificate that allows access to the Web site.

  • If the client receives the Client Authentication dialog box, the certificate list in the Client Authentication dialog box may not display the required client certificate.

These issues may occur if the client certificate was created by a certification authority that the IIS computer does not trust. In IIS 5.0, you could specify a CTL that contained certification authorities whose root certification authority (CA) certificates were installed in the personal certificate store on the local computer. However, in IIS 6.0, the root CA certificates must be installed in the Trusted Root Certification Authorities certificate store on the local computer. This is because IIS 6.0 verifies certificates based on the rules specified in the CryptoAPI. The CryptoAPI rejects certificates if the root CA certificates are not installed in the Trusted Root Certification Authorities certificate store on the local computer.

To resolve the error and display the certificate in the browser, you must install the root CA certificate in the Trusted Root Certification Authorities certificate store on the local computer.

Procedures

To install the root CA certificate in the Trusted Root Certification Authorities certificate store on the local computer

  1. Add a Certificates snap-in for the local computer. For more information about adding a Certificates snap-in, see "To manage certificates for a computer" in Windows Server 2003 Help and Support Center.

  2. Export the certificate from the Personal Certificate store on the local computer. For more information about exporting a certificate, see "To export a certificate" in Windows Server 2003 Help and Support Center.

  3. Import the certificate to the Trusted Root Certification Authorities certificate store on the local computer. For more information about importing a certificate, see "To import a certificate" in Windows Server 2003 Help and Support Center.
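The same three steps as a script, added here as an example that is not part of the original article: it copies the root CA certificate from the Personal store into Trusted Root Certification Authorities using the .NET X509Store class, then uses X509Chain (which builds the chain through CryptoAPI, the same verification IIS 6.0 applies) to confirm a client certificate is now trusted. It assumes Windows PowerShell is installed on the server; $RootThumbprint and $ClientCertPath are placeholders you replace with your own values.

```powershell
# Added example (not from the original article). Replace the two placeholders.
$RootThumbprint = 'REPLACE_WITH_ROOT_CA_THUMBPRINT'   # assumed: thumbprint of the root CA certificate
$ClientCertPath = 'C:\temp\client.cer'              # assumed: path to an exported client certificate

# Step 1/2: locate the root CA certificate in the local computer's Personal store.
$personal = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$personal.Open('ReadOnly')
$root = $personal.Certificates | Where-Object { $_.Thumbprint -eq $RootThumbprint }
$personal.Close()
if (-not $root) { throw "Root CA certificate $RootThumbprint not found in LocalMachine\My" }

# Step 3: import it into Trusted Root Certification Authorities on the local computer.
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$trusted.Open('ReadWrite')
$trusted.Add($root)
$trusted.Close()

# Check: build a CryptoAPI chain for the client certificate, as IIS 6.0 does.
# Before the import, ChainStatus reports UntrustedRoot; afterwards Build() returns True.
$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ClientCertPath)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust question from CRL reachability
if ($chain.Build($client)) {
    "Chain is trusted; IIS 6.0 should accept this client certificate."
} else {
    "Chain building failed:"
    $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation)" }
}
```

On a server without PowerShell, `certutil -addstore Root <root.cer>` performs the import and `certutil -verify <client.cer>` performs the same chain check.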