/ notes / misc

IIS

Application Pool Identities

Docs: https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities

User ‘AppPoolName’ : IIS AppPool\AppPoolName

Disable check of client certificate revocation list

How to disable the check of client certificate CRL, Certification Revocation List. IIS will only check cartificate validity (start/end date, chain, etc.) but will not try to download CRL or use it.

Check current status: netsh http show sslcert

Change the behavior:

Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 (or parallel path)
Set (create/modify) [Dword] DefaultSslCertCheckMode=1 to disable CRL
At command line:
- net stop http
- net start http
- or, better, reboot the system

Values meaning:

0 = The client certificate revocation check is enabled
1 = Revocation information will not be checked for client certificates

More info:

https://www.asptricks.net/2016/01/how-to-disable-crl-check-on-iis-8x.html
https://techcommunity.microsoft.com/t5/iis-support-blog/disable-client-certificate-revocation-crl-check-on-iis/ba-p/377134