⇒ This is just a collection of notes, not a structured or comprehensive document. ⇐
IIS
Application Pool Identities
Docs: https://learn.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities
User ‘AppPoolName’ : IIS AppPool\AppPoolName
Disable check of client certificate revocation list
How to disable the check of the client certificate CRL (Certificate Revocation List). IIS will only check certificate validity (start/end date, chain, etc.) but will not try to download the CRL or use it.
Check current status: netsh http show sslcert
Change the behavior:
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 (or parallel path)
- Set (create/modify) [Dword] DefaultSslCertCheckMode=1 to disable CRL
- At command line:
    - net stop http
    - net start http
- or, better, reboot the system
 
Values meaning:
- 0 = The client certificate revocation check is enabled
- 1 = Revocation information will not be checked for client certificates
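The steps above as a PowerShell sketch (an added example, not part of the original notes): it lists every binding under SslBindingInfo with its DefaultSslCertCheckMode, so bindings where the revocation check is off are easy to spot, and it can set the value for one binding. The function names are hypothetical; run it from an elevated prompt.

```powershell
# Added example. Registry path and value name are the ones given in the notes.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo'

function Get-SslCertCheckMode {
    # One row per SSL binding key (e.g. 0.0.0.0:443) with its current mode.
    Get-ChildItem -LiteralPath $root | ForEach-Object {
        $mode = $_.GetValue('DefaultSslCertCheckMode', $null)
        $state = switch ($mode) {
            $null   { 'value not set' }
            0       { 'CRL check enabled' }
            1       { 'CRL check disabled' }
            default { "other value ($mode), not covered by these notes" }
        }
        [pscustomobject]@{
            Binding = $_.PSChildName
            Mode    = $mode
            State   = $state
            KeyPath = $_.PSPath
        }
    }
}

function Set-SslCertCheckMode {
    param(
        [Parameter(Mandatory)][string]$Binding,              # e.g. '0.0.0.0:443'
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Mode  # 0 = check, 1 = no check
    )
    $entry = Get-SslCertCheckMode | Where-Object { $_.Binding -eq $Binding }
    if (-not $entry) { throw "No SslBindingInfo key found for '$Binding'" }

    # Creates the DWORD if it is missing, otherwise overwrites it.
    Set-ItemProperty -LiteralPath $entry.KeyPath -Name 'DefaultSslCertCheckMode' `
        -Value $Mode -Type DWord

    Write-Warning "Was $($entry.State); now set to $Mode. Restart the HTTP service (net stop http / net start http) or reboot to apply."
}

# Audit: show all bindings, then only those with revocation checking turned off.
Get-SslCertCheckMode | Format-Table Binding, Mode, State -AutoSize
Get-SslCertCheckMode | Where-Object { $_.Mode -eq 1 } |
    ForEach-Object { Write-Warning "Revocation check is off for $($_.Binding)" }

# Change (uncomment to apply to the binding from the notes):
# Set-SslCertCheckMode -Binding '0.0.0.0:443' -Mode 1
```

Compare the listing with the output of `netsh http show sslcert` before and after the change.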
More info:
- https://www.asptricks.net/2016/01/how-to-disable-crl-check-on-iis-8x.html
- https://techcommunity.microsoft.com/t5/iis-support-blog/disable-client-certificate-revocation-crl-check-on-iis/ba-p/377134