CertCheckMode

The CertCheckMode property enables or disables Certificate Revocation List (CRL) checking. When CertCheckMode is set to a value greater than 0 (CertCheckMode>0), the CRL is not searched for certificates that have been revoked. When CertCheckMode is equal to 0 (CertCheckMode=0), the CRL is searched for certificates that have been revoked.

Schema Attributes

| Attribute Name | Value |
| --- | --- |
| ADSI/WMI Data Type | DWORD |
| ABO Data Type | DWORD_METADATA |
| Schema Default | 0 |
| Internal Default | Not specified. |
| Upper Bound | 0 |
| Lower Bound | Not specified |
| Internal ID | 2160 |
| Friendly ID | No friendly name is defined for this identifier in iiscnfg.h. Use the Internal ID attribute listed above. |
| Property Attributes | INHERIT |
| User Type | IIS_MD_UT_SERVER |

Configurable Locations

You can configure this property at the following locations in the IIS metabase.

| Metabase Path | IIS Admin Object Type |
| --- | --- |
| /LM/W3SVC | IIsWebService |
| /LM/W3SVC/n | IIsWebServer |

Flags

| Flag Name | Versions Applicable | Description | Bitmask | Friendly Bitmask ID | Internal ID |
| --- | --- | --- | --- | --- | --- |
| MD_CERT_NO_REVOC_CHECK | [IIS 5.0][IIS 5.1][IIS 6.0] | When MD_CERT_NO_REVOC_CHECK is set to true, certificate revocation is not performed. | 1 (hex 0x00000001) | MD_CERT_NO_REVOC_CHECK | None specified. |
| MD_CERT_CACHE_RETRIEVAL_ONLY | [IIS 5.0][IIS 5.1][IIS 6.0] | When MD_CERT_CACHE_RETRIEVAL_ONLY is set to true, the CRL will not be updated from a remote location, such as a CRL URL location, during a certificate revocation verification. In this case, the CRL that is cached on the client is used. If the CRL is expired, the certificate revocation verification fails. | 2 (hex 0x00000002) | MD_CERT_CACHE_RETRIEVAL_ONLY | None specified. |
| MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME | [IIS 5.0][IIS 5.1][IIS 6.0] | When MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME is set to true, the client CRL is replaced by the remote CRL, even if the CRL that is cached on the client is valid. The value of the RevocationFreshnessTime property is used as a counter, which determines the frequency of this action. | 4 (hex 0x00000004) | MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME | None specified. |
| MD_CERT_NO_USAGE_CHECK | [IIS 5.0][IIS 5.1][IIS 6.0] | When MD_CERT_NO_USAGE_CHECK is set to true, the certificate provided by the client is not verified as valid. | 65536 (hex 0x00010000) | MD_CERT_NO_USAGE_CHECK | None specified. |
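
The following audit helper is an added example, not code from this reference page or from IIS. It decodes a CertCheckMode DWORD using the bitmasks listed above and resolves the effective value for a site, given that the property is INHERIT and configurable at /LM/W3SVC and /LM/W3SVC/n. It assumes the metabase values have already been exported into a dictionary of path to DWORD; the function names and the sample values are constructed for illustration.

```python
# Flag bitmasks as listed in the Flags section of this page.
FLAGS = {
    0x00000001: "MD_CERT_NO_REVOC_CHECK",
    0x00000002: "MD_CERT_CACHE_RETRIEVAL_ONLY",
    0x00000004: "MD_CERT_CHECK_REVOCATION_FRESHNESS_TIME",
    0x00010000: "MD_CERT_NO_USAGE_CHECK",
}
KNOWN_MASK = 0x00010007  # OR of the four documented bitmasks
SCHEMA_DEFAULT = 0       # Schema Default from the attribute table


def decode(value):
    """Return (flag names set, leftover bits not documented on this page)."""
    names = [name for bit, name in FLAGS.items() if value & bit]
    return names, value & ~KNOWN_MASK & 0xFFFFFFFF


def effective_value(path, settings):
    """Resolve an INHERIT property: nearest key at or above `path` wins."""
    key = path.rstrip("/")
    while key:
        if key in settings:
            return settings[key]
        key = key.rpartition("/")[0]  # step up to the parent key
    return SCHEMA_DEFAULT


def audit(path, settings):
    """Return (value, flag names, findings) for one metabase path."""
    value = effective_value(path, settings)
    names, unknown = decode(value)
    findings = []
    if "MD_CERT_NO_REVOC_CHECK" in names:
        findings.append("revocation checking is off")
    elif "MD_CERT_CACHE_RETRIEVAL_ONLY" in names:
        findings.append("cached CRL only; an expired CRL fails verification")
    if "MD_CERT_NO_USAGE_CHECK" in names:
        findings.append("certificate provided by the client is not verified as valid")
    if unknown:
        findings.append("undocumented bits set: 0x%08X" % unknown)
    return value, names, findings


# Constructed sample export: site 2 overrides the service-level value.
SAMPLE = {"/LM/W3SVC": 0x00000002, "/LM/W3SVC/2": 0x00010001}

if __name__ == "__main__":
    for site in ("/LM/W3SVC/1", "/LM/W3SVC/2"):
        print(site, audit(site, SAMPLE))
```

In the sample, site 1 has no value of its own and inherits the service-level setting, while site 2 overrides it with a value that turns off both revocation checking and certificate validation.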

Requirements

Client: Requires Windows XP Professional, Windows 2000 Professional, or Windows NT Workstation 4.0.

Server: Requires Windows Server 2003, Windows 2000 Server, or Windows NT Server 4.0.

Product: IIS

See Also

Concepts

Comparison of IIS Administration Features

Using IIS Programmatic Administration

RevocationFreshnessTime

RevocationURLRetrievalTimeout

SSLAlwaysNegoClientCert

SSLCertHash

SslCtlIdentifier

SslCtlStoreName

SSLStoreName

SslUseDsMapper

Request.ClientCertificate Collection