IIS 10.0
Disabling Certificate Revocation List (CRL) Caching on IIS 10.0
Background

Hello, community members! I am trying to disable CRL caching on IIS 10.0 in order to be able to fetch an updated version of the CRL each time I make a request to my website. It is required for development purposes: I revoke or un-revoke a client certificate, publish the latest CRL on my CA and want IIS to check the latest information.

Setup

What I completed as setup steps:

1. Exported the root CA certificate and installed it on my computer by following these articles: https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/health-diagnostic-performance/http-403-forbidden-access-website and https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/export-root-certification-authority-certificate.
2. Set "Accept" for client certificates on IIS.
3. Checked the following materials about IIS CRL settings: CRL checking by IIS - Microsoft Community Hub, https://learn.microsoft.com/en-us/windows/win32/api/http/ns-http-http_service_config_ssl_param, https://learn.microsoft.com/en-us/archive/blogs/kaushal/disable-client-certificate-revocation-crl-check-on-iis.

Actions

What I am trying to do to disable CRL caching on IIS:

1. Delete the existing SSL binding for my website: netsh http delete sslcert ipport=0.0.0.0:3010
2. Add a binding which tells IIS to download the CRL every 10 seconds and not to cache it (see the last three parameters): netsh http add sslcert ipport=0.0.0.0:3010 certhash=SOME_VALUE appid={SOME_VALUE} certstorename=My verifyclientcertrevocation=enable revocationfreshnesstime=10 urlretrievaltimeout=30000. These parameters mean that we enable CRL checking, refresh the CRL every 10 seconds and set the HTTP timeout for the CRL download to 30 seconds (30000 milliseconds).
3. Verify that the information has been updated. If CertCheckMode is set to 4, certificate revocation verification will be done by downloading the remote CRL, even if we have a valid cached CRL on the server. It ignores the cached CRL completely.
4. Restart IIS or reboot the machine: iisreset
5. Clear the CRL cache: certutil -urlcache crl delete
6. Publish a new CRL and verify that it doesn't contain our certificate.
7. Send the non-revoked certificate: a 403 status is returned by IIS. This means that IIS uses the cached CRL and the above-mentioned IIS settings don't work. If I disable CRL checking it works: verifyclientcertrevocation=disable. The CRL is reachable.

Question

What settings should I change in order to disable CRL caching on IIS 10.0? I want IIS to download the CRL each time I make a request to it.

7.3K Views, 0 likes, 2 Comments

.Net Core IIS App runs on Server 2016, not on Server 2022
We have an IIS app, a .Net Core application, that runs fine on Server 2016. We have .Net Framework 4.8 on both servers, IIS 10 on both servers and .Net Core 6.0. What happens on Server 2022 is that we receive an error in the browser that says "can't reach this page". We have checked Windows Firewall rules, event logs and IIS logs, and are stuck on this. Any suggestions are appreciated.

27 Views, 0 likes, 0 Comments