What we want, is to create a Certificate Trust List and bind it to a IIS Site, on IIS 6.0 it's pretty much straight forward. On IIS 7 it's not that simple.
Before anything else, we need the MakeCTL.exe tool, wich can be obtained from Windows SDK for Windows Server 2008 and .NET Framework 3.5 package, found here: http://www.microsoft.com/downloads/details.aspx?FamilyId=E6E1C3DF-A74F-4207-8586-711EBE331CDC&displaylang=en
On the application server or the machine where the application resides, we need to run the tool with elevated privileges (Run as Administrator).
At the first screen click Next.
The following screen will ask for a prefix that identifies the CTL (later we will use this prefix as the Friendly Name for our CTL), for our example we will call it TuganologyTest.
Then we need to Add a Purpose for our CTL, in this case we'll use an Object ID with the value 1.3.6.1.4.1.311.10.1, wich identifies a "Certificate Trust List" purpose, a full list can be found here: http://support.microsoft.com/kb/287547
After we add a purpose, it should look something like this:
Choose Next.
Now we need to choose Add from Store option to select the certificates witch our CTL is going to contain (I chose a well known issuer for this example, you should use whatever issuer you need to trust in your application).
On this screen, we may use the View Certificate option to check if everything is OK.
At the Certificate Trust List Storage, we need to select the Certificate Store and click browse, check the Show physical stores option and navigate to Local Computer under Intermediate Certification Authorities.
After clicking OK and Next, we need to validate the Friendly Name of the CTL (witch we chose at the begining). Select Next and then Finish.
Now we have our CTL created, to make sure everything is accordingly with what we want, we can open an MMC Console, add the Certificates Snap-In (Computer Account), browse to the Intermediate Certification Authority and check if our CTL appears there.
Now that we wrapped up the CTL issue, we need to associate it to our application, for this we will use the netsh command, more information on it can be found here: http://technet.microsoft.com/en-us/library/cc725882(WS.10).aspx
First of, we need to run a command console with elevated privileges (run cmd.exe as administrator).
Execute the command: netsh http show sslcert
The output should be something like this:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 24533c00fee7af7796331ca00f7ca29c49218a80
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
In our case, I have an application with SSL listening on port 443 (I created a Self Signed Certificate to achieve this)
Note that both CTL Identifier and CTL Store Name (red lines) are null, for future reference we need to keep the information from the IP:port, Certificate Hash and Application ID fields.
Now we need to delete this binding, witch can be done by running the following command:
netsh http delete sslcert ipport=0.0.0.0:443
After we delete it, we need to recreate it, but this time we will add our previously created CTL to the pot with the following command:
netsh http add sslcert ipport=0.0.0.0:443 certhash=24533c00fee7af7796331ca00f7ca29c49218a80 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=TuganologyTest sslctlstorename=CA
Please note that we used the Friendly Name of the CTL, the certhash and appid are the same from the previous binding (witch we deleted earlier).
Now if we run the command to check the bindings again:
netsh http show sslcert
We get the following output:
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : 24533c00fee7af7796331ca00f7ca29c49218a80
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : TuganologyTest
Ctl Store Name : CA
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Now the CTL Identifier and Store name are no longer with null values, in fact we now have our application associated with our CTL.
I've written this post in English because I didn't find much information about this procedure (CTLs and IIS7.x bindings) online, hope it helps.
For doubts please contact: tuganologia@gmail.com
NR
