How to configure certificate trust lists in Internet Information Services 5.0

This step-by-step article describes how to create and configure Certificate Trust Lists (CTLs) by using the Certificate Trust List Wizard in Internet Information Services (IIS) version 5.0.

A CTL is a list of trusted certification authorities (CAs) for a particular Web site. You can use CTLs to configure your Web server to accept certificates from a specific list of CAs, and automatically verify client certificates against this list. Only users with a client authentication certificate that is issued by a CA in the CTL can gain access to the server.

Each Web site on your server can be configured to accept certificates from a different CTL. You may want to do this if you need a different list of trusted CAs for each Web site.

For example, an intranet administrator can create a CTL that is specific to each department's Web site on the company network. Only certificates that are from CAs on a particular department's CTL are accepted by IIS. When members of a particular department log on with a client certificate from a CA on that department's CTL, they are automatically authenticated.

Use the Certificate Trust List Wizard in IIS to create new CTLs and modify existing CTLs.

Notes

• By default, the most commonly used CA root certificates are already installed by IIS.
• You can create and manage CTLs at the Web site level only. CTLs do not apply to virtual directories or files.
• CTLs are not available on FTP sites.
• The certificate that is added to the CTL needs to be from a Root CA. Trusted certificates from an Intermediate CA will fail. This is for security reasons and is by design.

Create a new certificate trust list

To create a new CTL:

1. Log on to your Windows 2000-based computer as administrator.
2. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
3. In the Internet Information Services window, click the plus sign (+) next to * server name to expand the group.
4. Right-click the Web site for which you want to create a CTL (for example, Default Web Site), and then click Properties.
5. Click the Directory Security tab, and then click Edit under Secure communications.
6. Click to select the Enable certificate trust list check box, and then click New. The Certificate Trust List Wizard starts.
7. Click Next.
8. To add a certificate to the CTL, click Add from Store or Add from File, click (or locate) the certificate that you want to add, and then click OK (or Open). The certificate is added to the Current CTL certificates list.
9. Repeat step 8 to add the certificates that you want to the CTL, and then click Next.
10. Type a name and description for the CTL in the appropriate boxes, and then click Next.
11. Click Finish, and then click OK on the The Certificate Trust List wizard succeeded message that appears. The CTL that you created is displayed in the Current CTL box.
12. Click OK twice and then quit Internet Services Manager, or close the IIS snap-in.

Modify an existing certificate trust list

To modify an existing CTL:

1. Log on to your Windows 2000-based computer as administrator.
   
   
2. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
3. In the Internet Information Services window, click the plus sign (+) next to * server name to expand the group.
4. Right-click the Web site for the CTL that you want to modify (for example, Default Web Site), and then click Properties.
5. Click the Directory Security tab, and then click Edit under Secure communications.
6. In the Current CTL box, click the CTL that you want to modify, and then click Edit. The Certificate Trust List Wizard starts.
7. Click Next.
8. Do any of the following:
   • To add a certificate to the CTL, click Add from Store or Add from File, then click (or locate) the certificate that you want to add, and then click OK (or Open).
   • To remove a certificate from the CTL, click the certificate that you want to remove in the Current CTL certificates box, and then click Remove.
   • To view a certificate, click the certificate that you want to view in the Current CTL certificates box, and then click View Certificate.
9. Click Next. Make the changes that you want (if any) to the name and description of the CTL, and then click Next.
10. Click Finish, and then click OK on the The Certificate Trust List wizard succeeded message that appears.
11. Click OK twice and then quit Internet Services Manager, or close the IIS snap-in.

Troubleshooting

When you attempt to create a CTL, the Edit button under Secure communications in the Directory Security tab of the Web site's Properties may be unavailable. This behavior can occur if a server certificate is not installed on the Web server. You cannot use the secure communications features of IIS until a valid server certificate is installed. To resolve this behavior, obtain and install a server certificate.

For more information about how to obtain and install a server certificate, see the "Certificates" section in the IIS 5.0 online documentation. To view the documentation, start Microsoft Internet Explorer, type http://localhost/iisHelp/">http://localhost/iisHelp/ in the Address bar, and then press ENTER. For more information about troubleshooting Certificate Trust List issues in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:

For more information about working with certificates and how to configure Secure Sockets Layer (SSL) in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base: