IIS returns HTTP "403.13 Client Certificate Revoked" error message although certificate is not revoked
Article ID: 294305 - View products that this article applies to.
This article was previously published under Q294305
When you browse to a Web site that is set to require client certificates, you may receive the following HTTP error message even if you are sure that the client certificate has not been revoked:
403.13 Client Certificate Revoked
By default, Internet Information Services (IIS) checks whether the client certificate being presented has been revoked. It does this by downloading the Certificate Revocation List (CRL) from a CRL Distribution Point (CDP) that is listed in the client certificate. If IIS is unable to download at least one of the CRLs for the client certificate, the HTTP error message is displayed in the client's browser.
For each certificate in the chain that has a CDP listed, ensure that IIS is able to download at least one CRL. This usually involves adjusting firewall, proxy, or Domain Name Server (DNS) settings to admit the necessary traffic; depending on the protocol, this can be Hypertext Transfer Protocol (HTTP) or remote procedure call (RPC). Note that the Web server must be able to resolve the CRL even if the client browser can resolve the CRL because the Web server is servicing the HTTP request that requires the client certificate.
To avoid the HTTP 403.13 error message, do one of the following:
To view a certificate's CDP, follow these steps:
Sample CRL Distribution Points:
CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=http://server.domain.com/CertEnroll/server%20Root%20CA.crl

CRL Distribution Point
  Distribution Point Name:
    Full Name:
      URL=file://\\server2.domain.com\CertEnroll\server2%20Root%20CA.crl
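The rule above (every certificate in the chain that lists a CDP must yield at least one CRL that the Web server itself can download) can be turned into a diagnostic you run from the Web server. The following Python script is an added example, not part of the Knowledge Base article: it parses the "CRL Distribution Points" text as it appears in the certificate dialog, tries each URL, and reports which certificates would trigger the 403.13 condition. The chain below is constructed for illustration; the `simulated_fetch` function stands in for the network so the script runs offline, while `default_fetch` performs the real HTTP or UNC download.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import unquote, urlparse

# The "CRL Distribution Points" field of the certificate dialog lists each
# location as "URL=<url>"; this pattern pulls those out of the pasted text.
CDP_URL_RE = re.compile(r"URL=(\S+)")


def parse_cdp_field(text):
    """Return every URL= entry in a pasted CRL Distribution Points field."""
    return CDP_URL_RE.findall(text)


def default_fetch(url, timeout=5):
    """Download one CRL from the Web server's own network position.

    Returns the byte count on success and raises on any failure; the caller
    treats an exception as "IIS could not download this CRL".
    """
    scheme = urlparse(url).scheme.lower()
    if scheme in ("http", "https"):
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return len(resp.read())
    if scheme == "file":
        # file:// CDPs carry a UNC path; the OS resolves the share.
        path = unquote(url[len("file://"):])
        with open(path, "rb") as fh:
            return len(fh.read())
    raise ValueError(f"unsupported CDP scheme: {scheme}")


def check_chain(chain, fetch=default_fetch):
    """Apply the KB rule: every certificate that lists a CDP must yield at
    least one downloadable CRL. Certificates without a CDP are skipped.

    chain: list of (subject, cdp_field_text) pairs.
    Returns (all_ok, report) where report maps subject -> {"ok": bool,
    "attempts": [(url, outcome), ...]}. all_ok False means IIS would
    answer 403.13 even though nothing is actually revoked.
    """
    report = {}
    all_ok = True
    for subject, cdp_text in chain:
        urls = parse_cdp_field(cdp_text)
        if not urls:
            report[subject] = {"ok": True, "attempts": []}
            continue
        attempts = []
        ok = False
        for url in urls:  # try all of them so the report shows each path
            try:
                size = fetch(url)
                attempts.append((url, f"ok ({size} bytes)"))
                ok = True
            except Exception as exc:  # DNS, firewall, proxy or share errors
                attempts.append((url, f"failed: {exc}"))
        report[subject] = {"ok": ok, "attempts": attempts}
        all_ok = all_ok and ok
    return all_ok, report


# Constructed sample chain (hypothetical subjects). The two URLs are the ones
# shown in the article's sample CRL Distribution Points field.
SAMPLE_CHAIN = [
    ("CN=server Root CA", ""),  # root: no CDP listed, nothing to download
    ("CN=Issuing CA",
     "CRL Distribution Point Distribution Point Name: Full Name: "
     "URL=http://server.domain.com/CertEnroll/server%20Root%20CA.crl "
     "URL=file://\\\\server2.domain.com\\CertEnroll\\server2%20Root%20CA.crl"),
    ("CN=client.user",
     "URL=file://\\\\server2.domain.com\\CertEnroll\\server2%20Root%20CA.crl"),
]


def simulated_fetch(url):
    """Offline stand-in: HTTP is allowed through the firewall, the UNC share
    is not reachable from the Web server."""
    if url.lower().startswith("http"):
        return 1024
    raise OSError("share not reachable from Web server")


if __name__ == "__main__":
    all_ok, report = check_chain(SAMPLE_CHAIN, fetch=simulated_fetch)
    for subject, entry in report.items():
        print(subject, "OK" if entry["ok"] else "NO DOWNLOADABLE CRL")
        for url, outcome in entry["attempts"]:
            print("   ", url, "->", outcome)
    print("Expect HTTP 403.13:", "no" if all_ok else "yes")
```

Run it on the Web server itself (with `default_fetch`) rather than from a workstation: as the article notes, it is the server that must resolve and reach the CDP, so a CRL the browser can download proves nothing about the server's proxy, firewall or DNS configuration.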
REFERENCES
For more information on Wfetch.exe, click the following article number to view the article in the Microsoft Knowledge Base:
284285 How to Use Wfetch.exe to Troubleshoot HTTP Connections (http://support.microsoft.com/kb/284285/ )

The CertCheckMode IIS metabase property enables or disables Certificate Revocation List (CRL) checking. When CertCheckMode is set to a value greater than 0, IIS does not check the CRL for revoked certificates. When CertCheckMode is equal to 0, IIS checks the CRL for revoked certificates. For more information, see the "CertCheckMode" topic in the IIS online help.