How to configure certificate trust lists in Internet Information Services 5.0

Article translations Article translations
Article ID: 313071 - View products that this article applies to.
Expand all | Collapse all

On This Page

Summary

This step-by-step article describes how to create and configure Certificate Trust Lists (CTLs) by using the Certificate Trust List Wizard in Internet Information Services (IIS) version 5.0.

A CTL is a list of trusted certification authorities (CAs) for a particular Web site. You can use CTLs to configure your Web server to accept certificates from a specific list of CAs, and automatically verify client certificates against this list. Only users with a client authentication certificate that is issued by a CA in the CTL can gain access to the server.

Each Web site on your server can be configured to accept certificates from a different CTL. You may want to do this if you need a different list of trusted CAs for each Web site.

For example, an intranet administrator can create a CTL that is specific to each department's Web site on the company network. Only certificates that are from CAs on a particular department's CTL are accepted by IIS. When members of a particular department log on with a client certificate from a CA on that department's CTL, they are automatically authenticated.

Use the Certificate Trust List Wizard in IIS to create new CTLs and modify existing CTLs.

Notes
  • By default, the most commonly used CA root certificates are already installed by IIS.
  • You can create and manage CTLs at the Web site level only. CTLs do not apply to virtual directories or files.
  • CTLs are not available on FTP sites.
  • The certificate that is added to the CTL needs to be from a Root CA. Trusted certificates from an Intermediate CA will fail. This is for security reasons and is by design.

Create a new certificate trust list

To create a new CTL:
  1. Log on to your Windows 2000-based computer as administrator.
  2. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
  3. In the Internet Information Services window, click the plus sign (+) next to * server name to expand the group.
  4. Right-click the Web site for which you want to create a CTL (for example, Default Web Site), and then click Properties.
  5. Click the Directory Security tab, and then click Edit under Secure communications.
  6. Click to select the Enable certificate trust list check box, and then click New. The Certificate Trust List Wizard starts.
  7. Click Next.
  8. To add a certificate to the CTL, click Add from Store or Add from File, click (or locate) the certificate that you want to add, and then click OK (or Open). The certificate is added to the Current CTL certificates list.
  9. Repeat step 8 to add the certificates that you want to the CTL, and then click Next.
  10. Type a name and description for the CTL in the appropriate boxes, and then click Next.
  11. Click Finish, and then click OK on the The Certificate Trust List wizard succeeded message that appears. The CTL that you created is displayed in the Current CTL box.
  12. Click OK twice and then quit Internet Services Manager, or close the IIS snap-in.

Modify an existing certificate trust list

To modify an existing CTL:
  1. Log on to your Windows 2000-based computer as administrator.

  2. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
  3. In the Internet Information Services window, click the plus sign (+) next to * server name to expand the group.
  4. Right-click the Web site for the CTL that you want to modify (for example, Default Web Site), and then click Properties.
  5. Click the Directory Security tab, and then click Edit under Secure communications.
  6. In the Current CTL box, click the CTL that you want to modify, and then click Edit. The Certificate Trust List Wizard starts.
  7. Click Next.
  8. Do any of the following:
    • To add a certificate to the CTL, click Add from Store or Add from File, then click (or locate) the certificate that you want to add, and then click OK (or Open).
    • To remove a certificate from the CTL, click the certificate that you want to remove in the Current CTL certificates box, and then click Remove.
    • To view a certificate, click the certificate that you want to view in the Current CTL certificates box, and then click View Certificate.
  9. Click Next. Make the changes that you want (if any) to the name and description of the CTL, and then click Next.
  10. Click Finish, and then click OK on the The Certificate Trust List wizard succeeded message that appears.
  11. Click OK twice and then quit Internet Services Manager, or close the IIS snap-in.

Troubleshooting

When you attempt to create a CTL, the Edit button under Secure communications in the Directory Security tab of the Web site's Properties may be unavailable. This behavior can occur if a server certificate is not installed on the Web server. You cannot use the secure communications features of IIS until a valid server certificate is installed. To resolve this behavior, obtain and install a server certificate.

For more information about how to obtain and install a server certificate, see the "Certificates" section in the IIS 5.0 online documentation. To view the documentation, start Microsoft Internet Explorer, type http://localhost/iisHelp/">http://localhost/iisHelp/ in the Address bar, and then press ENTER. For more information about troubleshooting Certificate Trust List issues in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
285069 How do I fix the blank certificate list displayed when I browse to an IIS 5.0 Web site?
279635 The Client Trust List (CTL) on the destination node does not work after metabase replication

References

For more information about working with certificates and how to configure Secure Sockets Layer (SSL) in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
298805 How to enable SSL for all customers who interact with your Web site in Internet Information Services
290625 How to configure SSL in a Windows 2000 Internet Information Services 5 test environment by using Certificate Server 2.0
231881 How to install/uninstall a Public Key Certificate Authority for Windows 2000
248107 Creating server certificates using Certificate Services Web forms
228984 Using Certificate Server 2.0 to generate a server certificate for use with IIS 5.0

Properties

Article ID: 313071 - Last Review: May 27, 2014 - Revision: 4.0
Applies to
  • Microsoft Internet Information Services 5.0
Keywords: 
kbhowtomaster kbnetwork KB313071
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com