Article ID: 313071 - View products that this article applies to.
This step-by-step article describes how to create and configure Certificate Trust Lists (CTLs) by using the Certificate Trust List Wizard in Internet Information Services (IIS) version 5.0.
A CTL is a list of trusted certification authorities (CAs) for a particular Web site. You can use CTLs to configure your Web server to accept certificates from a specific list of CAs, and automatically verify client certificates against this list. Only users with a client authentication certificate that is issued by a CA in the CTL can gain access to the server.
Each Web site on your server can be configured to accept certificates from a different CTL. You may want to do this if you need a different list of trusted CAs for each Web site.
For example, an intranet administrator can create a CTL that is specific to each department's Web site on the company network. Only certificates that are from CAs on a particular department's CTL are accepted by IIS. When members of a particular department log on with a client certificate from a CA on that department's CTL, they are automatically authenticated.
Use the Certificate Trust List Wizard in IIS to create new CTLs and modify existing CTLs.
Create a new certificate trust listTo create a new CTL:
Modify an existing certificate trust listTo modify an existing CTL:
TroubleshootingWhen you attempt to create a CTL, the Edit button under Secure communications in the Directory Security tab of the Web site's Properties may be unavailable. This behavior can occur if a server certificate is not installed on the Web server. You cannot use the secure communications features of IIS until a valid server certificate is installed. To resolve this behavior, obtain and install a server certificate.
For more information about how to obtain and install a server certificate, see the "Certificates" section in the IIS 5.0 online documentation. To view the documentation, start Microsoft Internet Explorer, type http://localhost/iisHelp/">http://localhost/iisHelp/ in the Address bar, and then press ENTER. For more information about troubleshooting Certificate Trust List issues in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/285069/ )How do I fix the blank certificate list displayed when I browse to an IIS 5.0 Web site?
(http://support.microsoft.com/kb/279635/ )The Client Trust List (CTL) on the destination node does not work after metabase replication
For more information about working with certificates and how to configure Secure Sockets Layer (SSL) in IIS 5.0, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/298805/ )How to enable SSL for all customers who interact with your Web site in Internet Information Services
(http://support.microsoft.com/kb/290625/ )How to configure SSL in a Windows 2000 Internet Information Services 5 test environment by using Certificate Server 2.0
(http://support.microsoft.com/kb/231881/ )How to install/uninstall a Public Key Certificate Authority for Windows 2000
(http://support.microsoft.com/kb/248107/ )Creating server certificates using Certificate Services Web forms
(http://support.microsoft.com/kb/228984/ )Using Certificate Server 2.0 to generate a server certificate for use with IIS 5.0
Article ID: 313071 - Last Review: May 27, 2014 - Revision: 4.0
Retired KB Content Disclaimer
This article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated.
Contact us for more help