IIS 6.0: Computer must trust all certification authorities trusted by individual sites
Article ID: 332077
This article was previously published under Q332077
If you have a Web site on Internet Information Services (IIS) 5.0 that requires client certificates, when you upgrade the server to Microsoft Windows Server 2003 with IIS 6.0, clients that connect to the site may receive one of the following error messages even if the client certificates are not controlled by a certificate trust list (CTL):
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
HTTP 403.16 Forbidden: Client certificate is ill-formed or is not trusted by the web server.
When the client accesses the Web site, the client may not receive the Client Authentication dialog box in the browser (the Client Authentication dialog box permits you to select the client certificate that you want to use to access the site). If the client receives the Client Authentication dialog box, the certificate list in the Client Authentication dialog box may not list the client certificate.
HTTP Error 403.7: Forbidden: SSL client certificate is required.
This may occur if the client certificate was created by a certification authority that the IIS computer does not trust.
In IIS 5.0, you can specify a CTL that contains certification authorities whose root certification authority certificates are installed in the personal certificate store of the local computer. However, in IIS 6.0, the root certification authority certificates must be installed in the local computer Trusted Root Certification Authorities certificate store. With this change, IIS 6.0 verifies certificates based on the rules that are specified in the crypto API. The crypto API rejects certificates if the root certification authority certificates are not installed in the local computer Trusted Root Certification Authorities certificate store.
To resolve the error and display the certificate in the browser, you must install the root certification authority certificate in the local computer Trusted Root Certification Authorities certificate store.
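The following script is an added example, not part of the original article. It audits an upgraded server for the condition described above. It assumes PowerShell 2.0 or later in an elevated session on the IIS computer; the `-Install` switch name and the subject-equals-issuer test for spotting root certificates are choices made for this example.

```powershell
# Added example: find root CA certificates left in LocalMachine\My (where an
# IIS 5.0 CTL could reference them) that are missing from LocalMachine\Root
# (where IIS 6.0 requires them). Report only, unless -Install is given.
param([switch]$Install)   # hypothetical switch name for this example

$ns      = 'System.Security.Cryptography.X509Certificates'
$machine = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$flags   = [System.Security.Cryptography.X509Certificates.OpenFlags]

$my   = New-Object "$ns.X509Store" -ArgumentList 'My',   $machine
$root = New-Object "$ns.X509Store" -ArgumentList 'Root', $machine

$my.Open($flags::ReadOnly)
if ($Install) { $root.Open($flags::ReadWrite) } else { $root.Open($flags::ReadOnly) }

try {
    # Thumbprints the computer already trusts as roots.
    $trusted = @($root.Certificates | ForEach-Object { $_.Thumbprint })

    # Heuristic: a root certificate is self-signed (subject equals issuer).
    # Self-signed server certificates also match, so review before -Install.
    $candidates = @($my.Certificates | Where-Object {
        $_.Subject -eq $_.Issuer -and $trusted -notcontains $_.Thumbprint
    })

    foreach ($cert in $candidates) {
        Write-Output ("Not in Trusted Root store: {0} [{1}]" -f $cert.Subject, $cert.Thumbprint)
        if ($Install) {
            # Copy only the public certificate; any private key stays in My.
            # Trust granted here is computer-wide, not limited to one site.
            $public = New-Object "$ns.X509Certificate2" -ArgumentList (,$cert.RawData)
            $root.Add($public)
            Write-Output ("  Added to LocalMachine\Root: {0}" -f $cert.Thumbprint)
        }
    }

    if ($candidates.Count -eq 0) {
        Write-Output 'Every self-signed certificate in LocalMachine\My is already in LocalMachine\Root.'
    }
}
finally {
    $my.Close()
    $root.Close()
}
```

Run it without arguments first and compare each reported thumbprint against the certification authority that issued the client certificates before rerunning with `-Install`.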
More information about CTLs is available in the product documentation. To view this documentation, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/windowsserver/default.aspx
You can also access the product documentation through IIS Manager. For more information about how to access this Help feature, click the following article number to view the article in the Microsoft Knowledge Base:
815127 (http://support.microsoft.com/kb/815127/) How to access IIS 6.0 Help documentation