Certificate Trust List
on 20.02.2007 20:41:28 by Steve Cook

I posted this in the IIS general discussion group but got no responses. I've
now seen this issue on three IIS systems and figure it might be worth
posting to the security group.
In W2K3 SP1 running IIS6 the list of trusted root certificate authorities
has grown too long...
EventID 36885 is registered when a user presents a client certificate.
Steps to reproduce:
1. Build a new stand-alone W2K3 SP1 server running IIS6.
2. Configure a web site to require client certificates.
3. Add a certificate authority to the list of trusted root certificate
authorities in the machine store.
4. Add the CA from step 3 as the only CA in a new certificate trust list for
the web site from step 2.
5. Patch the server from Windows Update including refreshing trusted root
certificates.
6. Install a client certificate issued by the CA from step 4 to IE6.
7. Attempt to connect to the web site from step 2.
Expected Results:
Client can connect.
Actual Results:
The client is unable to connect. No trusted client certificates can be
located. On the server the following event is recorded in the System Log:
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: 2/1/2007
Time: 11:21:01 AM
User: N/A
Computer: xxxxxxxxxxxx
Description:
When asking for client authentication, this server sends a list of trusted
certificate authorities to the client. The client uses this list to choose a
client certificate that is trusted by the server. Currently, this server
trusts so many certificate authorities that the list has grown too long.
This list has thus been truncated. The administrator of this machine should
review the certificate authorities trusted for client authentication and
remove those that do not really need to be trusted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Steps taken to correct the failure:
No additional help is found if you follow the link. I culled the list of
trusted root certificate authorities in the machine store and this seems to
have corrected the problem.
Concerns:
1. My CTL included only the single CA that I added to the trusted root
store. From the CTL it seems that only one trusted root server should have
been presented to the browser for certificate selection. Regardless of the
number of CAs in the store, the one in the CTL should be the only relevant
CA to return. Once a CTL is implemented only client certificates traceable
to CAs in the CTL should be valid or accepted.
2. Adding a single CA to the machine's trusted root store caused the list
to grow too long and resulted in connection failures. Will the culled CAs
be returned to the list when the next root certificate update is performed
using Windows Update?
3. Is the number of CAs in the root certificate update through Windows
Update now essentially so large that soon a base patched build will fail to
function correctly out of the box?
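An added example, not part of the original post, for auditing the condition behind event 36885: it measures how large the issuer list sent in the TLS CertificateRequest would be if every root in the machine store were included, and lists the roots with the largest DNs as review candidates. It assumes the 2^16-1 byte bound that the TLS 1.x certificate_authorities field has by definition (RFC 5246); the post does not state Schannel's own truncation threshold, so the limit is a parameter.

```powershell
# Added example (not from the original post). Estimates the encoded size of
# the trusted-issuer list Schannel would send in a TLS CertificateRequest.
# Each entry is the DER-encoded subject DN plus a 2-byte length prefix; the
# whole list is bounded to 2^16-1 bytes by the TLS 1.x message format.
# Schannel's real truncation point is assumed equal to that bound here.
function Get-TrustedIssuerListReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]
        $Roots = (Get-ChildItem Cert:\LocalMachine\Root),
        [int]$LimitBytes = 65535   # assumed threshold; lower it if a smaller cap applies
    )
    $entries = foreach ($c in $Roots) {
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.NotAfter
            # DER length of the subject Name plus the 2-byte TLS length prefix
            EntryBytes = $c.SubjectName.RawData.Length + 2
        }
    }
    $total = [int](($entries | Measure-Object -Property EntryBytes -Sum).Sum)
    [pscustomobject]@{
        RootCount  = @($entries).Count
        ListBytes  = $total
        OverLimit  = ($total -gt $LimitBytes)
        # Largest DNs first: removing these shrinks the list fastest
        LargestDNs = $entries | Sort-Object EntryBytes -Descending | Select-Object -First 10
        # Expired roots are usually safe candidates to remove from client-auth trust
        Expired    = @($entries | Where-Object { $_.NotAfter -lt (Get-Date) })
    }
}

$report = Get-TrustedIssuerListReport
"{0} roots, {1} bytes of issuer list, over limit: {2}" -f `
    $report.RootCount, $report.ListBytes, $report.OverLimit
$report.LargestDNs | Format-Table EntryBytes, Subject -AutoSize
```

Run it before and after culling the Root store to confirm the list drops below the threshold rather than relying on the event log alone.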