How to create a Certificate Trust List (CTL) with MakeCTL.exe
and use Netsh to edit the SSL bindings to use the CTL
by Chris Haun. Last revision: Sept. 29th, 2011.
The following steps assume the following:
· These steps should work for Windows 2008 (IIS 7.0) at any patch level. However, they will only work for Windows 2008 R2 (IIS 7.5) if it has Service Pack 1 or at least fix http://support.microsoft.com/kb/981506 ("SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7).
· The website in focus already has an SSL certificate bound to it
· The following steps also assume that the CA certificate from the CA has already been added to the Trusted Root Certification Authorities store of the local computer on the web server
· MakeCTL.exe has been copied to the web server. IIS 6.0 had a built-in wizard that made it easy to make a CTL. Although IIS 7 and 7.5 may possibly have a Make-CTL feature in the future, as of February 2010 they do not. So where to get it these days? Ideally you should get it from an installation of Visual Studio or the 2003 SDK. That’s the preferred way. But since I know some of you who need MakeCTL.exe have somewhat painful download speeds, I’ve made MakeCTL.exe available for download by itself from here.
Right-click on MakeCtl.exe from the Windows 2008 web server’s desktop and run it as an administrator

Click Next on the “Welcome to the Certificate Trust List Wizard”

In the Certificate Trust List Purpose screen, provide a Prefix for this CTL. This will also later serve as the friendly name of the CTL. I’d recommend making this prefix simple and short. You might save yourself from a headache by not getting fancy with capitalization or special characters. In my example here I’m just using TestingCTLs.
When designating purposes, you don’t need to place checkmarks by any of the options available by default. Instead select the “Add Purpose” button.

In the User Defined Purpose box, add the following in the Object ID field and click OK: 1.3.6.1.4.1.311.10.1

Make sure there are no spaces before or after the numbers in the OID.
After confirming that 1.3.6.1.4.1.311.10.1 has been added to the list of purposes and has a checkmark beside it, click Next.

Note: The object ID 1.3.6.1.4.1.311.10.1 is for “Certificate Trust List” (szOID_CTL), according to kb 287547. (Or, as it shows up in the certificates snap-in later, “Certifcate Trust List.”) However, it is interesting that the CTL wizard that was built into IIS 6.0 created its CTLs with two other designated purposes (“Client Authentication” and “1.3.6.1.4.1.311.30.1” [szOID_IIS_VIRTUAL_SERVER]) and did not designate 1.3.6.1.4.1.311.10.1 at all. I suppose it might be fine to add all three purposes if you like. But if you’re struggling with the 1312 error later (described below), perhaps just try the 1.3.6.1.4.1.311.10.1 purpose alone.
Select the “Add from Store” button on the Certificates in the CTL window.

In the Select Certificate window, select the certificate of the Trusted Root CA that the CTL needs to focus on.

In the Certificate Trust List Storage window, select certificate store and click the Browse button.

Add a checkmark beside “Show physical stores” . . .

Scroll up and drill down into the Intermediate Certification Authorities store and then into the Local Computer folder.

In the Name and Description window, the prefix name you selected earlier will be prepopulated as the Friendly Name.
Remember exactly what you have here because you’ll be typing it out in a case sensitive command window in one of the later steps.

Click Next on the Name and Description window.

Review your information one last time and click Finish.

After running MakeCTL.exe successfully in this way on the server, a new folder named “Certificate Trust List” should appear in the local certificates store. If you ran MakeCTL.exe but do not see this folder and your CTL inside of it, you may have run MakeCTL.exe without elevated privileges.

Note how the intended purposes show up as “Certificate Trust List”
Launch an elevated command prompt.
Instead of using adsutil.vbs to alter the SSL bindings to include the CTL, we’re going to use Netsh.
First command:
netsh http show sslcert
This will show what your current SSL bindings are. You should be able to recognize which IP and port combination you need to focus on. In this example, the site I want to use the CTL with is represented as follows:
IP:port : 0.0.0.0:4444
Certificate Hash : 15e3063e10e3d50127d323d8b6827ddd7ae33936
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Note especially how Ctl Identifier and Ctl Store Name are both null. That’s what we want to change to begin using the CTL.
But to change it we have to delete this binding and add it again.
Second command:
netsh http delete sslcert ipport=0.0.0.0:4444
We expect the confirmation message of “SSL Certificate successfully deleted” at this point. If you got a response of “SSL Certificate deletion failed, Error: 5 The requested operation requires elevation” then you forgot to open an elevated command prompt.
Third command:
netsh http add sslcert ipport=0.0.0.0:4444 certhash=15e3063e10e3d50127d323d8b6827ddd7ae33936 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=TestingCTLs sslctlstorename=CA
Of course your ipport, certhash, appid, and sslctlidentifier will use values different than those in my example here. Use what you saw in the results of the “netsh http show sslcert” command to figure out what your ipport, certhash, and appid are. Your sslctlidentifier value is going to be whatever the friendly name is on your CTL. Remember that the friendly name must be spelled perfectly and with case sensitivity. Sslctlstorename simply needs to be CA.
If this command is successful, we expect the confirmation message to report, “SSL Certificate successfully added.”
If you receive the error “SSL Certificate add failed, Error: 5 The requested operation requires elevation” then you forgot to run the command from an elevated command prompt.
If you receive the error “SSL Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated” the crypto API is complaining that it cannot find the CTL that you told it to add to the ssl binding. Please check your spelling on everything and make sure you are typing the friendly name of your CTL correctly and have been sensitive to case for all letters. Are you absolutely sure the CTL is in the right store? Did you construct the CTL with the right intended purpose?
When it’s good, it should look something like this:
netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:4444
Certificate Hash : 15e3063e10e3d50127d323d8b6827ddd7ae33936
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : TestingCTLs
Ctl Store Name : CA
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
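The three netsh commands above, wrapped into one PowerShell script as an added example (this is not code from the original post). It reads the existing binding, reuses the certhash and appid it finds there rather than having you retype them, swaps the binding for one that carries the CTL, and rolls the original binding back if the add step fails (for instance with the 1312 error), so the site is not left without an SSL binding. The script assumes an elevated PowerShell prompt on the web server, netsh.exe on the PATH, and that the CTL friendly name (the post’s “TestingCTLs”) already exists in the local computer’s CA store. The certstorename parameter is a real netsh option that the post’s own command omits, which is why the post’s final output shows the store name as (null); the script passes it through when the original binding had one.

```powershell
# Added example, not from the original post: re-create an HTTP.SYS SSL binding
# so that it uses a Certificate Trust List, using the same netsh commands the
# post walks through. Assumes an elevated prompt and an existing CTL in the
# local computer's CA store whose friendly name matches $CtlIdentifier exactly.
param(
    [string]$IpPort        = '0.0.0.0:4444',   # binding from "netsh http show sslcert"
    [string]$CtlIdentifier = 'TestingCTLs',    # CTL friendly name, case-sensitive
    [string]$CtlStoreName  = 'CA'
)

# netsh fails with "Error: 5 The requested operation requires elevation"
# when not elevated, so check up front instead of finding out after the delete.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Parse the "Name : Value" lines that "netsh http show sslcert" prints for one
# binding into a hashtable. The key "IP:port" itself contains a colon, so split
# only on a colon that is surrounded by whitespace (netsh pads the columns).
function Get-SslBinding([string]$ipPort) {
    $lines   = & netsh http show sslcert ipport=$ipPort
    $binding = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(.+?)\s+:\s+(.*?)\s*$') {
            $binding[$matches[1]] = $matches[2]
        }
    }
    if (-not $binding.ContainsKey('Certificate Hash')) {
        throw "No SSL binding found for $ipPort."
    }
    return $binding
}

# Run a netsh add/delete and return its text; the post's success messages both
# contain "successfully", so anything else is treated as a failure.
function Invoke-Netsh([string[]]$netshArgs) {
    $out = (& netsh @netshArgs) -join ' '
    if ($out -notmatch 'successfully') { throw "netsh $($netshArgs -join ' ') failed: $out" }
    return $out
}

$before = Get-SslBinding $IpPort
if ($before['Ctl Identifier'] -cne '(null)') {
    Write-Host "Binding $IpPort already uses CTL '$($before['Ctl Identifier'])'; nothing to do."
    return
}

# The base arguments for re-adding the binding, taken from the current one so
# the certificate hash and application id cannot be mistyped.
$baseArgs = @('http', 'add', 'sslcert', "ipport=$IpPort",
              "certhash=$($before['Certificate Hash'])",
              "appid=$($before['Application ID'])")
if ($before['Certificate Store Name'] -cne '(null)') {
    $baseArgs += "certstorename=$($before['Certificate Store Name'])"
}

# Second command from the post: the binding has to be deleted before it can be changed.
Invoke-Netsh @('http', 'delete', 'sslcert', "ipport=$IpPort") | Out-Null

# Third command from the post: add it back with the CTL fields set.
try {
    Invoke-Netsh ($baseArgs + @("sslctlidentifier=$CtlIdentifier",
                                "sslctlstorename=$CtlStoreName")) | Out-Null
} catch {
    # Error 1312 here means HTTP.SYS could not find the CTL under that name and
    # store. Restore the original binding so the site does not stay down while
    # you check the friendly name, its case, the store, and the CTL's purpose.
    Write-Warning $_.Exception.Message
    Invoke-Netsh $baseArgs | Out-Null
    throw "CTL binding failed; the original binding for $IpPort was restored."
}

# Verify the result the way the post does, comparing case-sensitively.
$after = Get-SslBinding $IpPort
if ($after['Ctl Identifier'] -ceq $CtlIdentifier -and $after['Ctl Store Name'] -ceq $CtlStoreName) {
    Write-Host "Binding $IpPort now uses CTL '$CtlIdentifier' from store $CtlStoreName."
} else {
    Write-Warning "Binding re-added, but CTL fields read '$($after['Ctl Identifier'])' / '$($after['Ctl Store Name'])'."
}
```

Run it as `.\Set-CtlBinding.ps1 -IpPort 0.0.0.0:4444 -CtlIdentifier TestingCTLs` (the file name is whatever you save it as). Because delete and add are two separate operations, there is a window in which the binding does not exist; the rollback in the catch block is what keeps a typo in the CTL name from turning into an outage.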
Additional References:
http://msdn.microsoft.com/en-us/library/aa388175(VS.85).aspx
Using the MakeCTL Wizard
There Is No Wizard for Manipulating Certificate Trust Lists
Additional keywords:
adsutil.vbs set w3svc/1/SslCtlIdentifier <Name of CTL>
adsutil.vbs set w3svc/1/SslCtlStoreName CA
313071 How to configure certificate trust lists in Internet Information Services 5.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;313071
981506 "SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;981506