Modify UAG 2010 CTL?


  • What is the proper way to modify the UAG Certificate Trust List to use additional root CA certificates for client certificate authentication? In ISA, the CTL could be modified in the Listener configuration. Is this done in the UAG, TMG, or in IIS7?
    Tuesday, February 16, 2010 3:07 PM

All replies

  • OK, I have successfully tested disabling Certificate Trust List checking for an IAG trunk for testing purposes. Here is how I did it:

    The CTL lookup is being handled by the IIS7 trunk site. I have confirmed that making this IIS7 change does not get overwritten when you push a UAG Activation to implement a change. So the change made will only get lost if the trunk is removed and recreated in UAG.

    1. Open a command window using elevated admin permissions.

    2. Perform this command to enumerate all existing SSL sites:
        Command: netsh http show sslcert

    3. Save the information related to your trunk IP for future use.
        IP:port                 :
        Certificate Hash        : 4c4e128c8f2d514f526319fe03bf0d7279d70898
        Application ID          : {4dc3e181-e14b-4a21-b022-59fc669b0914}
        Certificate Store Name  : MY
        Verify Client Certificate Revocation    : Enabled
        Verify Revocation Using Cached Client Certificate Only    : Disabled
        Usage Check    : Enabled
        Revocation Freshness Time : 0
        URL Retrieval Timeout   : 0
        Ctl Identifier          : (null)
        Ctl Store Name          : (null)
        DS Mapper Usage    : Disabled
        Negotiate Client Certificate    : Disabled

    4. Delete the certificate binding on the trunk site. I found that you cannot make a change to the Verify Client Certificate Revocation parameter. You must remove the cert and re-bind it with the parameter change you want.
       Command: netsh http remove sslcert ipport=

    5. Re-bind the SSL Certificate to the trunk site and add in the CTL parameter to disable it. Add in the certhash and appid values captured in step 2.
       Command: netsh http add sslcert ipport= certhash=4c4e128c8f2d514f526319fe03bf0d7279d70898 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} verifyclientcertrevocation=disable

    6. Repeat step 3 to enumerate the SSL sites and validate that the "Verify Client Certificate Revocation" shows disabled.

    7. Perform an IISReset. I also tested a UAG activation and rebooted the UAG server. The CTL reconfiguration stayed put.

    If anyone has a better way, please post it. This worked for me.


    Friday, February 19, 2010 4:40 PM
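As an added example (not code from either post), here is a PowerShell audit that parses the `netsh http show sslcert` output from step 2 above into objects and flags every binding where client certificate revocation checking is not enabled or no CTL is bound, so a change like the one described for testing does not silently survive in production. It assumes an elevated session on the UAG server with `netsh` on the PATH; the function names are my own.

```powershell
# Added audit script, not from the thread. Parses "netsh http show sslcert"
# and reports bindings whose client-cert checks are weaker than expected.
# Assumes an elevated PowerShell session on the UAG/TMG host.
function Get-SslCertBinding {
    param([string[]]$Lines = (& netsh http show sslcert))
    $bindings = @()
    $current = $null
    foreach ($line in $Lines) {
        # "IP:port" contains a colon itself, so match it before the generic rule.
        if ($line -match '^\s*IP:port\s*:\s*(.*)$') {
            if ($current) { $bindings += $current }
            $current = New-Object PSObject -Property @{ IpPort = $Matches[1].Trim() }
            continue
        }
        # Generic "Name : value" line; collapse the name to a property name,
        # e.g. "Verify Client Certificate Revocation" -> VerifyClientCertificateRevocation
        if ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $name = $Matches[1] -replace '\s+', ''
            $current | Add-Member -MemberType NoteProperty -Name $name -Value $Matches[2].Trim()
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-SslCertBinding {
    param([Parameter(ValueFromPipeline=$true)]$Binding)
    process {
        $issues = @()
        if ($Binding.VerifyClientCertificateRevocation -ne 'Enabled') {
            $issues += 'client certificate revocation checking is not enabled'
        }
        if ($Binding.CtlIdentifier -eq '(null)') {
            $issues += 'no CTL bound; acceptable issuers come from the machine Trusted Root store'
        }
        New-Object PSObject -Property @{
            IpPort          = $Binding.IpPort
            CertificateHash = $Binding.CertificateHash
            Issues          = ($issues -join '; ')
        }
    }
}

# Report one row per binding; an empty Issues column means both checks passed.
Get-SslCertBinding | Test-SslCertBinding | Format-Table IpPort, CertificateHash, Issues -AutoSize
```

Run it again after step 7 (and after any UAG activation) to confirm whether the binding still carries the test-only setting.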