Sometimes we need to disable the TLS client certificate revocation check that HTTP.sys performs, for example in a closed environment with no network access to the CRL distribution point named in the client certificates. Be aware of the trade-off: while the check is off, a revoked client certificate will still authenticate until it expires, so treat this as a deliberate, documented exception and consider the "cached revocation only" mode if a CRL can be staged locally.
First, to see the current status of the SSL bindings, use the netsh tool:
netsh http show sslcert
In the output, look at this entry for the binding in question:
Verify Client Certificate Revocation : Enabled
To disable it, open regedit and go to:
HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo
Each binding has a subkey named after its IP address and port (for example 0.0.0.0:443). Inside it, set the DWORD value
DefaultSslCertCheckMode
to one of the following values. The same value name placed directly under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters sets the default for every binding that has no override of its own:
- 0 - Enable revocation check (the default).
- 1 - Do not check for revocation.
- 2 - Use only cached certificate revocation information.
- 4 - Honour the DefaultRevocationFreshnessTime setting.
- 0x10000 - Do not perform the certificate usage (EKU) check.
The values are bit flags, so 0x10000 can be combined with one of the lower values. HTTP.sys reads these keys when it starts, so a registry edit only takes effect after the HTTP service is restarted (net stop http followed by net start http, which also stops everything that depends on it, such as IIS). The supported alternative that avoids touching the registry is to re-create the binding with netsh http add sslcert ... verifyclientcertrevocation=disable; run netsh http show sslcert again afterwards and confirm that the entry now reads Disabled.
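The whole procedure as an added PowerShell example (not code from the original post): it decodes the DefaultSslCertCheckMode flags for the global default and every binding, disables the check for one binding through netsh, and changes the global default through the registry with the required service restart. It assumes the registry paths and value name given above, per-binding subkeys named "ip:port", and English-language netsh output (the "Certificate Hash" and "Application ID" labels it parses are localisable). Run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell.
# Assumptions: registry paths and value names as given in the post; per-binding
# subkeys under SslBindingInfo are named "<ip>:<port>"; netsh output is in English.

$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$bindKey  = Join-Path $paramKey 'SslBindingInfo'

# Translate a DefaultSslCertCheckMode value (bit flags) into readable text.
function ConvertFrom-CertCheckMode {
    param([int]$Mode)
    if ($Mode -eq 0) { return 'revocation check enabled (default)' }
    $parts = @()
    if ($Mode -band 0x1)     { $parts += 'revocation check disabled' }
    if ($Mode -band 0x2)     { $parts += 'cached revocation data only' }
    if ($Mode -band 0x4)     { $parts += 'DefaultRevocationFreshnessTime honoured' }
    if ($Mode -band 0x10000) { $parts += 'no certificate usage check' }
    if ($parts.Count -eq 0)  { $parts += ('unknown flags 0x{0:X}' -f $Mode) }
    return ($parts -join ', ')
}

# Report the global default and each binding's own setting.
function Get-HttpSysCertCheckMode {
    $global = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).DefaultSslCertCheckMode
    if ($null -eq $global) { $global = 0 }   # absent value means the default (0)
    [pscustomobject]@{ Binding = '(global default)'; Mode = $global; Meaning = ConvertFrom-CertCheckMode $global }

    Get-ChildItem -Path $bindKey -ErrorAction SilentlyContinue | ForEach-Object {
        $mode = (Get-ItemProperty -Path $_.PSPath).DefaultSslCertCheckMode
        if ($null -eq $mode) { $mode = $global }  # no override: inherits the global default
        [pscustomobject]@{ Binding = $_.PSChildName; Mode = $mode; Meaning = ConvertFrom-CertCheckMode $mode }
    }
}

# Supported route for one binding: re-create it with the revocation check turned off.
# This deletes and re-adds the binding, so it is briefly unavailable; use a maintenance window.
function Disable-HttpSysClientCertRevocation {
    param([Parameter(Mandatory)][string]$IpPort)   # e.g. '0.0.0.0:443'
    $show  = netsh http show sslcert ipport=$IpPort
    $hashM = $show | Select-String 'Certificate Hash\s*:\s*(\S+)'
    $appM  = $show | Select-String 'Application ID\s*:\s*(\S+)'
    if (-not $hashM -or -not $appM) { throw "No SSL binding found for $IpPort" }
    $hash  = $hashM.Matches[0].Groups[1].Value
    $appid = $appM.Matches[0].Groups[1].Value
    netsh http delete sslcert ipport=$IpPort | Out-Null
    netsh http add sslcert ipport=$IpPort certhash=$hash appid=$appid verifyclientcertrevocation=disable
}

# Registry route for the global default (1 = do not check). HTTP.sys reads the key at
# start-up, so the HTTP service must be restarted; -Force also restarts its dependents
# (IIS, WinRM, ...), which is why this is the more disruptive option.
function Set-HttpSysGlobalCertCheckMode {
    param([int]$Mode = 1)
    Set-ItemProperty -Path $paramKey -Name DefaultSslCertCheckMode -Value $Mode -Type DWord
    Restart-Service -Name http -Force
}

# Usage: inspect first, change one binding, then verify with netsh http show sslcert.
Get-HttpSysCertCheckMode | Format-Table -AutoSize
# Disable-HttpSysClientCertRevocation -IpPort '0.0.0.0:443'
# Set-HttpSysGlobalCertCheckMode -Mode 2   # prefer cached-only over fully off where a CRL can be staged
```

The per-binding netsh route is preferable to the registry edit because it is the documented interface and the change is visible immediately in netsh http show sslcert; the global registry value is a blunt instrument that also affects bindings you did not intend to touch.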