Confirm whether the trusted root CA is part of the CTL. The reason is that if your certificate's CA is not in the CTL, even though it is present in the trusted root CA store on the server machine, you may still see the error.

A CTL is a list of trusted certification authorities (CAs) that can be used for client authentication for a particular Web site. You can use CTLs to configure your Web server to accept certificates from a specific list of CAs, and automatically verify client certificates against this list. Only users with a client certificate that is issued by a CA in the CTL can gain access to the server.

Each Web site on your server can be configured to accept certificates from a different CTL. You may want to do this if you need a different list of trusted CAs for each Web site.

If a CTL is present, this is the list that is actually used to check for CAs that can issue a client certificate to a user. If it is disabled, the root CA store is used instead.

Also make sure that the certificate is a valid client certificate.

Also, using Certutil -verify -urlfetch should show:

Check the certificate for "Ensures the identity of a remote computer" and that Enhanced Key Usage says Client Authentication. Make sure it is intended for user authentication.

You may also see 403.7 due to an update to the trusted Root CA list. This creates a list that is too large based on the size limit we enforce, the result being truncation of the list when it is sent to the client during the client certificate handshake. The limit is based on data size, not CA count, so there is no way to say this happens at a certain count of trusted CAs.

To resolve this we need to delete some of the expired and unused/unknown trusted root certificates from the Trusted Root Certification Authorities list until it is working again.

The problem can also be identified when the following entry is logged on the Web server.

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really

931125 Microsoft root certificate program members (January 2007)
Trusted root certificates that are required by Windows Server 2003, by Windows XP,

The error you may see in the browser will be as shown below:

HTTP 403.13 Forbidden: Client certificate revoked
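For the 403.7 truncation case described above, the following read-only PowerShell inventory is an added example, not part of the original page: it lists expired roots in the Trusted Root Certification Authorities store and estimates how many bytes the store contributes to the trusted CA list sent during the handshake. The function name Get-RootStoreReport and the size estimate (each root's DER-encoded subject name plus the 2-byte length prefix TLS puts in front of each name) are assumptions of this example; the page states no byte limit, so none is assumed here.

```powershell
# Added example: read-only review of the machine's trusted root store.
# Nothing is deleted; the output is a list for an administrator to review.
function Get-RootStoreReport {
    param(
        # Store to inspect; the machine-wide trusted root store by default.
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        # Reference time for the expiry check.
        [datetime]$Now = (Get-Date)
    )

    $roots = @(Get-ChildItem -Path $StorePath)

    $rows = foreach ($cert in $roots) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt $Now)
            # Assumption: one list entry = DER subject name + 2-byte length prefix.
            NameBytes  = $cert.SubjectName.RawData.Length + 2
        }
    }

    $expired = @($rows | Where-Object { $_.Expired })

    [pscustomobject]@{
        RootCount          = $roots.Count
        ExpiredCount       = $expired.Count
        EstimatedListBytes = ($rows | Measure-Object -Property NameBytes -Sum).Sum
        ExpiredBytes       = ($expired | Measure-Object -Property NameBytes -Sum).Sum
        Rows               = $rows
    }
}

$report = Get-RootStoreReport
$report | Select-Object RootCount, ExpiredCount, EstimatedListBytes, ExpiredBytes

# Expired roots, largest name first: candidates to review, not an automatic removal list.
$report.Rows |
    Where-Object { $_.Expired } |
    Sort-Object -Property NameBytes -Descending |
    Format-Table -AutoSize Subject, NotAfter, NameBytes, Thumbprint
```

Run it before and after a cleanup to compare EstimatedListBytes; because the limit is on data size rather than CA count, the byte total is the number to watch.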