If you have a Web site on Internet Information Services (IIS) 5.0 that requires client certificates, when you upgrade the server to Microsoft Windows Server 2003 with IIS 6.0, clients that connect to the site may receive one of the following error messages even if the client certificates are not controlled by a certificate trust list (CTL):
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
HTTP 403.16 Forbidden: Client certificate is ill-formed or is not trusted by the web server.
HTTP Error 403.7: Forbidden: SSL client certificate is required.
When the client accesses the Web site, the client may not receive the Client Authentication
dialog box in the browser (the Client Authentication
dialog box permits you to select the client certificate that you want to use to access the site). If the client receives the Client Authentication
dialog box, the certificate list in the Client Authentication
dialog box may not list the client certificate.
This may occur if the client certificate was created by a certification authority that the IIS computer does not trust.
In IIS 5.0, you can specify a CTL that contains certification authorities whose root certification authority certificates are installed in the personal certificate store of the local computer. However, in IIS 6.0, the root certification authority certificates must be installed in the local computer Trusted Root Certification Authorities certificate store. With this change, IIS 6.0 verifies certificates based on the rules that are specified in the crypto API. The crypto API rejects certificates if the root certification authority certificates are not installed in the local computer Trusted Root Certification Authorities certificate store.
To resolve the error and display the certificate in the browser, you must install the root certification authority certificate in the local computer Trusted Root Certification Authorities certificate store.
- Add a certificate snap-in for the local computer:
- Click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add.
- Under Snap-in, double-click Certificates, select Computer account, and then click Next.
- Select Local computer, click Finish, and then click Close.
- Click OK to exit the wizard.
- Export the certificate from the local computer Personal Certificate store:
- In the snap-in for the local computer, double-click Certificates (local computer), double-click Personal, and then double-click Certificates.
- Right-click the root certification authority certificate for the certification authority that issues the client certificates, click All Tasks, and then click Export to open the Certificate Export wizard.
- Click Next, select a format for the export, specify the directory where you want to store the exported certificate, click Next, and then click Finish.
Note The DER Encoded Binary X.509 format and the Base64 Encoded X.509 format are used for interoperability if the certification authority is not a Microsoft Windows 2000-based server.
If you do not know the certification authority type, use one of these formats.
- Import the certificate to the local computer Trusted Root Certification Authorities certificate store:
- In the snap-in for the local computer, double-click Trusted Root Certification Authorities, double-click Certificates, right-click All Tasks, and then click Import to start the Certificate Import wizard.
- Click Next, specify the exported certificate that you created in step 2, and then click Open.
- Click Next. Verify that Place all certificates in the following store is selected and that Certificate Store lists Trusted Root Certification Authorities.
- Click Next, and then click Finish.
This error message may also indicate that the administrator has previously configured a specific trust list by checking the Enable certificate trust list
check box and by populating the dialog box with one or more root certificates. If the Enable certificate trust list
check box is selected, verify that the expected server certificate appears in the list. This includes all renewed certificates. To do this, follow these steps:
- Open the Internet Information Services management console, right-click the Web site that is experiencing the error, and then click Property.
- Click the Directory Security tab.
- Under Secure communications, click Edit.
- If the Enable certificate trust list check box is selected and the Current CTL field is populated, you can do the following tasks:
- Click to clear the Enable certificate trust list check box. This will enable IIS to use all certificates in the server certificate store.
- Click Edit, and follow the prompts in the Certificate Trust List Wizard to add the appropriate server certificate.
Note Edit is only available when the CTL is populated with one or more certificates from the server certificate store.
- Click OK when you are prompted.
- Test a page that requires a client certificate.
More information about CTLs is available in the product documentation. To view this documentation, visit the following Microsoft Web site:
You can also access the product documentation through IIS Manager.
For more information about how to access this Help feature, click the following article number to view the article in the Microsoft Knowledge Base:
How to access IIS 6.0 Help documentation