Microsoft KB Archive/216485

= HOW TO: Limit the Number of Trusted Certification Authorities in IIS =

Article ID: 216485

Article Last Modified on 6/23/2005

-

APPLIES TO


 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q216485



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

IN THIS TASK
SUMMARY
 * To Make Trusted Certification Authorities Unavailable by Modifying the Registry



SUMMARY
This step-by-step article describes how to make unavailable some of the trusted certification authorities (CAs) that are included with Microsoft Internet Information Server (IIS) 4.0 You may want to make some of these trusted CAs unavailable to make sure that only certain CAs are used.

back to the top

To Make Trusted Certification Authorities Unavailable by Modifying the Registry
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

All trusted CA certificates are handled by Schannel.dll, which stores its data in the registry. In the registry, you see a series of registry keys under the CertificationAuthorities key. There is one key for each preinstalled CA. Each CA key contains an Enabled entry. This entry is set to 0x1 if the CA is trusted, or is set to 0x0 if the CA is not trusted.

NOTE: Do not delete these registry entries. If you do, Schannel automatically re-creates them.  Start Registry Editor (Regedt32.exe). Locate the following key in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities

 You see a list of all of the trusted CAs. Click the CA that you do not want to trust. Click the Enabled subkey, and then set its value to 0 (zero). Repeat these steps to make unavailable all of the CA certificates that you do not want to trust. Restart the computer.</li></ol>

back to the top

Additional query words: disable

Keywords: kbhowto kbhowtomaster KB216485

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.