Using SSL without an Internet connection


If you have a web application that uses SSL and this application, for some reason, is hosted on an IIS that doesn’t have Internet access you will eventually find that any call to the server over SSL will take a lot of time to reply. It doesn’t matter if it’s ASP.NET, classic ASP or even CSS. As long as the request is made via SSL the response-time will skyrocket.

This isn’t a very common situation, since normally the IIS is connected to the Internet. HoweverI’ve come across this “in the field” where clients were routed internally to the IIS through a proxy, so it does happen.


This is a variation of the problem described in this article. The IIS will want to go on-line and verify that the certificate has not been revoked. In order to do this is requires a working Internet connection. Otherwise it will wait until the request times out and then service the request. When the next SSL-request comes along it will attempt to go on-line again, time out, and so on.

If you’ve had your server connected to the Internet during testing, then you will most likely not come across this problem straight away, since the response from the lookup in the certificate revocation list (CRL) will be cached. This makes it harder to pinpoint the root cause, unless you know where to look.


The easiest way to resolve this is to skip CRL checking. This is done by setting the metabase property CertCheckMode to 1.

Create a blank .txt file on the server and paste the following code into it:

Set oWeb = GetObject("IIS://localhost/W3SVC")
oWeb.CertCheckMode = 1
Set oWeb = Nothing

Running this script will change the property so that revocation checking is no longer done. If you want to switch back to the default value, then you should set CertCheckMode to 0 instead.

/ Johan

Comments (2)

  1. I knew I had seen a similar article before

  2. Nitnot says:

    what kind of internet connection does it need? http or https? and what is the impact if the certcheckmode is  being disabled (if the server can't check the revocation CRL)?