A certificate trust list (CTL) is a defined list of trusted root certification authorities. When used with Group Policy and a PKI deployment, a CTL allows you to supplement the existing trusted root certification authorities that are configured on your network, such as those automatically installed with Microsoft Windows or added through Windows enterprise root certification authorities. However, when a CTL is configured in Internet Information Services (IIS), a CTL defines a subset of those trusted root certification authorities.

This subset provides administrators with more control over security because the CTL restricts the client certificates that are accepted to only those that are issued from the list of certification authorities in the CTL. For example, Windows ships with a number of well-known third-party certification authority certificates, such as VeriSign and Thawte. By default, the computer running IIS trusts certificates that chain to these well-known certification authorities. Without configuring IIS with a CTL, any computer that has a client certificate issued from these certification authorities are accepted as a valid Configuration Manager client. If you configure IIS with a CTL that did not include these certification authorities, client connections are refused if the certificate chained to these certification authorities. However, for Configuration Manager clients to be accepted in the native mode site, you must configure IIS with a CTL that specifies the certification authorities used by Configuration Manager clients.

A CTL in IIS is defined as a Web site property, so you must configure the CTL for each site server in a Configuration Manager 2007 native mode site that is configured for Secure Sockets Layer (SSL) communication; it cannot be configured and maintained with Group Policy. The site system roles that use SSL communication are the following:

To use a CTL with Configuration Manager 2007 in native mode, edit the properties of the Web site (the Default Web site, or the custom web site named SMSWeb) after you have configured the Web site with its native mode certificate. Use the Certificate Trust List Wizard to create or edit the CTL, and then specify the root certification authorities used by clients in the native mode site. For more information about creating and editing CTLs in IIS 6.0, see the IIS 6.0 documentation on CTLs (http://go.microsoft.com/fwlink/?LinkId=80247).

It is recommended, but not required, that you use a CTL in IIS for Configuration Manager 2007 native mode because this provides a higher level of security than if you do not explicitly define which certification authorities are used by Configuration Manager clients.

Using a CTL with IIS and Configuration Manager 2007 native mode provides the following advantage:

Using a CTL with IIS and Configuration Manager 2007 native mode has the following disadvantages:

See Also