Certificate Trust List on IIS 8.5

15 replies

Last post Mar 06, 2019 02:52 PM by GrangerATS

  • Certificate Trust List on IIS 8.5

    Feb 19, 2016 03:53 PM|blake.duffey

    Can anyone provide a valid method for implementing a CTL on IIS 8.5 that doesn't require me to stand up a server that is EOL?

    Scouring the interwebs keeps pointing me to posts that reference a tool from the Windows 2003 SDK that only runs on Windows 2003 or 2008 (nonR2).  There must be an updated method.

    Thanks

  • Re: Certificate Trust List on IIS 8.5

    Feb 20, 2016 03:41 AM|Ken Schaefer

    https://technet.microsoft.com/en-us/library/dn786429.aspx

    Windows Server 2012 R2 uses specific certificate stores to generate the list of trusted issuers. See the section "Management of trusted issuers for client authentication" for details

  • Re: Certificate Trust List on IIS 8.5

    Feb 20, 2016 03:51 AM|lextm

    <deleted>

    Lex Li
    Affordable IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: Certificate Trust List on IIS 8.5

    Feb 23, 2016 10:45 PM|blake.duffey

    Thanks much Ken - reading that now!

  • Re: Certificate Trust List on IIS 8.5

    Feb 24, 2016 03:30 PM|blake.duffey

    So that section seems to detail the differences between the old versions of Windows and 2012 and up.  

    I remain confused about how to implement.

    The article says If there is a specific credential store configured for the site, it will be used as the source.

    That's what I want (to setup a store per IIS site)

    I'm assuming I have to run

    netsh http add sslcert ipport=0.0.0.0:443 certhash=GUID hash value appid={GUID application identifier}  sslctlstorename=ClientAuthIssuer

    on my IIS server, as it says HTTP.sys is not configured by default to use the Client Authentication Issuers Store.  When I issue that command I get the helpful error 'The parameter is incorrect'.

    (although I wonder if I am reading that too literally)

    Any further insight is appreciated.

  • Re: Certificate Trust List on IIS 8.5

    Feb 24, 2016 04:47 PM|blake.duffey

    I've also used 

    netsh http show sslcert

    and replaced the 'values' for certhash and appid for the site in question.  I get the same error.  

    Assuming that error did NOT happen (and that command configured that site for the per-site cert store - how do I view that store?  How do I add certs to it?

    Thanks again
    Blake

  • Re: Certificate Trust List on IIS 8.5

    Feb 25, 2016 04:24 AM|Ken Schaefer

    blake.duffey

    Assuming that error did NOT happen (and that command configured that site for the per-site cert store - how do I view that store?  How do I add certs to it?

    Start -> Run -> MMC.exe

    Add/Remove Snapins

    Add Certificates snapin

    Choose Machine account

    You will then see a set of stores that IIS has access to. You import certificates here as well.

    I believe you can create new stores via this UI as well (haven't tested that though)

  • Re: Certificate Trust List on IIS 8.5

    Feb 25, 2016 03:19 PM|blake.duffey

    Thanks Ken - it didn't occur to me that Microsoft would use the standard certificate MMC for this...

    :)

    Launching the certificates snap-in on my IIS box I DO see 'Client Authentication Issuers' as a separate store.

    (which I'll be trying shortly)

    I don't see any way to create a site specific store (but I feel this is a significant step in the right direction)

    :)

    Thanks Ken

    If you have any ideas regarding creating a site-specific store, please let me know

    Blake

  • Re: Certificate Trust List on IIS 8.5

    Feb 25, 2016 08:41 PM|blake.duffey

    So I can certainly add certs to the Client Authentication Issuers store.  The problem now is, per https://technet.microsoft.com/en-au/library/dn786429.aspx

    HTTP.sys, which implements the Windows HTTP-server stack, is not configured by default to use the Client Authentication Issuers store.

    So I need to configure the site to use that store.  But using netsh http add sslcert only gives me 'the parameter is incorrect'.

    Hostname:port : sXXXXXXXX.org:443
    Certificate Hash : 2XXXXXXdcf16f3417000a523621087159683
    Application ID : {4dc3e181-e14b-4a21-b022-59fc66XXXX}
    Certificate Store Name : WebHosting
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout : 0
    Ctl Identifier : (null)
    Ctl Store Name : (null)
    DS Mapper Usage : Disabled
    Negotiate Client Certificate : Disabled

    PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
    The parameter is incorrect.

    Thanks again

    Blake

  • Re: Certificate Trust List on IIS 8.5

    Feb 26, 2016 12:47 AM|Ken Schaefer

    Put appid= before certhash=

    Also, I'm not sure that ipport= accepts a DNS name - you might need to use an IP Address:Port combination

  • Re: Certificate Trust List on IIS 8.5

    Feb 26, 2016 01:16 AM|blake.duffey

    I'll try that order

    I've seen examples that use DNS name - but I'm open to trying that too :)

    EDIT:

    Swapping the order of appid and certhash didn't help

    Changing the value of ipport to 0.0.0.0:443 caused a different error

    SSL Certificate add failed, Error: 1312
    A specified logon session does not exist. It may already have been terminated.

  • Re: Certificate Trust List on IIS 8.5

    Feb 26, 2016 01:43 AM|Ken Schaefer

    Googling around, it seems the most common cause of that error is that the server authentication cert you are trying to bind to the IP address is not in the Personal Certificates store.

  • Re: Certificate Trust List on IIS 8.5

    Feb 26, 2016 01:54 AM|blake.duffey

    I've found similar.

    I'm sort of (more) confused now.  All I really want to do is set the value sslctlstorename=ClientAuthIssuer for an existing site.

    There is already a cert bound to this site (without a bound cert, it doesn't even show up when I issue netsh http show sslcert).

    Does it want me to assign the cert, issue netsh http show sslcert to get the hash, unbind it, and then re-assign it via netsh?  

    (I've not really understood why I needed that at all)

  • Re: Certificate Trust List on IIS 8.5

    Mar 02, 2016 11:40 PM|blake.duffey

    I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in.  My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).

    I'm going to come back and look at it again in a few days 

    Thanks again

  • Re: Certificate Trust List on IIS 8.5

    Apr 08, 2016 09:30 PM|blake.duffey

    blake.duffey

    PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
    The parameter is incorrect.

    This error (parameter is incorrect) was caused by entering the command into PowerShell - you have to put single quotes <'> around the curly braces around the appid value.  Grrrr

  • Re: Certificate Trust List on IIS 8.5

    Mar 06, 2019 02:52 PM|GrangerATS

    blake.duffey

    I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in.  My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).

    I'm going to come back and look at it again in a few days 

    Thanks again

    I know this is old, but I found how to do what you're talking about. Use netsh http update sslcert instead of "delete then create" like everyone seems to recommend on the 'Net (even the MS docs). You'll change the existing entry without messing up the IIS GUI.

    E.g. To change an existing IIS Site to use the "Client Authentication Issuers" store instead of the "Trusted Root Certification Authorities" store when accepting TLS client certificates...

    1. Install your public cert into both the "Trusted Root Certification Authorities" and "Client Authentication Issuers" certificate stores for the Local Machine. (I think there's a Registry setting that makes it so you don't need to install it into the "Trusted Root..." store, but I haven't tried that.)
    2. View what's presently set up in HTTP.sys to find the binding that goes with the IIS Site you want to change by using netsh http show sslcert
    3. Run this: netsh http update sslcert ipport={what's-listed-in-"IP:port"} appid={what's-listed-in-"Application ID"} certhash={what's-listed-in-"Certificate Hash"} sslctlstorename=ClientAuthIssuer
      1. E.g. (sort of): netsh http update sslcert ipport=0.0.0.0:443 appid={4dc3e181-e14b-4a21-b022-...} certhash=a95...c68 sslctlstorename=ClientAuthIssuer
      2. You can copy-paste the values from the "show sslcert" command, if you're running directly from a cmd prompt; you don't need to quote the values (even the formatted GUID).
    4. You do not need to reboot the machine or restart IIS or restart the IIS Site to have the changes take effect.
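The following script is an added example and is not code from any poster in this thread or from Microsoft. It scripts the procedure in the reply above (parse "netsh http show sslcert", find the binding for one site, run "netsh http update sslcert" with sslctlstorename=ClientAuthIssuer, then re-read HTTP.sys to confirm "Ctl Store Name" changed) and it also addresses the PowerShell quoting problem reported earlier in the thread by building each key=value pair as one string, so the braces in the application ID reach netsh intact. It assumes an elevated PowerShell session on the IIS host and that $Binding is given exactly as "show sslcert" prints it; for SNI bindings (listed as "Hostname:port") it uses the hostnameport= parameter, which the thread itself does not mention.

```powershell
<#
  Added example (not from the thread): point an existing HTTP.sys TLS binding at the
  Client Authentication Issuers store using "netsh http update sslcert", and verify it.
  Assumptions: elevated PowerShell on the IIS host; $Binding matches the "IP:port" or
  "Hostname:port" value printed by "netsh http show sslcert".
#>
param(
    [Parameter(Mandatory)] [string] $Binding,      # e.g. '0.0.0.0:443' or 'www.example.test:443'
    [string] $CtlStoreName = 'ClientAuthIssuer'     # netsh name of the Client Authentication Issuers store
)

function Get-SslCertBindings {
    # Parse "netsh http show sslcert" into one hashtable per binding.
    # A record starts at an "IP:port" or "Hostname:port" line; the following
    # "Key : Value" lines (Certificate Hash, Application ID, Ctl Store Name, ...)
    # are collected until the next record begins.
    $bindings = @()
    $current  = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += $current }
            $current = @{ BindingKind = $Matches[1]; Binding = $Matches[2] }
            continue
        }
        if ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$target = Get-SslCertBindings | Where-Object { $_.Binding -eq $Binding } | Select-Object -First 1
if (-not $target) { throw "No HTTP.sys SSL binding found for '$Binding' (check 'netsh http show sslcert')." }

if ($target['Ctl Store Name'] -eq $CtlStoreName) {
    Write-Host "Binding $Binding already uses CTL store '$CtlStoreName'; nothing to do."
    return
}

# SNI (hostname) bindings are addressed with hostnameport=, IP bindings with ipport=.
$bindingArg = if ($target.BindingKind -eq 'Hostname:port') { "hostnameport=$Binding" } else { "ipport=$Binding" }

# Each key=value pair is a single string, so PowerShell hands the braces in the
# application ID to netsh unchanged. Typed interactively, this is what the
# appid='{...}' single-quoting from earlier in the thread achieves.
$netshArgs = @(
    'http', 'update', 'sslcert',
    $bindingArg,
    "appid=$($target['Application ID'])",
    "certhash=$($target['Certificate Hash'])",
    "sslctlstorename=$CtlStoreName"
)
Write-Host "Running: netsh $($netshArgs -join ' ')"
& netsh @netshArgs
if ($LASTEXITCODE -ne 0) { throw "netsh http update sslcert failed with exit code $LASTEXITCODE." }

# Verify against HTTP.sys itself rather than trusting the exit code alone.
$after = Get-SslCertBindings | Where-Object { $_.Binding -eq $Binding } | Select-Object -First 1
if ($after['Ctl Store Name'] -ne $CtlStoreName) {
    throw "Update reported success but Ctl Store Name is still '$($after['Ctl Store Name'])'."
}
Write-Host "Binding $Binding now uses CTL store '$CtlStoreName' (certificate hash unchanged: $($after['Certificate Hash']))."
```

Because the script uses update rather than delete-then-add, the binding keeps its certificate hash and application ID, so the certificate still shows in the IIS Manager site bindings afterwards; the final read-back is the check worth keeping even when running the command by hand, since "Ctl Store Name" going from (null) to ClientAuthIssuer is the only visible sign that HTTP.sys will now build the trusted-issuer list for that site from the Client Authentication Issuers store.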