Trust a self signed cert from IIS - iis

I have an externally hosted iis webserver where i run my website. I would like to add a self signed certificate to this website and trust it on my local client, to remove "Insecure Connection" from the browser.
What i have done so far is the following
Created a self signed certificate in IIS: Server Certificates -> Create self signed Certificate. The cert is issued to the servername e.g "ABCD01"
Created a website with a https binding using the self signed certificate.
Exported the self signed certificate from IIS using: Server Certificates -> Export. This resulted in an .pfx file
Imported the .pfx cert file on the local client: manage computer certificates -> Trusted Root certification authorities -> import
Added the hostname (ABCD01) and ip of the host to the hosts file: C:\Windows\System32\drivers\etc\hosts
When i try to open the website in firefox (using https://ABCD01), i still get the "Your connection is not secure". What am i missing?

There are multiple issues:
IIS certificate generator creates self-signed certificates with SHA1 signature algorithm which is obsolete in modern browsers. You have to use different tools to create test certificates. For example, use PowerShell New-SelfSignedCertificate cmdlet where you can specify signature algorithm. Look at this post to get an example: https://stackoverflow.com/a/45284368/3997611
New-SelfSignedCertificate `
-DnsName "ABCD01" `
-CertStoreLocation "cert:\LocalMachine\My" `
-FriendlyName "test dev cert" `
-TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" `
-KeyUsage DigitalSignature,KeyEncipherment,DataEncipherment `
-Provider "Microsoft RSA SChannel Cryptographic Provider" `
-HashAlgorithm "SHA256"
IIS certificate generator cannot build certificate with SAN (Subject Alternative Names) certificate extension which is required in Google Chrome. You have to use different tools to create test certificates. Look at the example above for reference.
Google Chrome uses built-in Windows Certificate store to establish a trust, while FireFox uses its own certificate store. Therefore, after adding the certificate to Windows certificate store, you have to import your test certificate to FireFox manually.

Related

Setting a self signed certificate into list of windows certificates does not resolve SEC_E_UNTRUSTED_ROOT

I set http.sslbackend=schannel and imported my self-signed certificate into windows 10 (Personal | Certificates) pane in MMC. Now, I'm trying to clone a repository hosted on a server configured with the self-signed certificate.
As far as I understood as long as having the certificate in windows (explained above) git should not complain about the certificate. This is not the case. whenever I try to clone I'm getting:
unable to access https://server.com/project.git : schannel: SEC_E_UNTRUSTED_ROOT (0X80090325) - THE CERTIFICATE CHAIN WAS ISSUED BY AN AUTHORITY THAT IS NOT TRUSTED.
What am I missing here?

Valid CA certificates

I'm following this tutorial and app works, but certificates I created with my server key works
I understand that I need to pass ca option with certificates my server accepts, but I don't know how to specify what I need.
I would like to accept certificates from other CA, not only the ones signed with my server key.
[The peer's certificate must be chainable to a CA trusted by the server for the connection to be authenticated. When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate.][1]
const opts = {
key: fs.readFileSync('server_key.pem'),
cert: fs.readFileSync('server_cert.pem'),
requestCert: true,
rejectUnauthorized: false,
ca: [ fs.readFileSync('server_cert.pem') ],
}
How can I do this?
It depends on how you're validating, but at the very least you would need to have a .CER copy of the other CA certs installed in your machines certificate store in the trusted root certification authorities folder. After that it'd all fall down to validation. Some validation methods automatically query your machines cert store for the certificate. Or you can programmatic it to pull the CA from your certificate store and construct the chain yourself.
The .CER version of the certificate refers to the public copy that does not contain the private keys used for signing a certificate. This cert can validate other certificates that were issued by it, but it cannot sign a certificate.
If you're on a windows machine, you can access your certificate store through the Microsoft Management Console. Open a cmd prompt and type MMC.
Go to file > Add or Remove Snap In > Certificates and select Add. This will prompt you for the specific certificate store you want. If you click the drop down, you'll see additional folders. This will show all trusted certificate authorities in the given store. You will need to add copies of the other CA signing certs here.

Custom domains/SSL binding in Microsoft Azure server

I have installed SSL successful in my azure server but it's not binding with domain. I am getting following error message.
It is not clear on what certificate you are using. To use a certificate in App Service, the certificate must meet all the following requirements:
Signed by a trusted certificate authority
Exported as a password-protected PFX file
Contains private key at least 2048 bits long
Contains all intermediate certificates in the certificate chain
As highlighted by Snobu you may regenerate the certificate (for Self-Signed) with: extendedKeyUsage = critical,codeSigning,1.3.6.1.5.5.7.3.1 in the x509_extensions in the file. Refer this document for the step-step instructions on uploading a certificate.

HTTP error 403.16 - client certificate trust issue

I am trying to implement client certificate authentication on IIS 8. I have deployed my configuration on a development machine and verified it working as expected there. However after setting up on the server, whenever I navigate to the site and am prompted for the client cert, I select it and immediately get the 403.16 error. The failed requests log gives the error code 2148204809 and message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."
I have a valid client cert and also a valid CA cert. The CA cert is installed in Trusted Root Authorities on the computer account on both the server and the client machine, and the client cert is installed in the Personal area of the Current User account on the client machine.
The client cert is signed directly by the root CA and as I said, both are valid. There are no other certs in the chain and there are no intermediate certs in the Trusted Root Authorities area.
The IIS configuration has sslFlags = SslNegotiateCert and iisClientCertificateMappingAuthentication is enabled.
The server is not configured to send a CTL and we have SendTrustedIssuerList = 0.
I cannot see why the client cert should not be trusted.
Windows 2012 introduced stricter certificate store validations. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns with a 403.16 error code.
To solve the problem, you have to remove all non-self-signed certificates from the root store. This PowerShell command will identify non-self-signed certificates:
Get-Childitem cert:\LocalMachine\root -Recurse |
Where-Object {$_.Issuer -ne $_.Subject}
In my situation, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:
Get-Childitem cert:\LocalMachine\root -Recurse |
Where-Object {$_.Issuer -ne $_.Subject} |
Move-Item -Destination Cert:\LocalMachine\CA
According to KB 2801679: SSL/TLS communication problems after you install KB 931125, you might also have too many trusted certificates.
[T]he maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certication Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.
The solution in this situation is to remove any certification authority certificates you don't trust, or to stop sending the list of trusted certifiation authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\#SendTrustedIssuerList registry entry to 0 (the default, if not present, is 1).
If the issue continues to persist after the above steps, restart the machine.
In my case I'd been adding the root cert into the 'current user' certificate store on the server and was getting the 403.16 error.
Adding my root cert to the Trusted Root Authorities store for the local machine resolved the issue.
Follow the steps below on the server running IIS.
For Windows Server 2008 R2:
Right click on the certificate file and select 'Install Certificate'. Click next.
Select 'Place all certificates in the following store' and click 'Browse...'
Check 'Show physical stores'
Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
Click Next/Click Finish.
For Windows Server 2012 R2:
Right click on the certificate file and select 'Install
Certificate'.
Select 'Local Machine'. Click Next.
Select 'Place all certificates in the following store' and click 'Browse...'
Select 'Trusted Root Certification Authorities'. Click OK.
Click Next/Click Finish.
For Windows 7:
Start -> Run -> mmc.exe
File -> 'Add or Remove Snap-ins'. Select 'Certificates', click 'Add >' and select 'Computer account' and then 'Local computer'. Click Finish/OK
Expand Certificates (Local Computer) -> Trusted Root Certification Authorities -> Certificates. Right click on Certificates and select All Tasks -> Import.
Select the certificate file and click next.
Select 'Place all certificates in the following store' and click 'Browse...'
Check 'Show physical stores'
Expand 'Trusted Root Certification Authorities' and select 'Local Computer'. Click OK.
Click Next/Click Finish.
I got this error in IIS Express:
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
Looking at the TraceLogFiles I saw the following error:
<RenderingInfo Culture="en-US">
<Opcode>MODULE_SET_RESPONSE_ERROR_STATUS</Opcode>
<Keywords>
<Keyword>RequestNotifications</Keyword>
</Keywords>
<freb:Description Data="Notification">BEGIN_REQUEST</freb:Description>
<freb:Description Data="ErrorCode">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
(0x800b0109)</freb:Description>
</RenderingInfo>
Turned out when I installed Razer Synapse the installation also put a certificate for chromasdk.io in Trusted Root Certification Authorities under Computer Account -> Local computer. I removed this and then everything worked.
Just sharing my experience with Windows 2019 server and IISExpress in combination with a self-signed certificate. I couldn't get it working with editing the registry and in the end I didn't need to.
The following three steps got me there:
Generate a root certificate for the localmachine cert store with powershell:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=TestRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsageProperty Sign -KeyUsage CertSign
Generate a client certificate for the localuser cert store, based on the root cert with powershell:
New-SelfSignedCertificate -Type Custom -Subject "CN=TestChildCert" -Signer $cert -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.2","2.5.29.17={text}upn=test#local") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My"
Move the root cert from Personal\Certificates to Trusted Root Certification\Certificates
After this I could select the TestChildCert and it was accepted just fine.

Exporting SSL certificate from Juniper SA 2000 to IIS 7

Has anyone exported SSL certificate (cert and private key) from a Juniper SA 2000 box and tried to import it to IIS 7 box ?
I have tried to google for ways to export the private key from SA 2000 but haven't got any good links. (IIS 7 requires the cert and key put into a .pfx format to import). But if i can export the private key and also have the cert i can create the pfx using openssl.
Any help regarding this is appreciated.
Thanks.
If you can't export the certificate with the private. I would suggest to contact your CA provider to reissue your certificate using the new CSR generated from your IIS 7 server. Reissuing of certificate in free of charge if you are a GlobalSign customer or your certificate is issued by GlobalSign.
Reissuing your certificate using the CSR generated from the IIS 7 server will allow you to install the certificate using the PEM certificate format (.crt file)
You may refer to this link: https://support.globalsign.com/customer/portal/articles/1226960-install-certificate---internet-information-services-iis-7

Resources