Certificate Trust List on IIS 8.5

Question
User-2090720020 posted
Can anyone provide a valid method for implementing a CTL on IIS 8.5 that doesn't require me to stand up a server that is EOL?
Scouring the interwebs keeps pointing me to posts that reference a tool from the Windows 2003 SDK that only runs on Windows 2003 or 2008 (non-R2). There must be an updated method.
Thanks
Friday, February 19, 2016 3:53 PM
All replies
User-1122936508 posted
https://technet.microsoft.com/en-us/library/dn786429.aspx
Windows Server 2012 R2 uses specific certificate stores to generate the list of trusted issuers. See the section "Management of trusted issuers for client authentication" for details
Saturday, February 20, 2016 3:41 AM
User690216013 posted
<deleted>
Saturday, February 20, 2016 3:51 AM
User-2090720020 posted
Thanks much Ken - reading that now!
Tuesday, February 23, 2016 10:45 PM
User-2090720020 posted
So that section seems to detail the differences between the old versions of Windows and 2012 and up.
I remain confused about how to implement.
The article says If there is a specific credential store configured for the site, it will be used as the source.
That's what I want (to setup a store per IIS site)
I'm assuming I have to run
netsh http add sslcert ipport=0.0.0.0:443 certhash=GUID hash value appid={GUID application identifier} sslctlstorename=ClientAuthIssuer
on my IIS server, as it says HTTP.sys is not configured by default to use the Client Authentication Issuers Store. When I issue that command I get the helpful error 'The parameter is incorrect'.
(although I wonder if I am reading that too literally)
Any further insight is appreciated.
Wednesday, February 24, 2016 3:30 PM
User-2090720020 posted
I've also used
netsh http show sslcert
and replaced the 'values' for certhash and appid for the site in question. I get the same error.
Assuming that error did NOT happen (and that command configured that site for the per-site cert store) - how do I view that store? How do I add certs to it?
Thanks again
Blake
Wednesday, February 24, 2016 4:47 PM
User-1122936508 posted
blake.duffey
Assuming that error did NOT happen (and that command configured that site for the per-site cert store) - how do I view that store? How do I add certs to it?

Start -> Run -> MMC.exe
Add/Remove Snapins
Add Certificates snapin
Choose Machine account
You will then see a set of stores that IIS has access to. You import certificates here as well.
I believe you can create new stores via this UI as well (haven't tested that though)
Thursday, February 25, 2016 4:24 AM
User-2090720020 posted
Thanks Ken - it didn't occur to me that Microsoft would use the standard certificate MMC for this...
:)
Launching the certificates snap-in on my IIS box I DO see 'Client Authentication Issuers' as a separate store.
(which I'll be trying shortly)
I don't see any way to create a site specific store (but I feel this is a significant step in the right direction)
:)
Thanks Ken
If you have any ideas regarding creating a site-specific store, please let me know
Blake
Thursday, February 25, 2016 3:19 PM
User-2090720020 posted
So I can certainly add certs to the Client Authentication Issuers store. The problem now is, per https://technet.microsoft.com/en-au/library/dn786429.aspx
HTTP.sys, which implements the Windows HTTP-server stack, is not configured by default to use the Client Authentication Issuers store.
So I need to configure the site to use that store. But using netsh http add sslcert only gives me 'the parameter is incorrect'.
Hostname:port : sXXXXXXXX.org:443
Certificate Hash : 2XXXXXXdcf16f3417000a523621087159683
Application ID : {4dc3e181-e14b-4a21-b022-59fc66XXXX}
Certificate Store Name : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
The parameter is incorrect.

Thanks again
Blake
Thursday, February 25, 2016 8:41 PM
User-1122936508 posted
Put appid= before certhash=
Also, I'm not sure that ipport= accepts a DNS name - you might need to use an IP Address:Port combination
Friday, February 26, 2016 12:47 AM
User-2090720020 posted
I'll try that order
I've seen examples that use DNS name - but I'm open to trying that too :)
EDIT:
Swapping the order of appid and certhash didn't help
Changing the value of ipport to 0.0.0.0:443 caused a different error
SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.
Friday, February 26, 2016 1:16 AM
User-1122936508 posted
Googling around, it seems the most common cause of that error is that the server authentication cert you are trying to bind to the IP address is not in the Personal Certificates store.
Friday, February 26, 2016 1:43 AM
User-2090720020 posted
I've found similar.
I'm sort of (more) confused now. All I really want to do is set the value sslctlstorename=ClientAuthIssuer for an existing site.
There is already a cert bound to this site. (Without a bound cert, it doesn't even show up when I issue netsh http show sslcert.)
Does it want me to assign the cert, issue netsh http show sslcert to get the hash, unbind it, and then re-assign it via netsh?
(I've not really understood why I needed that at all)
Friday, February 26, 2016 1:54 AM
User-2090720020 posted
I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in. My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).
I'm going to come back and look at it again in a few days
Thanks again
Wednesday, March 2, 2016 11:40 PM
User-2090720020 posted
blake.duffey
PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
The parameter is incorrect.

This error (parameter is incorrect) was caused by entering the command into PowerShell - you have to put single quotes <'> around the curly braces around the appid value. Grrrr
Friday, April 8, 2016 9:30 PM
User-1292006634 posted
I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in. My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).
I'm going to come back and look at it again in a few days
Thanks again
I know this is old, but I found how to do what you're talking about. Use
netsh http update sslcert
instead of "delete then create" like everyone seems to recommend on the 'Net (even the MS docs). You'll change the existing entry without messing up the IIS GUI.

E.g. To change an existing IIS Site to use the "Client Authentication Issuers" store instead of the "Trusted Root Certification Authorities" store when accepting TLS client certificates...
- Install your public cert into both the "Trusted Root Certification Authorities" and "Client Authentication Issuers" certificate stores for the Local Machine. (I think there's a Registry setting that makes it so you don't need to install it into the "Trusted Root..." store, but I haven't tried that.)
- View what's presently setup in HTTP.sys to find the binding that goes with the IIS Site you want to change by using
netsh http show sslcert
- Run this:
netsh http update sslcert ipport={what's-listed-in-"IP:port"} appid={what's-listed-in-"Application ID"} certhash={what's-listed-in-"Certificate Hash"} sslctlstorename=ClientAuthIssuer
- E.g. (sort of): netsh http update sslcert ipport=0.0.0.0:443 appid={4dc3e181-e14b-4a21-b022-...} certhash=a95...c68 sslctlstorename=ClientAuthIssuer
- You can copy-paste the values from the "show sslcert" command, if you're running directly from a cmd prompt; you don't need to quote the values (even the formatted GUID).
- You do not need to reboot the machine or restart IIS or restart the IIS Site to have the changes take effect.
Wednesday, March 6, 2019 2:52 PM
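The procedure in the last reply, and the PowerShell brace-quoting pitfall from the April 2016 post, as one added script that is not from this thread or from Microsoft: it parses "netsh http show sslcert", finds the binding for a given certificate hash, re-points it with "netsh http update sslcert", and verifies the result. It assumes an elevated prompt on Windows Server 2012 R2 / IIS 8.5 and an IP:port binding; the function name Get-HttpSysSslBinding and the parameter names are the example's own.

```powershell
# Added example, not code from the thread. Re-points an existing HTTP.sys
# binding at the Client Authentication Issuers store with
# "netsh http update sslcert", as the final reply describes.
# Assumptions: elevated prompt, Windows Server 2012 R2 / IIS 8.5,
# and an IP:port binding (Hostname:port bindings are reported and skipped).
param(
    [Parameter(Mandatory)] [string] $CertHash,   # thumbprint from "netsh http show sslcert"
    [string] $CtlStoreName = 'ClientAuthIssuer',
    [switch] $DryRun                              # print the command instead of running it
)

# Parse "netsh http show sslcert" into one hashtable per binding (hypothetical helper).
function Get-HttpSysSslBinding {
    $bindings = @(); $current = $null
    foreach ($line in (& netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = @{ BindingType = $Matches[1]; Endpoint = $Matches[2] }
        } elseif ($current -and $line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $current[$Matches[1]] = $Matches[2]   # e.g. "Ctl Store Name" -> "(null)"
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

$targets = @(Get-HttpSysSslBinding | Where-Object { $_['Certificate Hash'] -ieq $CertHash })
if ($targets.Count -eq 0) { throw "No HTTP.sys binding uses certificate hash $CertHash" }

foreach ($b in $targets) {
    if ($b.BindingType -ne 'IP:port') {
        Write-Warning "Skipping $($b.Endpoint): Hostname:port bindings are not handled here"
        continue
    }
    # Each argument is its own string, so the braces in the appid never reach the
    # PowerShell parser; this is the "parameter is incorrect" pitfall from the thread.
    $netshArgs = @('http', 'update', 'sslcert',
        "ipport=$($b.Endpoint)",
        "appid=$($b['Application ID'])",
        "certhash=$($b['Certificate Hash'])",
        "sslctlstorename=$CtlStoreName")
    if ($DryRun) { "netsh $($netshArgs -join ' ')"; continue }

    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $($b.Endpoint) (exit code $LASTEXITCODE)" }

    # Verify: re-read HTTP.sys and confirm the CTL store on this binding changed.
    $after = Get-HttpSysSslBinding | Where-Object { $_.Endpoint -eq $b.Endpoint }
    if ($after['Ctl Store Name'] -ne $CtlStoreName) {
        throw "Binding $($b.Endpoint) still reports Ctl Store Name = $($after['Ctl Store Name'])"
    }
    "Binding $($b.Endpoint) now uses CTL store $CtlStoreName"
}
```

Run it once with -DryRun to see the exact netsh command it would issue before changing the binding; the IIS Manager binding stays intact because the entry is updated rather than deleted and re-created.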