Certificate Trust List on IIS 8.5

Question

User-2090720020 posted

Can anyone provide a valid method for implementing a CTL on IIS 8.5 that doesn't require me to stand up a server that is EOL?

Scouring the interwebs keeps pointing me to posts that reference a tool from the Windows 2003 SDK that only runs on Windows 2003 or 2008 (nonR2).  There must be an updated method.

Thanks

Answer 1

User-1122936508 posted

https://technet.microsoft.com/en-us/library/dn786429.aspx

Windows Server 2012 R2 uses specific certificate stores to generate the list of trusted issuers. See the section "Management of trusted issuers for client authentication" for details

Answer 2

User690216013 posted

<deleted>

Answer 3

User-2090720020 posted

Thanks much Ken - reading that now!

Answer 4

User-2090720020 posted

So that section seems to detail the differences between the old versions of Windows and 2012 and up.  

I remain confused about how to implement.

The article says If there is a specific credential store configured for the site, it will be used as the source.

That's what I want (to setup a store per IIS site)

I'm assuming I have to run

netsh http add sslcert ipport=0.0.0.0:443 certhash=GUID hash value appid={GUID application identifier}  sslctlstorename=ClientAuthIssuer

 on my IIS server, as it says HTTP.sys is not configured by default to use the Client Authentication Issuers Store.  When I issue that command I get the helpful error 'The parameter is incorrect'.

(although I wonder if I am reading that too literally)

Any further insight is appreciated.

Answer 5

User-2090720020 posted

I've also used 

netsh http show sslcert

and replaced the 'values' for certhash and appid for the site in question.  I get the same error.  

Assuming that error did NOT happen (and that command configured that site for the per-site cert store - how do I view that store?  How do I add certs to it?

Thanks again
Blake

Answer 6

User-1122936508 posted

blake.duffey

Assuming that error did NOT happen (and that command configured that site for the per-site cert store - how do I view that store?  How do I add certs to it?

Start -> Run -. MMC.exe

Add/Remove Snapins

Add Certificates snapin

Choose Machine account

You will then see a set of stores that IIS has access to. You import certificates here as well.

I believe you can create new stores via this UI as well (haven't tested that though)

Answer 7

User-2090720020 posted

Thanks Ken - it didn't occur to me that Microsoft would use the standard certificate MMC for this...

:)

Launching the certificates snap-in on my IIS box I DO see 'Client Authentication Issuers' as a separate store.

(which I'll be trying shortly)

I don't see any way to create a site specific store (but I feel this is a significant step in the right direction)

:)

Thanks Ken

If you have any ideas regarding creating a site-specific store, please let me know

Blake

Answer 8

User-2090720020 posted

So I can certainly add certs to the Client Authentication Issuers store.  The problem now is, per https://technet.microsoft.com/en-au/library/dn786429.aspx

HTTP.sys, which implements the Windows HTTP-server stack, is not configured by default to use the Client Authentication Issuers store.

So I need to configure the site to use that store.  But using netsh http add sslcert only gives me 'the parameter is incorrect'.

Hostname:port : sXXXXXXXX.org:443
Certificate Hash : 2XXXXXXdcf16f3417000a523621087159683
Application ID : {4dc3e181-e14b-4a21-b022-59fc66XXXX}
Certificate Store Name : WebHosting
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled

PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621
087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
The parameter is incorrect.

Thanks again

Blake

Answer 9

User-1122936508 posted

Put appid= before certhash=

Also, I'm not sure that ipport= accepts a DNS name - you might need to use an IP Address:Port combination

Answer 10

User-2090720020 posted

I'll try that order

I've seen examples that use DNS name - but I'm open to trying that to  :)

EDIT:

Swapping the order of appid and certhash didn't help

Changing the value of ipport to 0.0.0.0:443 caused a different error

SSL Certificate add failed, Error: 1312
A specified logon session does not exist. It may already have been terminated.

Answer 11

User-1122936508 posted

Googling around, it seems the most common cause of that error is that the server authentication cert you are trying to bind to the IP address is not in the Personal Certificates store.

Answer 12

User-2090720020 posted

I've found similar.

I'm sort of (more) confused now.  All I really want to do is set the value sslctlstorename=ClientAuthIssuer for an existing site.

There is already a cert bound to this site.  (without a band cert, it doesn't even show up when I issue netsh http show sslcert).

Does it want me to assign the cert, issue netsh http show sslcert to get the hash, unbind it, and then re-assign it via netsh?  

(I've not really understood why I needed that at all)

Answer 13

User-2090720020 posted

I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in.  My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).

I'm going to come back and look at it again in a few days 

Thanks again

Answer 14

User-2090720020 posted

blake.duffey

PS C:\Users\blake> netsh http add sslcert ipport=sXXXXXXXXXXXXXXX:443 certhash=XXXXXXXXXXXXXXXXXf3417000a523621

087159683 appid={4dc3e181-e14b-4a21-b022-59fc66XXXXX} sslctlstorename=ClientAuthIssuer
The parameter is incorrect.

This error (parameter is incorrect) was caused by entering the command into Powershell - you have to put single quotes <'> around the curly braces around the appid value.  Grrrr

Answer 15

User-1292006634 posted

I was able to sort of make it work by doing as I suggested - removing the cert entirely via netsh http delete sslcert and then adding things back in.  My main issue is that the cert, while assigned, isn't visible via the GUI (which means someone is going to break it when the cert expires and they go to update it in a few months).

I'm going to come back and look at it again in a few days 

Thanks again

I know this is old, but I found how to do what you're talking about. Use netsh http update sslcert instead of "delete then create" like everyone seems to recommend on the 'Net (even the MS docs). You'll change the existing entry without messing up the IIS GUI.

E.g. To change an existing IIS Site to use the "Client Authentication Issuers" store instead of the "Trusted Root Certification Authorities" store for when accepting TLS Client-certificates...

1. Install your public cert into both the "Trusted Root Certification Authorities" and "Client Authentication Issuers" certificate stores for the Local Machine. (I think there's a Registry setting that makes it so you don't need to install it into the "Trusted Root..." store, but I haven't tried that.)
2. View what's presently setup in HTTP.sys to find the binding that goes with the IIS Site you want to change by using netsh http show sslcert 
3. Run this: netsh http update sslcert ipport={what's-listed-in-"IP:port"} appid={what's-listed-in-"Application ID"} certhash={what's-listed-in-"Certificate Hash"} sslctlstorename=ClientAuthIssuer
   1. E.g. (sort of): netsh http update sslcert ipport=0.0.0.0:443 appid={4dc3e181-e14b-4a21-b022-...} certhash=a95...c68 sslctlstorename=ClientAuthIssuer
   2. You can copy-paste the values from the "show sslcert" command, if you're running directly from a cmd prompt; you don't need to quote the values (even the formatted GUID).
4. You do not need to reboot the machine or restart IIS or restart the IIS Site to have the changes take effect.