IIS client certificate authentication issue: No client certificate CA names sent

  • Question

  • User-777637795 posted

    I am trying to get 2-way SSL working on a Windows server but still cannot provide the list of certificates that the client requires.

    Server: Windows Server 2008R2

    IIS: 7.5

    Client Certificate installed: Entrust Root, Entrust Intermediate and client public key

    Testing command: openssl s_client -connect veritydevservice.fmr.com:443

    Expected results:

    ...

    Acceptable client certificate CA names
    /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL CA

    ...

    Actual Results:

    ---
    No client certificate CA names sent
    ---

    I am not sure what went wrong and would appreciate your help very much.

    Aiming

    Friday, February 12, 2016 10:11 PM

All replies

  • User-1122936508 posted

    Client Certificate installed: Entrust Root, Entrust Intermediate and client public key

    This doesn't sound right. On the server, trusted Root CA certificates should be installed, not client authentication certificates. Is this what you meant?

    Also, have you set the SendTrustedIssuerList registry key to 1? If it is set to 0 or not present, IIS will not construct the trusted CA list to send to the client.

    Saturday, February 13, 2016 4:53 AM
  • User-777637795 posted

    Hi Ken,

    Thank you for your reply. Can you point me to a resource on how to set the SendTrustedIssuerList registry key to 1?

    Our server used one-way SSL authentication before and the client already installed the server certificate. We want to implement 2-way SSL authentication. The client sent me 3 certificates: b2b-test.eCompany.com.cer, Entrust Intermediate.cer and Entrust Root.cer for 2-way SSL authentication. I am not sure if I have to install all 3 certs or just the first one, b2b-test.eCompany.com.cer.

    Thanks,

    Aiming

    Tuesday, February 16, 2016 6:17 PM
  • User-1122936508 posted

    Thank you for your reply. Can you point me to a resource on how to set the SendTrustedIssuerList registry key to 1?

    https://technet.microsoft.com/en-us/library/dn786429.aspx

    The client sent me 3 certificates: b2b-test.eCompany.com.cer, Entrust Intermediate.cer and Entrust Root.cer for 2-way SSL authentication. I am not sure if I have to install all 3 certs or just the first one, b2b-test.eCompany.com.cer.

    What is the purpose of these certificates?

    The CA (certificate authority) certificates need to be imported on both client and server.

    The client authentication certificates need to be imported into the client.

    Wednesday, February 17, 2016 12:35 AM
  • User-2095852697 posted

    http://blogs.msdn.com/b/imayak/archive/2008/09/12/wcf-2-way-ssl-security-using-certificates.aspx

    Wednesday, February 17, 2016 4:46 AM
  • User-777637795 posted

    The service I want to implement 2-way SSL certificate authentication for is a WCF REST service with webHttpBinding. The post at http://www.codeproject.com/Articles/348595/Use-Mutual-SSL-Authentication-in-WCF lists the standard bindings that support transport-level security, and that list does not include webHttpBinding. Does this mean that 2-way SSL certificate authentication is not supported by a WCF REST service with webHttpBinding? If webHttpBinding supports 2-way SSL certificate authentication, can you provide a good resource on how to implement it on Windows 2008 R2 and IIS 7.5?

    • BasicHttpBinding
    • WSHttpBinding
    • WS2007HttpBinding
    • NetTcpBinding
    • NetNamedPipeBinding
    • NetMsmqBinding
    • NetPeerTcpBinding
    • MsmqIntegrationBinding

    Thanks,

    Aiming

    Tuesday, February 23, 2016 3:36 PM
  • User1278090636 posted

    Hi,

    You can learn how to implement 2-way SSL certificate authentication on Windows 2008 R2 via the following link.

    https://blogs.msdn.microsoft.com/imayak/2008/09/12/wcf-2-way-ssl-security-using-certificates/

    Best Regards,

    Jean

    Thursday, March 3, 2016 8:09 AM
  • User-777637795 posted

    I followed https://technet.microsoft.com/en-us/library/dn786429.aspx to check the SendTrustedIssuerList registry key. I used
    CertUtil -getreg SendTrustedIssuerList but got the following error message. Any idea what went wrong? My server is Windows Server 2008 R2.

    C:\Users\sa520181.DMN1>CertUtil -getreg SendTrustedIssuerList
    CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)
    CertUtil: The system cannot find the file specified.

    Thanks,

    Aiming

    Thursday, March 24, 2016 2:46 PM
  • User-1122936508 posted

    Can you please clarify which certificates you installed where, as asked before?

    CertUtil -getreg SendTrustedIssuerList but got the following error message. Any idea what went wrong? My server is Windows Server 2008 R2.

    C:\Users\sa520181.DMN1>CertUtil -getreg SendTrustedIssuerList
    CertUtil: -getreg command FAILED: 0x80070002 (WIN32: 2)

    That doesn't appear to be valid certutil.exe syntax. It didn't work on my server either.

    https://technet.microsoft.com/library/cc732443.aspx#BKMK_getreg for reference

    Saturday, March 26, 2016 7:47 AM
  • User-777637795 posted

    Let me clarify which certificates I installed and where they were installed.

    Server certificates: 2 certificates, one added to Trusted Root Certification Authorities and one added to Personal under Certificates (Local Computer).

    Client certificates: received 3. One added to Trusted Root, one to Intermediate and one to Personal under Certificates (Local Computer).

    I was able to use CertUtil to get the MY and CA certificates. But I am not sure how to get the SendTrustedIssuerList value and set the SendTrustedIssuerList registry value to 1. The reference does not provide examples on this. I would appreciate it if someone could provide working examples.

    Thanks,

    Aiming

    Tuesday, March 29, 2016 3:27 AM
  • User-1122936508 posted

    aimingxu

    Server certificates: 2 certificates, one added to Trusted Root Certification Authorities and one added to Personal under Certificates (Local Computer).

    Client certificates: received 3. One added to Trusted Root, one to Intermediate and one to Personal under Certificates (Local Computer).

    This doesn't seem to be right. If the CA that issued the client cert had an intermediate CA, then you'd need to add the intermediate CA certificate on both the server and client for the trust chain to be the same on both computers.

    Or was the server certificate issued by one CA, and the client authentication certificate issued by a different CA? If so, how do you know the server trusts the same CA as the client?

    Please clarify in more detail what the certs actually were.

    For setting that registry key, see the steps here: https://support.microsoft.com/en-us/kb/2464556 except you need to set the value to 1, not to 0.

    Tuesday, March 29, 2016 5:49 AM
  • User-777637795 posted

    Yes, the server certificate was issued by one CA, and the client authentication certificate was issued by a different CA, which is Entrust.net Certification Authority (2048). There is no intermediate server CA certificate. Thanks.

    Tuesday, March 29, 2016 12:42 PM
  • User-1122936508 posted

    aimingxu

    Yes, the server certificate was issued by one CA, and the client authentication certificate was issued by a different CA, which is Entrust.net Certification Authority (2048).

    For SSL/TLS to work, the cert needs to be issued by a CA trusted by both parties.

    Did you also import the entrust.net CA & intermediate certs into the server? If the server doesn't trust entrust.net, then it will not send that to the client as an accepted CA, nor will it accept a client auth certificate issued by that CA.

    Thursday, March 31, 2016 1:33 AM
  • User-777637795 posted

    Yes, I imported the entrust.net CA & intermediate certs into the server. But when I ran the command openssl s_client -connect veritydevservice.fmr.com:443, I still got: No client certificate CA names sent.

    Thursday, March 31, 2016 3:03 AM
  • User-1122936508 posted

    aimingxu

    Yes, I imported the entrust.net CA & intermediate certs into the server

    Thanks for confirming - it wasn't mentioned before.

    And you have set the registry key on the server and restarted http.sys?

    Thursday, March 31, 2016 4:30 AM
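    The server-side checklist the replies above add up to (CA chain in the machine stores, SendTrustedIssuerList set to 1, http.sys restarted), written out as a PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes it runs elevated on the IIS server and that the issuer you expect to see in the "Acceptable client certificate CA names" list matches the constructed pattern '*Entrust*'.

```powershell
# Added example: check the CA stores, read and set SendTrustedIssuerList,
# then restart http.sys so SCHANNEL picks up the new value.
# Assumptions: elevated session on the IIS server; $IssuerPattern is a
# constructed filter for the client CA the server should advertise.
param([string]$IssuerPattern = '*Entrust*')

# Registry path from the KB cited in the thread (KB 2464556)
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. The issuer list is built from the machine's trusted CA stores:
#    root CA in LocalMachine\Root, intermediate CA in LocalMachine\CA.
$root  = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $IssuerPattern })
$inter = @(Get-ChildItem Cert:\LocalMachine\CA   | Where-Object { $_.Subject -like $IssuerPattern })
if ($root.Count  -eq 0) { Write-Warning "No root CA matching $IssuerPattern in LocalMachine\Root" }
if ($inter.Count -eq 0) { Write-Warning "No intermediate CA matching $IssuerPattern in LocalMachine\CA" }
$root + $inter | Format-Table Subject, NotAfter, Thumbprint -AutoSize

# 2. Read the current value. A missing value is reported as '<not set>';
#    the thread treats "not present" the same as 0 (no list sent).
$current = (Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList `
            -ErrorAction SilentlyContinue).SendTrustedIssuerList
"SendTrustedIssuerList currently: $(if ($null -eq $current) { '<not set>' } else { $current })"

# 3. Create or overwrite the DWORD with 1 (the KB shows the same steps with
#    0, which turns the list off; 1 turns it on, as Ken points out).
New-ItemProperty -Path $schannel -Name SendTrustedIssuerList `
                 -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Restart the HTTP service (stops IIS with it) and bring W3SVC back up.
net stop http /y
net start w3svc
```

    After the restart, re-run the openssl s_client check from the original post; the expected "Acceptable client certificate CA names" block should now list the Entrust issuer.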
  • User-777637795 posted

    How to set the registry key for SendTrustedIssuerList is still not clear to me after reading https://technet.microsoft.com/library/cc732443.aspx#BKMK_setreg. Here is my command and result.

    C:\Windows\system32>CertUtil -setreg SendTrustedIssuerList 1

    CertUtil: -setreg command FAILED: 0x80070002 (WIN32: 2)

    CertUtil: The system cannot find the file specified.

    I would appreciate help on this!

    Aiming

    Thursday, March 31, 2016 12:56 PM
  • User-1122936508 posted

    How to set the registry key for SendTrustedIssuerList is still not clear to me

    Please see my post from Tue, Mar 29 2016 03:49 PM

    Thursday, March 31, 2016 11:45 PM
  • User-777637795 posted

    Hi Ken,

    I cannot locate your post from Tue, Mar 29 2016 03:49 PM. Can you post the link to the post?

    Thanks,

    Aiming

    Friday, April 1, 2016 2:12 AM
  • User-1122936508 posted

    I cannot locate your post from Tue, Mar 29 2016 03:49 PM. Can you post the link to the post?

    Srsly? Here: http://forums.iis.net/post/2117636.aspx

    Friday, April 1, 2016 8:21 AM
  • User-777637795 posted

    Thanks. I think that timestamp is converted to the local time. The same post shows the timestamp 03-29-2016 05:49 AM|Ken Schaefer for me.

    Friday, April 1, 2016 1:09 PM
  • User-777637795 posted

    Hi Ken,

    I followed https://support.microsoft.com/en-us/kb/2464556 to add SendTrustedIssuerList under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL and set the value to 1. But I still got: No client certificate CA names sent when I try openssl s_client -connect veritydevservice.fmr.com:443.

    I found a Protocols folder under SCHANNEL. There are 2 subfolders, SSL 2.0 and SSL 3.0, under the Protocols folder. In each SSL folder there are 1 Client and 1 Server folder. In both Server folders, Enabled is set to 0. Not sure if it has anything to do with: No client certificate CA names sent.

    Thanks,

    Aiming

    Friday, April 1, 2016 8:44 PM
  • User-777637795 posted

    As I mentioned before, I got: No client certificate CA names sent when I try openssl s_client -connect veritydevservice.fmr.com:443

    I just found out that if I try openssl s_client -connect veritydevservice.fmr.com:443 -prexit

    and then try GET /, I did get a list of Acceptable client certificate CA names.

    Does this indicate that my configuration is set up correctly for 2-way SSL, but some restriction in Windows Server and IIS prevents me from getting the client certificate CA names from openssl s_client -connect veritydevservice.fmr.com:443 directly?

    Thanks,

    Aiming

    Thursday, April 7, 2016 5:47 PM
  • User-2090720020 posted

    I, too, receive 'No client certificate CA names sent', but I also get it after trying a GET.

    I feel like I have made the appropriate registry change (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList) but I'm still seeing this behavior. I was hoping to use the cert list as a troubleshooting tool.

    Any thoughts?

    Is this a change in IIS 8.5?  (sending the entire list was the default)

    Friday, April 8, 2016 11:36 PM