Wednesday, March 26, 2014

Cert-ifiably IISane

Time for an annual web site certificate renewal. No problem, we've done this dozens of times before. Only one small difference this year - it's on IIS7 on a Windows Server 2008 machine instead of IIS6 on Windows Server 2003. That shouldn't matter, right?

Sadly, yes, it does.

I opened the IIS manager, navigated to the root node for the machine and selected "Server Certificates." There, I right-clicked and selected "Renew..." No special options to choose from so how complicated could it be? Well, it turns out that there is a difference. When I opened the request file it was quite a bit larger than I was used to seeing. Not being able to read hex I decided that was probably just due to it being a 64-bit machine instead of our previous 32-bit OSes. I uploaded the request, logged on to the certificate authority, and approved my own request. That's just how we roll around here.

Then, back on the server, I downloaded the new certificate and completed the request. I selected the new certificate for our web application's HTTPS binding and immediately started getting some interesting event log messages:

Log Name:      System
Source:        Schannel
Date:          3/25/2014 2:03:14 PM
Event ID:      36874
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [elided]
Description:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

And:

Log Name:      System
Source:        Schannel
Date:          3/25/2014 2:03:14 PM
Event ID:      36888
Task Category: None
Level:         Error
Keywords:      
User:          SYSTEM
Computer:      [elided]
Description:
The following fatal alert was generated: 40. The internal error state is 1205.

Whoa, what's going on? I just renewed the certificate as is, with no options and no way to change anything, and it modified what the certificate can do? Wonderful. After just a bit of searching I found Robert Lucero's post on Certificate Renewals in IIS 7. Basically, don't renew your certificates through IIS. Either create entirely new requests or use the certificates MMC snap-in.

The only difference we could find when inspecting the certificates was that the new one was only 1024 bits compared to the 2048 we'd had previously. There must have been some other flag under the covers we couldn't see that limited its permitted usage.

Your mileage may vary - test out the process on a different system before you jump in with both feet. At least it was easy to fix.
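A pre-flight check of the kind the last paragraph recommends, added here as an example and not part of the original post: PowerShell that inspects the certificates in the machine store for the symptoms described above (a key shorter than 2048 bits, no private key, key-usage restrictions that rule out server authentication) and lists any recent Schannel 36874/36888 events. The subject name is a placeholder, and the LocalMachine\My store path and the 24-hour window are assumptions.

```powershell
# Added example, not the original post's code. Checks the certificates in the machine
# store for the symptoms described in the post and lists recent Schannel errors.
# Assumes PowerShell 2.0+ run as an administrator on the IIS host.
param(
    [string]$SubjectFilter = 'CN=www.example.invalid',   # placeholder: your site's CN
    [int]$MinKeyBits = 2048,
    [int]$LookbackHours = 24
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-TlsServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [int]$MinBits)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key associated with the certificate' }
    $bits = $Cert.PublicKey.Key.KeySize
    if ($bits -lt $MinBits) { $problems += "key is only $bits bits (expected at least $MinBits)" }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $hasServerAuth = $ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }
            if (-not $hasServerAuth) { $problems += 'EKU does not include Server Authentication' }
        }
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
            if (-not ($ext.KeyUsages -band $needed)) {
                $problems += 'KeyUsage lacks KeyEncipherment (needed for RSA key-exchange cipher suites)'
            }
        }
    }
    return $problems
}

# Wrap in @() so a single string or $null still behaves as an array in PowerShell 2.0
$certs = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$SubjectFilter*" })
if ($certs.Count -eq 0) { Write-Warning "No certificate matching '$SubjectFilter' in LocalMachine\My" }
foreach ($cert in $certs) {
    Write-Host ("{0}  thumbprint={1}  expires={2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    $problems = @(Test-TlsServerCertificate -Cert $cert -MinBits $MinKeyBits)
    if ($problems.Count -eq 0) { Write-Host '  OK' } else { $problems | ForEach-Object { Write-Host "  PROBLEM: $_" } }
}

# 36874 = no cipher suite in common with the client, 36888 = fatal alert generated
$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36888; StartTime = (Get-Date).AddHours(-$LookbackHours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)   # throws on zero matches otherwise
if ($events.Count -gt 0) {
    Write-Host ("{0} Schannel error(s) in the last {1}h; most recent:" -f $events.Count, $LookbackHours)
    $events | Select-Object -First 5 | ForEach-Object { Write-Host ("  {0}  id={1}  {2}" -f $_.TimeCreated, $_.Id, $_.Message) }
} else { Write-Host "No Schannel 36874/36888 events in the last ${LookbackHours}h" }
```

Run it once before the renewal and once after binding the new certificate; a PROBLEM line on the new certificate, or a burst of 36874/36888 events after the binding change, is the cue to roll back to the old certificate and reissue from a fresh request or the MMC snap-in instead.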
