Forum Discussion

ariefd
Copper Contributor
Sep 19, 2020

How to Issue TLS 1.2 Certificate in Win Server 2019 Certificate Authority

Hi All,


I need to use my local Windows Server 2019 Certificate Authority to issue a cert for a webserver. However, for all sites with this cert (the one that has been issued from my CA), Chrome will not load the page. The error message in Chrome and MS Edge Enterprise is: ERR_CONNECTION_CLOSED. IE with TLS 1.0 enabled can load the site without any issues. If I disable TLS 1.0, I get the error: "Can't connect securely to this page". Based on this, I knew that my certs have been issued under TLS 1.0.


I have enabled TLS 1.2 in my Windows Server 2019 via the Registry Key (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2). The server has also been restarted to apply this change. I tried to re-issue another certificate since the restart, hoping the newly issued certificate will support TLS 1.2. Unfortunately, I'm still in the same situation.


What am I missing here? I have Googled around, and it seems that I don't need to re-issue CA after enabling the TLS 1.2. If someone can point me into the right direction, that would be great. Thanks all.



Cheers,


Ariefd
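An added example, not part of this thread: a read-only PowerShell check of the Schannel protocol registry keys the post refers to, followed by a TLS 1.2 handshake test against the web server. The TLS version is negotiated by Schannel on the client and server, not recorded in the certificate, so what decides whether a TLS 1.2 connection succeeds is the `Enabled` and `DisabledByDefault` values under `Protocols\TLS 1.2\Server` (and `\Client`), not which certificate the CA issued. The hostname `webserver.example.local` is a placeholder; the validation callback in the handshake test only returns `$true` so that the negotiated protocol is visible when the issuing CA is not trusted by the machine running the test.

```powershell
# Added example (not from the thread). Reads the Schannel protocol keys and
# reports their effective state; it changes nothing on the server.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string[]]$Protocols = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path $SchannelProtocols "$proto\$side"
            $enabled = $null; $disabledByDefault = $null
            if (Test-Path $path) {
                $item = Get-ItemProperty -Path $path
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
                # Enabled = 0 wins over everything else; DisabledByDefault = 1 means the
                # protocol is only used when an application asks for it explicitly.
                $state = if ($enabled -eq 0) { 'Disabled' }
                         elseif ($disabledByDefault -eq 1) { 'Disabled by default' }
                         else { 'Enabled' }
            } else {
                $state = 'Not configured (OS default applies)'
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Attempts a TLS 1.2-only handshake and reports what the server negotiated.
function Test-Tls12Handshake {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate here so a private-CA cert does not mask the protocol
        # result; this is a diagnostic only, never a setting for production clients.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [pscustomobject]@{
            Host       = $ComputerName
            Port       = $Port
            Negotiated = $ssl.SslProtocol
            Cipher     = $ssl.CipherAlgorithm
            Subject    = $ssl.RemoteCertificate.Subject
        }
    } catch {
        # ERR_CONNECTION_CLOSED in the browser typically shows up here as the
        # server closing the socket or an authentication failure.
        [pscustomobject]@{
            Host       = $ComputerName
            Port       = $Port
            Negotiated = 'FAILED'
            Error      = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-Tls12Handshake -ComputerName 'webserver.example.local'   # placeholder host name
```

Run the first function on the CA/web server and the second from a client machine. A `TLS 1.2\Server` row showing `Disabled`, or a `FAILED` handshake while the browser reports ERR_CONNECTION_CLOSED, points at the server's protocol or cipher configuration rather than at the certificate; re-issuing the certificate will not change either result.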

  • farismalaeb
    Steel Contributor

    ariefd 

    Hi,

    Did you try IISCrypto? It will help you in setting up the protocol settings:

    https://www.nartac.com/Products/IISCrypto/Download,

    and as it seems the client is unable to communicate using TLS 1.2, maybe the configuration is not properly made or there is a missing key.

    Try using IISCrypto and check the required protocol; you can easily click on Best Practice and it will fix it for you.


    • ariefd
      Copper Contributor

      Hi farismalaeb,


      No, I have never used IIS Crypto before, which made me hesitant to use it. I don't know exactly what changes IIS Crypto will make on my server that hosts my CA. So I used the backup function and could see it backed up my current registry key.

      It seems safe to use IIS Crypto, so I ran the best practice, and I can see that my server was missing a lot of settings. I rebooted the server and re-issued another cert. However, I still ran into the same issue where Chrome won't load the page. The error message in Chrome said "The connection to this page is not secure". I don't know what is missing here, or how specifically to issue a cert with TLS 1.2.

