ariefd
Sep 19, 2020, Copper Contributor
How to Issue TLS 1.2 Certificate in Win Server 2019 Certificate Authority
Hi All,
I need to use my local Windows Server 2019 Certificate Authority to issue a cert for a web server. However, for all sites using this cert (the one issued from my CA), Chrome will not load the page. The error message in Chrome and MS Edge Enterprise is: ERR_CONNECTION_CLOSED. IE with TLS 1.0 enabled can load the site without any issues. If I disable TLS 1.0, I get the error: "Can't connect securely to this page". Based on this, I knew that my certs have been issued under TLS 1.0.
I have enabled TLS 1.2 in my Windows Server 2019 via the registry key (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2). The server has also been restarted to apply this change. I tried to re-issue another certificate since the restart, hoping the newly issued certificate would support TLS 1.2. Unfortunately, I am still in the same situation.
What am I missing here? I have Googled around, and it seems that I don't need to re-issue the CA after enabling TLS 1.2. If someone can point me in the right direction, that would be great. Thanks all.
Cheers,
Ariefd
- farismalaeb, Steel Contributor
Hi, do you have any update?
- farismalaeb, Steel Contributor
Hi,
Did you try to use IIS Crypto? It will help you in setting up the protocol settings:
https://www.nartac.com/Products/IISCrypto/Download
As it seems the client is unable to communicate using TLS 1.2, maybe the configuration is not properly made or there is a missing key.
Try to use IIS Crypto and check the required protocol; you can easily click on Best Practice and it will fix it for you.
- ariefd, Copper Contributor
Hi farismalaeb,
No, I have never used IIS Crypto before, which made me hesitant to use this. I don't know exactly what changes IIS Crypto will make on my server that hosts my CA. So I used the backup function and could see it backed up my current registry keys.
It seems safe to use IIS Crypto, so I ran the best practice, and I can see that my server missed a lot of settings. I rebooted the server and re-issued another cert. However, I still ran into the same issue where Chrome won't load the page. The error message in Chrome said "The connection to this page is not secure". I don't know what is missing here, or how specifically to issue a cert with TLS 1.2.
- farismalaeb, Steel Contributor
You need to run this tool on the server hosting your web server (the server with the sites that are not working), not the CA, or at least start it there and make sure that the protocols such as TLS 1.1/TLS 1.2 are checked; if not checked, then you need to enable them.
Make sure that the generated certificate has a SAN (Subject Alternative Name), as Chrome requires this. CN is not enough, and Chrome will "display a warning", but as far as I know it won't break the connection.
One more thing to note: Chrome will mark any certificate generated without a SAN as insecure too.
Run the IIS Crypto tool also on the client and check: are TLS 1.1/1.2 versions enabled on the client system? Maybe the client doesn't have TLS 1.2 enabled by default.
Last thing, please share a screenshot of the Chrome error you are getting.
Thanks
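The two checks suggested in this thread, the SCHANNEL protocol keys on the web server and the SAN on the issued certificate, as an added read-only PowerShell audit script (not from the thread or from IIS Crypto). It assumes the certificate is in the LocalMachine\My store and that `<thumbprint>` is replaced with the real thumbprint; it changes nothing, it only reports.

```powershell
# Added example: audit the SCHANNEL TLS 1.2 registry keys and a certificate's SAN.
# Read-only: reports missing keys or values instead of changing them.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Test-SchannelProtocol {
    param([string]$Protocol = 'TLS 1.2')
    $results = @()
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Protocol\$side"
        if (-not (Test-Path $key)) {
            # No key at all means the OS default applies; an explicit enable needs both values below.
            $results += [pscustomobject]@{ Side = $side; Enabled = $null; DisabledByDefault = $null; State = 'key missing' }
            continue
        }
        $props    = Get-ItemProperty -Path $key
        $enabled  = $props.Enabled            # non-zero = enabled
        $disabled = $props.DisabledByDefault  # must be 0 for the protocol to be offered
        $ok = ($null -ne $enabled) -and ($enabled -ne 0) -and ($disabled -eq 0)
        $state = if ($ok) { 'enabled' } else { 'check values (need Enabled<>0, DisabledByDefault=0)' }
        $results += [pscustomobject]@{
            Side = $side; Enabled = $enabled; DisabledByDefault = $disabled; State = $state
        }
    }
    return $results
}

function Test-CertificateSan {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    # 2.5.29.17 is the Subject Alternative Name extension OID.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($true) renders the extension as readable text, e.g. "DNS Name=www.example.test".
        return $san.Format($true)
    }
    return "NO SAN: certificate only carries a subject ($($cert.Subject)); Chrome treats this as insecure"
}

Test-SchannelProtocol -Protocol 'TLS 1.2' | Format-Table -AutoSize
# Placeholder thumbprint: replace before running the SAN check.
# Test-CertificateSan -Thumbprint '<thumbprint>'
```

Run it on the web server (not the CA) and on the client, since both sides must offer TLS 1.2 for the handshake to succeed.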