Forum Discussion
How to Issue TLS 1.2 Certificate in Win Server 2019 Certificate Authority
Hi farismalaeb,
Sorry for the delay in responding back to you. The webserver is embedded and running on a special thermal printer. I won't be able to test access to the page from the webserver. I couldn't run IIS Crypto either. That was the reason I tested by using the wildcard cert issued by RapidSSL.
https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx
This will test the TLS version support on your web server. You can run this from your machine and set the target to be the webserver (the embedded web server).
If possible,
Open Wireshark, and add the filter ip.addr == <YOUR SERVER IP>
Click start
From your machine, request the website and wait until it fails, stop the Wireshark capture, then check the connection details and see where it's failing.
If possible, just show me the connection status. I guess you will find something like [RST] from the server due to an unsupported TLS version; it's possible that the web server only supports TLS 1.0 and nothing higher.
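A PowerShell probe in the same spirit as the linked Test-ServerSSLSupport script, added here as an example (it is not the script from the link or any code posted in the thread): it attempts one handshake per protocol version and reports which ones the server completes, plus the served certificate's key size. The host name 'printer.example.internal' is a placeholder for the embedded web server.

```powershell
# Added example, not the sysadmins.lv script from the thread: one TLS handshake per
# protocol version against a target host, reporting which versions complete.
# 'printer.example.internal' is a placeholder for the embedded web server's name or IP.
function Test-TlsVersionSupport {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    # Names of System.Security.Authentication.SslProtocols members to try, oldest first.
    foreach ($proto in 'Ssl3', 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient
        $result = [ordered]@{ Host = $HostName; Port = $Port; Protocol = $proto }
        try {
            $client.Connect($HostName, $Port)
            # Accept any certificate: this probe tests protocol support, not trust.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols] $proto, $false)
            $result.Supported   = $true
            $result.Cipher      = "$($ssl.CipherAlgorithm) ($($ssl.CipherStrength) bits)"
            # KeyExchangeAlgorithm may print as a bare number (44550 is the ECDHE value the
            # ExchangeAlgorithmType enum has no name for), as in the output posted in the thread.
            $result.KeyExchange = "$($ssl.KeyExchangeAlgorithm) ($($ssl.KeyExchangeStrength) bits)"
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
            # Public key size of the served certificate (the 2048/4096 question in the thread).
            $result.CertKeyBits = $(try { $cert.PublicKey.Key.KeySize } catch { 'n/a' })
            $ssl.Dispose()
        } catch {
            # AuthenticationException, IOException or a TCP reset: the server refused this version.
            $result.Supported = $false
            $result.Error     = $_.Exception.GetBaseException().Message
        } finally {
            $client.Dispose()
        }
        [pscustomobject] $result
    }
}

# Run from the client machine against the embedded web server; if a version shows
# Supported = False, a Wireshark capture with ip.addr == <server ip> shows where it stops.
Test-TlsVersionSupport -HostName 'printer.example.internal' | Format-Table -AutoSize
```

A version that reports Supported = False with an error about a forcibly closed connection matches the [RST] behaviour described above, while an authentication error means the handshake started but the server rejected that protocol.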
- farismalaeb, Sep 24, 2020, Iron Contributor
I assume that the key length created from your Win2019 SRV is similar to the key length created using the RapidSSL.
I would advise you to use Wireshark to see the steps before the TLS negotiation.
That will reveal a lot.
and yes, I live in UAE, Abu Dhabi 🙂
- ariefd, Sep 24, 2020, Copper Contributor
Hi farismalaeb,
Something has come up urgently at work today. About the key length, I created it with 4096 length. That is why I don't understand.
FYI, I am based in Sydney, Australia. I reckon you are based somewhere in the US, with maybe a 12 hour difference.
- farismalaeb, Sep 22, 2020, Iron Contributor
Hi,
OK. One of the things which might cause an issue is the private key length, which is an important factor in the certificate. What is the key length for the certificate? If fewer than 1024, would you please generate another certificate with a longer key.
“A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.”
TLS is a protocol that uses the certificate and its content to establish a secure connection, and what I see here is not a certificate issue, it's a protocol issue.
Please regenerate the certificate with a longer key 2048 at least and let me know the update.
Thanks
- ariefd, Sep 22, 2020, Copper Contributor
Hi farismalaeb,
I think we have been sidetracked from the original query, as right now we are focusing on the webserver instead of the Windows Server 2019 Certificate Authority. I strongly believe that the webserver is working and supports TLS 1.2. Please refer to the test that I have done by installing the wildcard certificate issued by RapidSSL. For the test, I have created a temp DNS entry in my hosts file to point to the internal IP address of the printer. Here is the outcome of the script you suggested in the previous response:
PS C:\WINDOWS\system32> "URL Address" | Test-ServerSSLSupport
HashAlgorithm : Sha384
KeyExhange : 44550
TLSv1_1 : False
SSLv3 : False
Host : URL Address
SSLv2 : False
Port : 443
TLSv1_0 : False
TLSv1_2 : True
I believe that Win Server 2019 Certificate Services has the ability to issue a certificate in TLS 1.2. I just don't know how to do this. Are there any specific configs within the Certificate Services to do this, or enforce it?
Thank you.