How to Issue TLS 1.2 Certificate in Win Server 2019 Certificate Authority

Hi All,

I need to use my local Windows Server 2019 Certificate Authority to issue a cert for a web server. However, for all sites using this cert (the one that has been issued from my CA), Chrome will not load the page. The error message in Chrome and MS Edge Enterprise is: ERR_CONNECTION_CLOSED. IE with TLS 1.0 enabled can load the site without any issues. If I disable TLS 1.0, I get the error: "Can't connect securely to this page". Based on this, I knew that my certs had been issued under TLS 1.0.

I have enabled TLS 1.2 in my Windows Server 2019 via the registry key (Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2). The server has also been restarted to apply this change. I tried to re-issue another certificate after the restart, hoping the newly issued certificate would support TLS 1.2. Unfortunately, I am still in the same situation.

What am I missing here? I have Googled around, and it seems that I don't need to re-issue the CA after enabling TLS 1.2. If someone can point me in the right direction, that would be great. Thanks all.

Cheers,


Ariefd
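An added example, not part of the original post or any reply: an X.509 certificate carries no TLS version, so the protocol a site ends up speaking is decided by the SCHANNEL configuration of the machine serving it, not by the CA that signed the certificate. The script below reports how each protocol is configured under the SCHANNEL\Protocols key the post mentions, for both the Client and Server roles, and includes a function that sets TLS 1.2 explicitly. The key layout (Protocols\<name>\Client|Server with Enabled and DisabledByDefault DWORD values) is the standard one, but whether a missing value means "enabled" depends on the OS version, so the report shows missing values as $null rather than guessing.

```powershell
# Added example, not from the thread. Reports how each SCHANNEL protocol is
# configured on this machine and, optionally, enables TLS 1.2 explicitly.
# Assumption: the usual key layout Protocols\<name>\Client|Server with
# Enabled and DisabledByDefault DWORD values. A missing key or value means
# "operating-system default" for that protocol, which is not the same as
# "disabled"; the report leaves such values as $null.

$SchannelBase  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolNames = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol/role pair; $null means the value is not set.
    foreach ($proto in $ProtocolNames) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path -Path (Join-Path -Path $SchannelBase -ChildPath $proto) -ChildPath $role
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path -Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                KeyExists         = (Test-Path -Path $key)
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
            }
        }
    }
}

function Enable-SchannelTls12 {
    # Sets Enabled=1 and DisabledByDefault=0 for TLS 1.2 in BOTH roles.
    # The Server subkey is the one that matters for a site hosted on this
    # machine; the Client subkey matters for outbound connections (for
    # example, the CA talking to other servers). SCHANNEL reads these
    # values at boot, so a reboot is still required after the change.
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path -Path (Join-Path -Path $SchannelBase -ChildPath 'TLS 1.2') -ChildPath $role
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

# Usage (elevated PowerShell on the machine whose configuration you want to see):
Get-SchannelProtocolState | Format-Table -AutoSize
# Enable-SchannelTls12    # uncomment to apply, then reboot
```

Run the report on the machine that actually terminates the TLS connection for the site. If that is not the CA (for example, an appliance or an embedded web server), the CA's SCHANNEL settings have no effect on the site at all, and only the certificate contents (subject, SAN, key size, signature algorithm, chain) are the CA's contribution.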

14 Replies

@ariefd 

Hi,

Did you try IISCrypto? It will help you set up the protocol settings:

https://www.nartac.com/Products/IISCrypto/Download

As it seems the client is unable to communicate using TLS 1.2, maybe the configuration is not properly made or there is a missing key.

Try IISCrypto and check the required protocols; you can easily click on Best Practice and it will fix it for you.

Hi @farismalaeb,

No, I had never used IIS Crypto before, which made me hesitant to use it. I didn't know exactly what changes IIS Crypto would make on the server that hosts my CA, so I used the backup function and could see that it backed up my current registry keys.

It seems safe to use IIS Crypto, so I ran Best Practice, and I can see that my server was missing a lot of settings. I rebooted the server and re-issued another cert. However, I still ran into the same issue where Chrome won't load the page. The error message in Chrome said "The connection to this page is not secure". I don't know what is missing here, or how specifically to issue a cert with TLS 1.2.

@ariefd 

You need to run this tool on the server hosting your web server (the server with the sites that are not working), not the CA, or at least start there and make sure that protocols such as TLS 1.1/TLS 1.2 are checked; if they are not checked, you need to enable them.

Make sure that the generated certificate has a SAN (Subject Alternative Name), as Chrome requires this. A CN alone is not enough; Chrome will display a warning, but as far as I know it won't break the connection.

One more thing to note: Chrome will mark any certificate generated without a SAN as insecure too.

https://security.stackexchange.com/questions/172626/chrome-requires-san-names-in-certificate-when-wi....

Run the IISCrypto tool also on the client and check whether TLS 1.1/1.2 are enabled on the client system; maybe the client doesn't have TLS 1.2 enabled by default.

Last thing, please share a screenshot of the Chrome error you are getting.

Thanks

Hi @farismalaeb,

I have attached the error in Chrome.

The web server is actually part of the application and is working OK as far as TLS 1.2 is concerned. I can say this because I have done a test. I have a wildcard cert issued by RapidSSL. I tested by installing this cert on the web server. I tricked it by creating a new zone in the internal DNS server to use our public domain name. The web server accepted the cert, and Chrome can load the page OK.

@ariefd 

Mmm, it seems that your browser did not reach the certificate exchange, as in the chrome_Error_2 you posted I don't see the certificate menu.

1- Would you please share the IISCrypto screenshots after running it on both the server and the client?

2- Are you able to browse the site from inside the server?

Hi @farismalaeb,

I have attached the screenshot from IIS Crypto on the server. Sorry, I need to make it clear that the web server is part of a special printer that we use for operations. But I did test from different computers, and all behave the same: Chrome won't load the page.

Hi,
As I requested earlier, please also provide me with the screenshot of IISCrypto on a client machine.
And one more thing: if you try to open the website from the server itself, will it load or not?

Hi @farismalaeb,

Sorry for the delay in responding to you. The web server is embedded and running on a special thermal printer. I won't be able to test accessing the page from the web server. I couldn't run IIS Crypto on it either. That was the reason I tested using the wildcard cert issued by RapidSSL.

Please run the script on this page.
https://www.sysadmins.lv/blog-en/test-web-server-ssltls-protocol-support-with-powershell.aspx
This will test the TLS version support on your web server; you can run this from your machine and set the target to be the web server (the embedded web server).
If possible:
Open Wireshark, and add a filter ip.addr == <YOUR SERVER IP>
Click start
From your machine, request the website and wait till it fails, stop the Wireshark capture, then check the connection details and see where it's failing.
If possible, just show me the connection status. I guess you will find something like [RST] from the server, due to an unsupported TLS version; it's possible that the web server only supports TLS 1.0 and nothing higher.

Hi @farismalaeb,

I think we have been sidetracked from the original query, as right now we are focusing on the web server instead of the Windows Server 2019 Certificate Authority. I strongly believe that the web server is working and supports TLS 1.2. Please refer to the test that I did by installing the wildcard certificate issued by RapidSSL. For the test, I created a temporary DNS entry in my hosts file to point to the internal IP address of the printer. Here is the outcome of the script you suggested in the previous response:

PS C:\WINDOWS\system32> "URL Address" | Test-ServerSSLSupport

HashAlgorithm : Sha384
KeyExhange : 44550
TLSv1_1 : False
SSLv3 : False
Host : URL Address
SSLv2 : False
Port : 443
TLSv1_0 : False
TLSv1_2 : True

I believe that Windows Server 2019 Certificate Services has the ability to issue certificates in TLS 1.2. I just don't know how to do this. Is there any specific config within Certificate Services to do this, or to enforce it?

Thank you.
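An added example, not part of the thread and not the sysadmins.lv script linked above: the PowerShell below does what the two earlier suggestions aim at. It probes the web server one TLS version at a time (so a failure is attributable to that version), then completes a normal handshake and reads back the certificate the server presents, reporting whether it has a Subject Alternative Name extension, its key size and signature algorithm, and which protocol was actually negotiated. The host name 'printer.corp.example' is a constructed placeholder; the certificate-validation callback that accepts everything exists only so that a diagnostic probe can reach the handshake even when the chain is not trusted, and must not be copied into real client code.

```powershell
# Added example, not the sysadmins.lv script and not part of the thread.
# Probes a server one TLS version at a time, then inspects the certificate it
# presents for a SAN extension, key size and signature algorithm.
# Assumptions: 'printer.corp.example' is a constructed placeholder host name;
# chain validation is bypassed on purpose because this is a diagnostic probe,
# not a client anyone would browse with.

function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 443
    )
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $result = [ordered]@{ Host = $TargetHost; Port = $Port }
    foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($TargetHost, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
            # Offer exactly one protocol version, so a failure here means the
            # server (or a device in between) refused that version.
            $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]$proto, $false)
            $result[$proto] = $true
            $ssl.Dispose()
        } catch {
            # A reset or closed socket before the handshake completes lands
            # here; that is the "[RST] before any certificate" case.
            $result[$proto] = $false
        } finally {
            $client.Dispose()
        }
    }
    [pscustomobject]$result
}

function Get-ServerCertificateSummary {
    param(
        [Parameter(Mandatory)] [string] $TargetHost,
        [int] $Port = 443
    )
    $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        # Let the client and server negotiate the version on their own this time.
        $ssl.AuthenticateAsClient($TargetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the OID of the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = $null
        if ($san) { $sanText = $san.Format($false) }
        [pscustomobject]@{
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            KeySize            = $cert.PublicKey.Key.KeySize   # RSA/DSA keys
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            HasSan             = [bool]$san
            San                = $sanText
            NegotiatedProtocol = $ssl.SslProtocol
        }
    } finally {
        $client.Dispose()
    }
}

# Usage: replace the placeholder with the embedded web server's name or IP.
Test-TlsProtocolSupport     -TargetHost 'printer.corp.example' | Format-List
Get-ServerCertificateSummary -TargetHost 'printer.corp.example' | Format-List
```

Reading the two results together separates the two failure classes discussed in this thread: if every version fails, the connection is torn down before the server ever sends a certificate, which matches the "no certificate menu" observation and points at protocol or cipher-suite configuration on the server; if Tls12 succeeds but the browser still refuses the page, the certificate itself (missing SAN, untrusted chain, unsupported key or signature algorithm) is the next thing to check, and that is the part the CA controls.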

@ariefd 

Hi, 

OK, one of the things which might cause an issue is the private key length, which is an important factor in the certificate. What is the key length for the certificate? If it is fewer than 1024, would you please generate another certificate with a longer key.

“A certificate containing a public key that is used to encrypt electronic messages, files, documents, or data transmissions, or to establish or exchange a session key for these same purposes.”

TLS is a protocol that uses the certificate and its content to establish a secure connection, and what I see here is not a certificate issue; it's a protocol issue.

Please regenerate the certificate with a longer key, 2048 at least, and let me know the update.

Thanks

Hi @farismalaeb,

Something has come up urgently at work today. About the key length: I created it with a length of 4096. That is why I don't understand.

FYI, I am based in Sydney, Australia. I reckon you are based somewhere in the US, with maybe a 12-hour difference.

@ariefd 

I assume that the key length created from your Win2019 server is similar to the key length created using RapidSSL.

I would advise you to use Wireshark to see the steps before the TLS negotiation.

That will reveal a lot.

And yes, I live in the UAE, Abu Dhabi :)