Partially a continuation from https://forums.iis.net/t/1252746.aspx?Getting+hresult+0x8007054F+error+for+any+certificates
Now that the issue has been narrowed down, I thought I'd put it someplace with a better chance of getting an actual bug report filed.
To summarize.
On Windows Server 2019, IIS v10.0, on the Default Web Site, on interface "BINDING : https *:443: "
Using TLS1.2 with an ECDSA521 SHA512 cert
The SSLDiag tool shows everything as valid for a certificate of 1.3.6.1.5.5.7.3.1 Server Authentication
The only error information I can get from SChannel is what's in its error event. Here are the highlights (see more in the linked topic):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1f678132-5938-4686-9fdc-c8ff68f15c85}" />
<Correlation ActivityID="{51aa0bed-36e1-0001-4b0d-aa51e136d701}" />
<Channel>System</Channel>
<Computer>myserver</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="ErrorState">10018</Data>
</EventData>
</Event>
When turning on verbose logging in SChannel, trying to view informational messages seems to crash event viewer, with this trace:
at Microsoft.ManagementConsole.Internal.SnapInMessagePumpProxy.OnThreadException(Object sender, ThreadExceptionEventArgs e)
at System.Windows.Forms.Application.ThreadContext.OnThreadException(Exception t)
at System.Windows.Forms.Control.WndProcException(Exception e)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr wndProc, IntPtr hWnd, Int32 msg, IntPtr wParam, IntPtr lParam)
at System.Windows.Forms.NativeWindow.DefWndProc(Message& m)
at System.Windows.Forms.Control.WmMouseDown(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.TabControl.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
When trying to add the cert binding in the IIS bindings interface I get the following UI error prompt: An internal error occurred (Exception from HRESULT: 0x8007054F)
Here are the events that IIS Logs:
IIS-Configuration > Operational:
Changes have successfully been committed to 'MACHINE/WEBROOT/APPHOST'.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@sslFlags' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@bindingInformation' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]/@protocol' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
Changes to '/system.applicationHost/sites/site[@name="Default Web Site" and @id="1"]/bindings/binding[@protocol="https" and @bindingInformation="*:443:"]' at 'MACHINE/WEBROOT/APPHOST' have successfully been committed.
IIS-Configuration > Administrative:
Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
Unable to find schema for config section 'system.xaml.hosting/httpHandlers'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/serviceHostingEnvironment'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/tracking'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/client'. This section will be ignored.
Unable to find schema for config section 'system.serviceModel/extensions'. This section will be ignored.
And the SSLDiag tool results:
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
System Time : Thursday, April 22, 2021 11:19:09 AM Eastern Standard Time
Processor Architecture : x64
OS : Microsoft Windows NT 6.2.9200.0
Microsoft Internet Information Services 10.0
SERVER SSL PROTOCOLS
PCT 1.0 : Disabled
SSL 2.0 : Disabled
SSL 3.0 : Disabled
TLS 1.0 : Disabled
SChannel EventLogging : 1 (hex)
-----
[W3SVC/1]
ServerComment : Default Web Site
ServerAutoStart : True
ServerState : Started
BINDING : http *:80:
BINDING : https *:443:
And as mentioned, all SChannel events become unreadable, so I can't get you any more SChannel events.
UPDATE:
I can now read the Schannel events, and right before the undefined error, SChannel logs something interesting:
The TLS server credential's private key has the following properties:
CSP name: Microsoft Software Key Storage Provider
CSP type: 0
Key name: te-!0021WebServer-b64b9b22-aa1a-4425-9f2e-902ae3c4cada
Key Type: N/A
Key Flags: 0x20
Seeing as it says Key Type: N/A, could that be the cause? Does SChannel not actually support ECDSA521?
I know that it is an old thread, but someone may find it useful when they come across this while searching for an answer.
I had the same error when I tried to bind an ECDH_P521 certificate to an IIS site.
I changed the cert to an ECDH_P384 and it works!
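As an added check (not code from this thread or from Microsoft), the script below inventories the Server Authentication certificates in the machine store and reports the key algorithm and size, so a P-521 key (KeySize 521, the curve that failed to bind above) is visible before anyone attempts the IIS binding. It assumes Windows PowerShell 5.1 on Windows Server 2019 with the built-in Cert: drive; the function name Get-ServerCertKeyInfo is my own.

```powershell
# Added example, not code from the thread: list Server Authentication certs with
# private keys and show their public-key algorithm and size, flagging P-521 keys.
# Assumes Windows PowerShell 5.1 and the built-in Cert: drive; no extra modules.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as in the SSLDiag output

function Get-ServerCertKeyInfo {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Keep only certificates whose EKU extension includes Server Authentication.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $isServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
        if (-not $isServerAuth) { return }

        # Read algorithm and size from the public key only; for CNG-stored ECC keys
        # $cert.PrivateKey is not usable under .NET Framework, so it is never touched.
        $alg = $cert.PublicKey.Oid.FriendlyName
        $keySize = $null
        $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert)
        if ($ecdsa) {
            $keySize = $ecdsa.KeySize       # 256, 384 or 521 for the NIST P-curves
        } else {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa) { $keySize = $rsa.KeySize }
        }

        # P-521 is the curve the poster could not bind in IIS; P-384 worked for the answerer.
        $note = ''
        if ($alg -eq 'ECC' -and $keySize -eq 521) { $note = 'P-521: binding failed in this thread' }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Algorithm  = $alg
            KeySize    = $keySize
            Note       = $note
        }
    }
}

Get-ServerCertKeyInfo | Format-Table -AutoSize
```

Run it in an elevated session so the LocalMachine store is readable; certificates without a private key are skipped because they could not be bound anyway.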