DavidBrown-4258 asked DavidBrown-4258 answered

IIS is not respecting a "Disable For All Purposes" change to a Trusted Root Certificate

As part of an ongoing certificate issue I disabled all purposes for a Trusted Root Certificate.
Next I stopped and started the W3SVC service using net stop W3SVC and net start W3SVC from the command line.

However when I run the https://www.ssllabs.com/ page for my site (after clearing the cache) the disabled certificate is still showing up as a Trusted Root certificate in one of the certification chains the report displays for my site.

IIS is not respecting the configuration change I made. How can I fix this?


anonymous user-4258

"I disabled all purposes for a Trusted Root Certificate."

Can you tell me how you disabled all purposes for a Trusted Root Certificate?

Hi, thanks for your reply. Here's how:

  1. Click on Magnifying Glass next to start button.
  2. Type "Certif" in Search Box.
  3. Windows shows 2 choices in response to search: Manage User Certificates and Manage Computer Certificates.
  4. Click Manage Computer Certificates.
  5. certlm [Certificates - Local Computer] window displayed.
  6. Click on <Trusted Root Certification Authorities> node in left pane. Object Type > <Certificates> is displayed in right pane.
  7. Double click on <Certificates> node to expand.
  8. Right click on individual certificate to display context menu.
  9. Click [Properties] from context menu. Properties dialog for the cert displays.
  10. On General tab click the "Disable All Purposes for this certificate" radio button.
  11. Click [Apply] button.
  12. Click [Ok] button.
DavidBrown-4258 answered

I've since seen in 1 of the 39 technical posts I've read trying to resolve my original problem that IIS does not send root certificates in the TLS Server Hello. It only sends domain and intermediate certs and it is up to the client to complete the certificate chain. Therefore disabling all purposes for my root certificate had no effect on the Qualys SSL Labs page because IIS wasn't going to send that root certificate anyway. After ensuring that I have a valid backup I'm going to repeat my experiment, only this time disabling the last intermediate certificate in the chain. I'm hoping that this will force IIS to send another certificate chain that this time will terminate in a root that is trusted by the client.


DavidBrown-4258 answered

Ok, I've disabled the last intermediate certificate in the chain. Here's how:

  1. Click on Magnifying Glass next to start button.
  2. Type "Certif" in Search Box.
  3. Windows shows 2 choices in response to search: Manage User Certificates and Manage Computer Certificates.
  4. Click Manage Computer Certificates.
  5. certlm [Certificates - Local Computer] window displayed.
  6. Click on <Intermediate Certification Authorities> node in left pane. Object Type > <Certificates> is displayed in right pane.
  7. Double click on <Certificates> node to expand.
  8. Right click on individual certificate to display context menu.
  9. Click [Properties] from context menu. Properties dialog for the cert displays.
  10. On General tab click the "Disable All Purposes for this certificate" radio button.
  11. Click [Apply] button.
  12. Click [Ok] button.
  13. Run net stop W3SVC then net start W3SVC.

However when I run the https://www.ssllabs.com/ page for my site (after clearing the cache) the disabled certificate is still showing up as an intermediate certificate in one of the certification chains the report displays for my site.

If I've disabled the intermediate certificate for all purposes then why is IIS sending it as part of the trust chain to identify my domain?

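Both of the posts above assume that the chain shown in the SSL Labs report is the chain IIS sent. A useful check before changing anything else in the certificate store is to look at the chain from two places: the chain the Windows chain engine builds for the bound server certificate out of the Local Computer stores (this is the material Schannel has available to send, normally without the self-signed root), and the chain a TLS client ends up with after connecting, which is whatever the server sent completed from the client's own stores. The PowerShell below is an added example, not code from the thread; it assumes the site answers on `$HostName:$Port` and that its certificate with private key is in `Cert:\LocalMachine\My` with the host name in its SAN list (both are assumptions, adjust to your site).

```powershell
# Added example, not from the original thread. Compares the chain the Local
# Computer chain engine builds for the IIS server certificate with the chain a
# TLS client resolves after connecting to the site.
# Assumptions: the site answers on $HostName:$Port and its certificate (with
# private key) is in Cert:\LocalMachine\My with $HostName among its DNS names.
param(
    [string]$HostName = 'www.example.com',   # assumption: your site's name
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$Name)
    # The Cert: provider exposes DnsNameList (SAN / CN entries) on each item,
    # which is the simplest way to pick the live server certificate.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $Name) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function ConvertTo-ChainInfo {
    param([System.Security.Cryptography.X509Certificates.X509Chain]$Chain)
    # Copy what we need into plain objects: the chain handed to a validation
    # callback is not guaranteed to stay usable after the callback returns.
    $rootThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    $caThumbs   = (Get-ChildItem Cert:\LocalMachine\CA).Thumbprint
    $links = foreach ($el in $Chain.ChainElements) {
        $c = $el.Certificate
        [pscustomobject]@{
            Subject     = $c.Subject
            Issuer      = $c.Issuer
            Thumbprint  = $c.Thumbprint
            SelfSigned  = ($c.Subject -eq $c.Issuer)
            InRootStore = ($rootThumbs -contains $c.Thumbprint)   # root completed locally, not sent by IIS
            InCAStore   = ($caThumbs -contains $c.Thumbprint)     # intermediate available to Schannel
        }
    }
    [pscustomobject]@{
        Links  = @($links)
        Status = @($Chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

function Show-ChainInfo {
    param([string]$Title, $Info)
    Write-Host "== $Title =="
    $Info.Links | Format-Table -AutoSize Subject, Issuer, SelfSigned, InRootStore, InCAStore | Out-Host
    if ($Info.Status.Count -eq 0) { Write-Host 'status: chain is valid' }
    foreach ($s in $Info.Status) { Write-Host "status: $s" }
}

# --- 1. Server-side view: what the Local Computer chain engine builds --------
$serverCert = Get-ServerCertificate -Name $HostName
if (-not $serverCert) { throw "No certificate with a private key for $HostName in LocalMachine\My" }

$localChain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$localChain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $localChain.Build($serverCert)
Show-ChainInfo -Title 'Chain built from the Local Computer stores' -Info (ConvertTo-ChainInfo $localChain)

# --- 2. Client-side view: connect and look at what the peer resolves ---------
$script:clientInfo   = $null
$script:policyErrors = $null
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # Record the chain the client's chain engine built from the Certificate
    # message plus its own stores; accept the handshake so we can inspect it.
    $script:clientInfo   = ConvertTo-ChainInfo $chain
    $script:policyErrors = $sslPolicyErrors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($HostName)
    Write-Host ('negotiated {0} with cipher {1}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm)
    Show-ChainInfo -Title 'Chain as resolved by a client (received certs + client stores)' -Info $script:clientInfo
    Write-Host ('policy errors: {0}' -f $script:policyErrors)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run the first half on the IIS host; run the second half from a machine that does not have your root or intermediates in its stores if you want to see what an outside client resolves, because on the server itself the client side will complete the chain from the same stores. The client-side chain is still built by the Windows chain engine, so for the literal bytes in the server's Certificate message use `openssl s_client -connect HOST:443 -servername HOST -showcerts` from another machine. Keep in mind that the certification paths in an SSL Labs report are paths the scanner constructs from the certificates it received plus its own trust stores, so a certificate appearing there is not by itself proof that IIS sent it.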