IIS is not respecting a "Disable For All Purposes" change to a Trusted Root Certificate

David Brown 96 Reputation points
2021-10-27T17:17:06.18+00:00

As part of an ongoing certificate issue I disabled all purposes for a Trusted Root Certificate.
Next I stopped and started the W3SVC service using net stop W3SVC and net start W3SVC from the command line.

However when I run the https://www.ssllabs.com/ page for my site (after clearing the cache) the disabled certificate
is still showing up as a Trusted Root certificate in one of the certification chains the report displays for my site.

IIS is not respecting the configuration change I made. How can I fix this?

Internet Information Services

Accepted answer
  1. David Brown 96 Reputation points
    2021-10-28T13:12:10.723+00:00

    I've since seen in 1 of the 39 technical posts I've read trying to resolve my original problem that IIS does not send root certificates in the TLS Server Hello. It only sends domain and intermediate certs and it is up to the client to complete the certificate chain. Therefore disabling all purposes for my root certificate had no effect on the Qualys Labs page because IIS wasn't going to send that root certificate anyway. After ensuring that I have a valid backup I'm going to repeat my experiment, only this time disabling the last intermediate certificate in the chain. I'm hoping that this will force IIS to send another certificate chain that this time will terminate in a root that is trusted by the client.

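The point made in the accepted answer (the server sends only the leaf and intermediates; the client builds the rest of the chain from its own stores) can be checked directly. The following PowerShell is an added diagnostic, not code from the thread; it assumes Windows PowerShell 5.1 with synchronous SslStream, where the validation callback's $chain.ChainPolicy.ExtraStore holds the certificates received from the server.

```powershell
# Added example (not from the thread): list the chain the client builds for an HTTPS host and
# mark which of its certificates the server actually sent in the TLS handshake.
# Assumption: in the SslStream validation callback, $chain.ChainPolicy.ExtraStore contains the
# certificates received from the peer; the leaf is taken from $ssl.RemoteCertificate.
function Get-ServerSentChain {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $script:SentByServer  = @()
    $script:BuiltByClient = @()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        # Certificates supplied by the server (intermediates; some runtimes also include the leaf)
        $script:SentByServer = @($chain.ChainPolicy.ExtraStore)
        # The chain the client built; elements not sent by the server were resolved locally
        $script:BuiltByClient = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        return $true   # diagnostic only: accept the handshake so the chain can be inspected
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    $sentThumbs = @($script:SentByServer | ForEach-Object Thumbprint) + $leaf.Thumbprint
    foreach ($c in $script:BuiltByClient) {
        [pscustomobject]@{
            Subject      = $c.Subject
            Thumbprint   = $c.Thumbprint
            SentByServer = ($sentThumbs -contains $c.Thumbprint)
            IsRoot       = ($c.Subject -eq $c.Issuer)
        }
    }
}

# Usage: Get-ServerSentChain -HostName 'www.example.com' | Format-Table -AutoSize
# A root with SentByServer = False was supplied by the client's own store, not by the server,
# so disabling it on the server has no effect on what remote clients receive.
```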

1 additional answer

  1. David Brown 96 Reputation points
    2021-10-28T13:42:29.817+00:00

    Ok, I've disabled the last intermediate certificate in the chain.
    Here's how:

    1. Click on the Magnifying Glass next to the Start button.

    2. Type "Certif" in the Search Box.

    3. Windows shows 2 choices in response to the search:
       Manage User Certificates and Manage Computer Certificates.

    4. Click Manage Computer Certificates.

    5. The certlm [Certificates - Local Computer] window is displayed.

    6. Click on the <Intermediate Certification Authorities> node
       in the left pane. Object Type > <Certificates> is displayed in
       the right pane.

    7. Double click on the <Certificates> node to expand it.

    8. Right click on an individual certificate to display the
       context menu.

    9. Click [Properties] from the context menu. The Properties
       dialog for the cert displays.

    10. On the General tab click the "Disable All Purposes for this
        certificate" radio button.

    11. Click the [Apply] button.

    12. Click the [Ok] button.

    13. Run net stop W3SVC then net start W3SVC.

    However when I run the https://www.ssllabs.com/ page for my site (after clearing the cache) the disabled certificate
    is still showing up as an intermediate certificate in one of the certification chains the report displays for my site.

    If I've disabled the intermediate certificate for all purposes then why is IIS sending it as part of the trust chain to identify my domain?
