Microsoft IIS7 and Google Chrome SSL Certificates

You may have noticed that newer versions of Chrome reject your certificates. There are two reasons:

  1. Your certificate does not carry a Subject Alternative Name (SAN). Chrome no longer falls back to the Common Name, so a certificate whose host name appears only in the CN is treated as a name mismatch.
  2. Your certificate is signed with SHA-1 instead of SHA-256 or stronger. Chrome now treats SHA-1 signatures as insecure.
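To tell which of the two complaints applies to a given certificate, the following PowerShell (an added example, not code from the original article) pulls the certificate a site presents, or reads one from the local machine store, and reports whether it has a DNS SAN that matches the host name and whether it is SHA-1 signed. The host name 'webserver.domain.com' and port 443 are placeholders; the "DNS Name=" text it parses is what the English Windows formatter emits for the SAN extension.

```powershell
# Added example, not part of the original article: find out which of the two Chrome
# complaints applies to a certificate. Works on PowerShell 3 or later on Windows.
# 'webserver.domain.com' and port 443 below are placeholders.

function Get-RemoteCertificate {
    # Fetch the certificate a TLS server presents, without trusting the chain
    # (the validation callback returns $true so we can inspect even a bad cert).
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ChromeCertificate {
    # Returns the certificate's DNS SAN list, signature algorithm and a list of problems
    # (empty when Chrome should accept it for $HostName).
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    $problems = @()

    # Reason 1: SAN (OID 2.5.29.17). Chrome 58+ ignores the CN, so the host name must be here.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        # Format($false) renders the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
        $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    if ($dnsNames.Count -eq 0) {
        $problems += 'No DNS Subject Alternative Name (Chrome no longer falls back to the CN)'
    } else {
        $hostLabels = $HostName.Split('.')
        $matched = $dnsNames | Where-Object {
            if ($_.StartsWith('*.')) {
                # A wildcard covers exactly one label: *.domain.com matches web.domain.com only.
                $hostLabels.Count -gt 1 -and (($hostLabels[1..($hostLabels.Count - 1)] -join '.') -ieq $_.Substring(2))
            } else {
                $_ -ieq $HostName
            }
        }
        if (-not $matched) { $problems += "SAN present but none of [$($dnsNames -join ', ')] matches $HostName" }
    }

    # Reason 2: signature hash. FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'.
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    if ($sigAlg -match '^(sha1|md5)') {
        $problems += "Signed with $sigAlg; Chrome requires SHA-256 or stronger"
    }

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Thumbprint         = $Certificate.Thumbprint
        SignatureAlgorithm = $sigAlg
        DnsNames           = $dnsNames
        Problems           = $problems
    }
}

# Check the certificate a live site presents...
$cert = Get-RemoteCertificate -HostName 'webserver.domain.com'
Test-ChromeCertificate -Certificate $cert -HostName 'webserver.domain.com' | Format-List

# ...or every certificate in the machine store, before binding one in IIS.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ChromeCertificate -Certificate $_ -HostName 'webserver.domain.com' } |
    Where-Object { $_.Problems.Count -gt 0 }
```

An empty Problems list for the host name you actually browse to means the certificate is fine and the complaint is elsewhere in the chain (an intermediate or the CA certificate that is still SHA-1 signed, which step 1 below addresses).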

 

To fix this, first update your Certificate Authority (CA) so that it will issue certificates that carry a SAN and are signed with SHA-256. Then generate new certificates for your sites that include a SAN.


1) Update the CA

To let the CA accept a subject alternative name supplied with a request, and to sign with SHA-256 rather than SHA-1, run the following on the CA as an administrator:

  1. certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  2. certutil -setreg ca\csp\CNGHashAlgorithm SHA256
  3. net stop certsvc
  4. net start certsvc
  5. Renew the CA's own certificate from the Certification Authority snap-in (right-click the CA, All Tasks, Renew CA Certificate) so that it, too, is signed with SHA-256. If this is a subordinate CA, the parent CA must sign the renewal with SHA-256 as well, or the chain still contains a SHA-1 signature.

Two caveats. The CNGHashAlgorithm setting only takes effect if the CA's key lives in a CNG key storage provider (KSP); a CA whose key was created with a legacy CSP keeps signing with SHA-1 until the key is migrated to a KSP. And EDITF_ATTRIBUTESUBJECTALTNAME2 lets any enrollee attach an arbitrary SAN to any request this CA accepts, including a user principal name on a template that allows client authentication, which is enough to obtain a certificate for another account. On an enterprise CA, limit who can enroll on the affected templates or require manager approval, or leave the flag off and put the SAN inside the request itself as in section 3, which a template whose subject name is supplied in the request will honour without it.
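After the restart and renewal, the following PowerShell (an added example, not from the original article) reads back the settings certutil -setreg wrote and reports anything that would keep SHA-256 or the SAN attribute from working: the EditFlags bit, the hash setting, whether the CA key is on a legacy CSP rather than a KSP (a heuristic based on the built-in provider names), and the signature algorithm on the newest CA certificate. It assumes it is run as an administrator on the CA itself.

```powershell
# Added example, not part of the original article: verify on the CA that step 1 took effect
# and that the CA can actually honour the SHA-256 setting. Run as an administrator on the CA.
# The registry layout is the one certutil -setreg writes to; the KSP test is a heuristic
# based on the built-in provider names.

function Test-CAConfiguration {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $base).Active          # name of the active CA instance
    $policy = Get-ItemProperty "$base\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $csp    = Get-ItemProperty "$base\$caName\CSP"

    $EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
    $sanAttributesAllowed = ($policy.EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0

    # A legacy CSP ignores CNGHashAlgorithm; only a CNG key storage provider honours it.
    $usesKsp = ($csp.Provider -like '*Key Storage Provider*') -or ($csp.ProviderType -eq 0)

    # Newest CA certificate: the last thumbprint listed in CACertHash, installed in LocalMachine\My.
    $thumb  = ((Get-ItemProperty "$base\$caName").CACertHash | Select-Object -Last 1) -replace ' ', ''
    $caCert = Get-Item "Cert:\LocalMachine\My\$thumb"

    $findings = @()
    if (-not $sanAttributesAllowed) {
        $findings += 'EditFlags lacks EDITF_ATTRIBUTESUBJECTALTNAME2; the san: attribute in certsrv will be ignored'
    }
    if ($csp.CNGHashAlgorithm -ne 'SHA256') {
        $findings += "CNGHashAlgorithm is '$($csp.CNGHashAlgorithm)', expected SHA256"
    }
    if (-not $usesKsp) {
        $findings += "CA key is on legacy provider '$($csp.Provider)'; migrate it to a KSP or SHA-256 will not be used"
    }
    if ($caCert.SignatureAlgorithm.FriendlyName -match '^sha1') {
        $findings += 'CA certificate itself is still SHA-1 signed; renew it (step 5)'
    }

    [pscustomobject]@{
        CA                   = $caName
        SanAttributesAllowed = $sanAttributesAllowed
        CNGHashAlgorithm     = $csp.CNGHashAlgorithm
        Provider             = $csp.Provider
        CACertSignature      = $caCert.SignatureAlgorithm.FriendlyName
        Findings             = $findings
    }
}

Test-CAConfiguration | Format-List
```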

 

 

2) Web Server w/ GUI

Now generate a new certificate request from IIS Manager, but do not complete it through the local Certificates MMC snap-in or through the "online CA" option in IIS: neither lets you attach a SAN to the request. Submit it through the CA's web enrollment pages instead.

  1. In IIS Manager, under Server Certificates, create a certificate request for the server's FQDN.
  2. Save the request file.
  3. Go to the CA's web enrollment site (http://CA_HOST/certsrv), choose "Request a certificate", then "advanced certificate request".
  4. Paste the contents of the request file into the request box.
  5. In the Additional Attributes field, supply: san:dns=SERVER_FQDN_VALUE (for several names, join them with &, e.g. san:dns=web1.domain.com&dns=www.domain.com). The CA only honours this attribute because of the EditFlags change in step 1.
  6. Submit the request.
  7. Download the issued certificate.
  8. Complete the request in IIS Manager (Complete Certificate Request) on the web host(s) using the downloaded certificate.
  9. Edit the site's HTTPS binding to use the new certificate.


3) Web Server from CLI (or Core server)

  1. Copy the attached request.inf file (a sample is shown below), then modify and save…
    1. Subject
    2. FriendlyName
    3. The 2.5.29.17 _continue_ line(s): one per DNS name, each ending in &
  2. certreq -new request.inf YOUR_REQUEST_NAME.req
  3. certreq -submit YOUR_REQUEST_NAME.req New_Cert_Name.cer (add -config "CA_HOST\CA_NAME" to skip the CA picker dialog, and on an enterprise CA -attrib "CertificateTemplate:WebServer" to choose the template)
  4. certreq -accept New_Cert_Name.cer
  5. Set the web server IIS bindings to use the new cert

Because this route carries the SAN inside the request as an X.509 extension rather than as a request attribute, a template whose subject name is supplied in the request will honour it even without the EditFlags change from step 1.


Sample request.inf (the input to certreq -new; the certificate itself is the .cer file the CA returns):


  [Version]
  Signature="$Windows NT$"

  [NewRequest]
  Subject="C=US,S=Texas,L=Austin,O=WebServices,OU=WebServers,CN=webserver.domain.com"
  PrivateKeyArchive=FALSE
  Exportable=FALSE
  UserProtected=FALSE
  MachineKeySet=TRUE
  ProviderName="Microsoft RSA SChannel Cryptographic Provider"
  ProviderType=12
  UseExistingKeySet=FALSE
  RequestType=PKCS10
  ; HashAlgorithm only affects the signature on the request itself; the hash used on the
  ; issued certificate is chosen by the CA (see step 1)
  ;HashAlgorithm=sha256
  KeyLength=2048
  KeyUsage = 0xF0 ; Digital Signature, Nonrepudiation, Key Encipherment, Data Encipherment
  KeySpec=1
  FriendlyName="webserver - 170504"

  [EnhancedKeyUsageExtension]
  OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

  [Extensions]
  ; If your client operating system is Windows Server 2008, Windows Server 2008 R2, Windows Vista,
  ; or Windows 7, SANs can be included in the Extensions section by using the following text format.
  ; Note 2.5.29.17 is the OID for a SAN extension. Add one _continue_ line per DNS name, each ending in &.
  2.5.29.17 = "{text}"
  _continue_ = "dns=webserver.domain.com&"
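The whole section 3 procedure as one PowerShell script (an added example, not code from the original article): it writes the request.inf itself so that any number of DNS names can be listed without hand-editing, runs certreq -new, -submit and -accept, and finishes by binding the issued certificate to the site, which is the step the page leaves to the reader. It assumes certreq.exe, the WebAdministration module (Windows Server 2008 R2 / IIS 7.5 or later) and local administrator rights; the CA config string 'cahost.domain.com\Domain-CA', the 'WebServer' template, the site name and all host names are placeholders. The template named must allow the subject name to be supplied in the request, or the CA will build the subject from Active Directory and drop the SAN.

```powershell
# Added example, not part of the original article: the certreq route above as one script that
# also writes the request.inf (so several DNS names can be added without hand-editing)
# and finishes with the IIS binding. Assumes certreq.exe, the WebAdministration module
# (Windows Server 2008 R2 / IIS 7.5 or later) and local administrator rights. The CA config
# string, the template name, the site name and all host names below are placeholders.

function New-SanRequestInf {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string[]]$AdditionalDnsNames = @(),
        [string]$Country = 'US', [string]$State = 'Texas', [string]$City = 'Austin',
        [string]$Org = 'WebServices', [string]$OrgUnit = 'WebServers'
    )
    # One _continue_ line per name; each ends in & so certreq concatenates them into one SAN value.
    $sanLines = (@($Fqdn) + $AdditionalDnsNames) | ForEach-Object { "_continue_ = `"dns=$_&`"" }
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject="C=$Country,S=$State,L=$City,O=$Org,OU=$OrgUnit,CN=$Fqdn"
Exportable=FALSE
MachineKeySet=TRUE
ProviderName="Microsoft RSA SChannel Cryptographic Provider"
ProviderType=12
RequestType=PKCS10
KeyLength=2048
KeyUsage=0xA0 ; Digital Signature, Key Encipherment: what an RSA TLS server certificate needs
KeySpec=1
FriendlyName="$Fqdn - $(Get-Date -Format yyMMdd)"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
$($sanLines -join "`r`n")
"@
}

function Request-SanCertificate {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [string[]]$AdditionalDnsNames = @(),
        [Parameter(Mandatory)][string]$CAConfig,   # "CA_HOST\CA_NAME"
        [string]$Template = 'WebServer',           # must allow the subject to be supplied in the request
        [string]$WorkDir = (Join-Path $env:TEMP 'certreq')
    )
    New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
    $inf = Join-Path $WorkDir "$Fqdn.inf"
    $req = Join-Path $WorkDir "$Fqdn.req"
    $cer = Join-Path $WorkDir "$Fqdn.cer"

    New-SanRequestInf -Fqdn $Fqdn -AdditionalDnsNames $AdditionalDnsNames |
        Set-Content -Path $inf -Encoding ASCII

    # -new generates the key pair in the machine store and writes the PKCS#10 request.
    & certreq.exe -new $inf $req
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

    # -config names the CA so no picker dialog appears; -attrib selects the template on an enterprise CA.
    & certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $req $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE (pending approval?)" }

    # -accept installs the issued certificate and joins it to the private key generated by -new.
    & certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
    return Get-Item "Cert:\LocalMachine\My\$($issued.Thumbprint)"
}

function Set-IisHttpsBinding {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port
    }
    # IIS:\SslBindings\<ip>!<port> maps the HTTPS listener to a certificate; replace whatever is there.
    $binding = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $binding) { Remove-Item $binding }
    Get-Item "Cert:\LocalMachine\My\$($Certificate.Thumbprint)" | New-Item $binding | Out-Null
}

$cert = Request-SanCertificate -Fqdn 'webserver.domain.com' -AdditionalDnsNames 'www.domain.com' `
                               -CAConfig 'cahost.domain.com\Domain-CA'
Set-IisHttpsBinding -Certificate $cert -SiteName 'Default Web Site'
```

Exportable stays FALSE as in the sample above, so the private key never leaves the web host; if the same certificate must serve several hosts, request it on each one rather than exporting it.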
