Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to configure intermediate certificates on a computer that is running IIS for server authentication
Article ID: 954755 - View products that this article applies to.
When a client computer tries to establish server-authenticated Secure Sockets Layer (SSL) connections with an Internet Information Services (IIS) Web server, the server certificate chain is validated on the client computer. For this certificate validation to complete successfully, the intermediate certificates in the server certificate chain must be configured correctly on the server. If these certificates are configured incorrectly, the server authentication may fail. This also applies to any program that uses SSL/ Transport Layer Security (TLS) for authentication.
ImpactClient computers cannot connect to the server that is running IIS. This occurs because the client computers cannot authenticate the servers that do not have intermediate certificates that are configured correctly.
RecommendationCorrectly configure the intermediate certificates on the server. For more information, see the "More information" section.
Technical detailsX.509 certificate validation consists of several phases. These phases include certificate path discovery and path validation.
As part of certificate path discovery, the intermediate certificates must be located to build the certificate path up to a trusted root certificate. An intermediate certificate is a certificate that is useful in determining if a certificate was ultimately issued by a valid root certification authority (CA). These certificates can be obtained from the cache or from the certificate store on the client computer. Servers can also provide this information to the client computer.
In the SSL negotiation, the server certificate is validated on the client. In this case, the server provides the certificates to the client computer together with the intermediate issuing certificates that the client computer can use to build the certificate path. The complete certificate chain, except for the root certificate, is sent to the client computer.
IIS determines the set of certificates that it sends to clients for TLS/SSL by building a certificate chain of a configured server authentication certificate in the local computer context. The intermediate certificates must be configured correctly by adding them to intermediate CA certificate store in the local computer account on the server.
If a server operator installs an SSL certificate together with the relevant issuing CA certificates, and then the server operator later renews the SSL certificate, the server operator must make sure that the intermediate issuing certificates are updated at the same time.
How to configure intermediate certificates
For more information about how the CryptoAPI function builds certificate chains and validates revocation status, visit the following Microsoft TechNet Web site:
SupportFor a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMSNote In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Security resourcesFor more information about security in Microsoft products, visit the following Microsoft TechNet Web site:
DisclaimerThe information that is provided in the Microsoft Knowledge Base article is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.