When a client computer tries to establish server-authenticated Secure Sockets Layer (SSL) connections with an Internet Information Services (IIS) Web server, the server certificate chain is validated on the client computer. For this certificate validation to complete successfully, the intermediate certificates in the server certificate chain must be configured correctly on the server. If these certificates are configured incorrectly, the server authentication may fail. This also applies to any program that uses SSL/ Transport Layer Security (TLS) for authentication.
ImpactClient computers cannot connect to the server that is running IIS. This occurs because the client computers cannot authenticate the servers that do not have intermediate certificates that are configured correctly.
RecommendationCorrectly configure the intermediate certificates on the server. For more information, see the "More information" section.
Technical detailsX.509 certificate validation consists of several phases. These phases include certificate path discovery and path validation.
As part of certificate path discovery, the intermediate certificates must be located to build the certificate path up to a trusted root certificate. An intermediate certificate is a certificate that is useful in determining if a certificate was ultimately issued by a valid root certification authority (CA). These certificates can be obtained from the cache or from the certificate store on the client computer. Servers can also provide this information to the client computer.
In the SSL negotiation, the server certificate is validated on the client. In this case, the server provides the certificates to the client computer together with the intermediate issuing certificates that the client computer can use to build the certificate path. The complete certificate chain, except for the root certificate, is sent to the client computer.
IIS determines the set of certificates that it sends to clients for TLS/SSL by building a certificate chain of a configured server authentication certificate in the local computer context. The intermediate certificates must be configured correctly by adding them to intermediate CA certificate store in the local computer account on the server.
If a server operator installs an SSL certificate together with the relevant issuing CA certificates, and then the server operator later renews the SSL certificate, the server operator must make sure that the intermediate issuing certificates are updated at the same time.
How to configure intermediate certificates
- Open the Certificates Microsoft Management Console (MMC) snap-in. To do this, follow these steps:
- At a command prompt, type Mmc.exe.
- If you are not running the program as the built-in Administrator, you will be prompted for permission to run the program. In the Windows Security dialog box, click Allow.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
- In the Certificates snap-in dialog box, click Computer account, and then click Next.
- In the Select computer dialog box, click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- To add an intermediate certificate, follow these steps:
- In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
- In the Certificate Import Wizard, click Next.
- In the File to Import page, type the file name of the certificate that you want to import in the File name box, and then click Next.
- Click Next, and then complete the Certificate Import Wizard.
For more information about how the CryptoAPI function builds certificate chains and validates revocation status, visit the following Microsoft TechNet Web site:
SupportFor a complete list of Microsoft Customer Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Security resourcesFor more information about security in Microsoft products, visit the following Microsoft TechNet Web site:
DisclaimerThe information that is provided in the Microsoft Knowledge Base article is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Article ID: 954755 - Last Review: May 25, 2009 - Revision: 1