When a client computer tries to establish server-authenticated Secure Sockets Layer (SSL) connections with an Internet Information Services (IIS) Web server, the server certificate chain is validated on the client computer. For this certificate validation to complete successfully, the intermediate certificates in the server certificate chain must be configured correctly on the server. If these certificates are configured incorrectly, the server authentication may fail. This also applies to any program that uses SSL/ Transport Layer Security (TLS) for authentication.
ImpactClient computers cannot connect to the server that is running IIS. This occurs because the client computers cannot authenticate the servers that do not have intermediate certificates that are configured correctly.
RecommendationCorrectly configure the intermediate certificates on the server. For more information, see the "More information" section.
Technical detailsX.509 certificate validation consists of several phases. These phases include certificate path discovery and path validation.
As part of certificate path discovery, the intermediate certificates must be located to build the certificate path up to a trusted root certificate. An intermediate certificate is a certificate that is useful in determining if a certificate was ultimately issued by a valid root certification authority (CA). These certificates can be obtained from the cache or from the certificate store on the client computer. Servers can also provide this information to the client computer.
In the SSL negotiation, the server certificate is validated on the client. In this case, the server provides the certificates to the client computer together with the intermediate issuing certificates that the client computer can use to build the certificate path. The complete certificate chain, except for the root certificate, is sent to the client computer.
IIS determines the set of certificates that it sends to clients for TLS/SSL by building a certificate chain of a configured server authentication certificate in the local computer context. The intermediate certificates must be configured correctly by adding them to intermediate CA certificate store in the local computer account on the server.
If a server operator installs an SSL certificate together with the relevant issuing CA certificates, and then the server operator later renews the SSL certificate, the server operator must make sure that the intermediate issuing certificates are updated at the same time.
How to configure intermediate certificates
- Open the Certificates Microsoft Management Console (MMC) snap-in. To do this, follow these steps:
- At a command prompt, type Mmc.exe.
- If you are not running the program as the built-in Administrator, you will be prompted for permission to run the program. In the Windows Security dialog box, click Allow.
- On the File menu, click Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, click the Certificates snap-in in the Available snap-ins list, click Add, and then click OK.
- In the Certificates snap-in dialog box, click Computer account, and then click Next.
- In the Select computer dialog box, click Finish.
- In the Add or Remove Snap-ins dialog box, click OK.
- To add an intermediate certificate, follow these steps:
- In the Certificates MMC snap-in, expand Certificates, right-click Intermediate Certification Authorities, point to All Tasks, and then click Import.
- In the Certificate Import Wizard, click Next.
- In the File to Import page, type the file name of the certificate that you want to import in the File name box, and then click Next.
- Click Next, and then complete the Certificate Import Wizard.
For more information about how the CryptoAPI function builds certificate chains and validates revocation status, visit the following Microsoft TechNet Web site: