

WoSign cert on IIS

ReeRee Member

Anybody using a WoSign cert on IIS? If so, does https://www.ssllabs.com/ssltest show multiple trusted paths?

My cert on Apache lists 3 paths, and sites using the cert work fine on Apple devices. My cert on IIS only lists 1 path, and Apple devices complain about it being untrusted because the StartCom path isn't there.

Originally I created my pfx using the "for IIS" files. After discovering this problem I went and created a new pfx using the exact same files that are working on Apache, but still no love for Apple.

Here's the command I'm using:

sudo openssl pkcs12 -export -out wosign.pfx -inkey /etc/apache2/ssl/wosign-private.key -in /etc/apache2/ssl/wosign.crt -certfile /etc/apache2/ssl/wosign-root-bundle.crt

Not sure if I'm doing something wrong creating the .pfx file, or importing to the Windows server, or what. Any suggestions are welcomed!

Comments

  • I'm using IIS 8.5 (Server 2012R2) and after disabling both WoSign root certificates (Certification Authority of WoSign and Certification Authority of WoSign G2, not sure if it is necessary to disable that "G2" certificate) IIS started to send other paths too.

    Yes, I know. There is no logic in this. But after disabling those root certs, SSL Server Test (SSL Labs) gives me this.

    Path #1: Trusted
    
    1 Sent by server  example.com
      Fingerprint: ...
    2 Sent by server  WoSign CA Free SSL Certificate G2
      Fingerprint: f4db6d0281f204d36e2d2fbfa72f7940ed9d1adc
    3 In trust store  Certification Authority of WoSign
      Fingerprint: b94294bf91ea8fb64be61097c7fb001359b676cb
    
    -----------
    
    Path #2: Trusted
    
    1 Sent by server  example.com
      Fingerprint: ...
    2 Sent by server  WoSign CA Free SSL Certificate G2
      Fingerprint: f4db6d0281f204d36e2d2fbfa72f7940ed9d1adc
    3 Sent by server  Certification Authority of WoSign
      Fingerprint: b0b68ae97cfe2afacd0dc2010b9d70ace593e8a6
    4 In trust store  StartCom Certification Authority
      Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0
    -----------
    
    Path #3: Trusted
    
    1 Sent by server  example.com
      Fingerprint: ...
    2 Sent by server  WoSign CA Free SSL Certificate G2
      Fingerprint: f4db6d0281f204d36e2d2fbfa72f7940ed9d1adc
    3 Sent by server  Certification Authority of WoSign
      Fingerprint: b0b68ae97cfe2afacd0dc2010b9d70ace593e8a6
    4 In trust store  StartCom Certification Authority
      Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f

    Make sure that you have both of those StartCom certificates listed above installed in the "Trusted Root Certification Authorities" certificate store and all other "middle" certificates in "Intermediate Certification Authorities". Use fingerprints to help identify the right certs. If you are missing StartCom root certs, you can get them from here: https://www.startssl.com/certs/

    • ca-sha2.crt has fingerprint a3f1333fe242bfcfc5d14e8f394298406810d1a0
    • ca.crt has fingerprint 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f

    Reboot your server. Restarting IIS is not enough.

    Thanked by 1Ree
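    Added example, not code from this thread or from WoSign/StartCom: a PowerShell check to run on the IIS host that confirms each certificate from the SSL Labs paths above sits in the store the comment recommends. The thumbprints are the SHA-1 fingerprints quoted above (Windows shows them upper-case, no separators); the store names are the Windows ones (`Root` = Trusted Root Certification Authorities, `CA` = Intermediate Certification Authorities, `My` = Personal). It only reports presence and placement; the "disable all purposes" state set through certmgr is not visible through `Get-ChildItem`.

```powershell
# Added example (not from the thread). Verifies the chain certificates are in the
# expected LocalMachine stores and flags intermediates left behind in Personal (My),
# which is where a PFX import drops them and where the thread's fix moved them out of.
$Expected = @(
    [pscustomobject]@{ Store = 'Root'; Name = 'StartCom Certification Authority (ca-sha2.crt)';          Thumbprint = 'A3F1333FE242BFCFC5D14E8F394298406810D1A0' }
    [pscustomobject]@{ Store = 'Root'; Name = 'StartCom Certification Authority (ca.crt)';               Thumbprint = '3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F' }
    [pscustomobject]@{ Store = 'Root'; Name = 'Certification Authority of WoSign (self-signed root)';    Thumbprint = 'B94294BF91EA8FB64BE61097C7FB001359B676CB' }
    [pscustomobject]@{ Store = 'CA';   Name = 'Certification Authority of WoSign (StartCom cross-signed)'; Thumbprint = 'B0B68AE97CFE2AFACD0DC2010B9D70ACE593E8A6' }
    [pscustomobject]@{ Store = 'CA';   Name = 'WoSign CA Free SSL Certificate G2';                       Thumbprint = 'F4DB6D0281F204D36E2D2FBFA72F7940ED9D1ADC' }
)

function Test-ChainStores {
    param([Parameter(Mandatory)] [object[]] $Expected)
    $problems = @()
    foreach ($e in $Expected) {
        # Presence check by thumbprint in the store the thread says it belongs in.
        $inStore = Get-ChildItem "Cert:\LocalMachine\$($e.Store)" |
            Where-Object { $_.Thumbprint -eq $e.Thumbprint }
        if (-not $inStore) {
            $problems += "MISSING   $($e.Name) [$($e.Thumbprint)] not in LocalMachine\$($e.Store)"
        }
        # An intermediate sitting in Personal is the misplacement the thread describes.
        if ($e.Store -eq 'CA') {
            $inMy = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $e.Thumbprint }
            if ($inMy) {
                $problems += "MISPLACED $($e.Name) is in LocalMachine\My; move it to Intermediate Certification Authorities"
            }
        }
    }
    return $problems
}

$report = Test-ChainStores -Expected $Expected
if ($report.Count -eq 0) {
    'All chain certificates are in the expected stores.'
} else {
    $report
}
```

    The self-signed WoSign root is listed under `Root` on purpose: the fix in this thread disables it rather than deleting it, so it should still be present. Run the script elevated, since the LocalMachine stores are what IIS reads.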
  • I read someone else talking about disabling an existing root cert (COMODO in their case), so I tried that, but didn't think to reboot after. Before rebooting for that change I also installed the ca-sha2.crt that was missing, and also moved the two WoSign certificates out of Personal and into Intermediate as you suggested.

    Some combination of all that, plus a reboot, did the trick! So thanks!

    Thanked by 1paavoris
  • Glad that it worked out. :)

    You may want to also disable automatic updating of root certificates. I've read somewhere that Windows may enable disabled certificates again during Windows Update, if there is a root certificate update in Windows Update. I'm not sure if that affects W2012R2 too, but if you don't disable root cert updates and Windows starts again sending only one trust path, that is most likely what happened. It's easy to fix though, just disable WoSign roots again. Annoying fix, since it needs a reboot.

    Info about disabling root cert updates: http://toastergremlin.com/?p=144

    Server reboot is required (as far as I know) because Windows is using the same "cryptographic subsystem" everywhere it needs secured connections (Internet Explorer, AD communications, IIS, VPN connections, etc.), so you have to know the right services to restart. I don't know the right services and I'm too lazy to find out. Rebooting is easier. :)

    Thanked by 1Ree
    Thanks for the heads up on the possible re-enabling. I have a process that watches for changes to my firewall rules or RAID status changes, so I've updated that to now also check the WoSign root cert. So now if it gets re-enabled in the future, within 5 minutes it'll be re-disabled.

    Of course then a reboot is still required after it runs, but unless it happens often enough to be troubling I'm too lazy to figure out which services to restart too and will just stick to the reboot :)
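    Added example, not code from this thread or from either poster's monitor: a PowerShell function that builds the chain Windows' CryptoAPI selects for the server certificate and reports which root it ends at. Since IIS (schannel) sends the chain CryptoAPI builds, a chain that suddenly ends at the WoSign root instead of a StartCom root is the symptom the comment above describes, and this is a check a periodic monitor can run without waiting for SSL Labs. `example.com` and the StartCom thumbprints come from the thread; the `-SubjectPattern` parameter and the function name are assumptions.

```powershell
# Added example (not from the thread). Builds the chain for the site certificate and
# checks whether it terminates at one of the StartCom roots that Apple clients trust.
function Get-ServerChainRoot {
    param(
        [Parameter(Mandatory)] [string] $SubjectPattern,   # CN of the site cert, e.g. 'example.com'
        [string[]] $AcceptableRootThumbprints = @(
            'A3F1333FE242BFCFC5D14E8F394298406810D1A0',    # StartCom CA (ca-sha2.crt)
            '3E2BF7F2031B96F38CE6C4D8A85D3E2D58476A0F'     # StartCom CA (ca.crt)
        )
    )
    # The IIS binding cert lives in LocalMachine\My and has its private key.
    $serverCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject -like "*CN=$SubjectPattern*" } |
        Select-Object -First 1
    if (-not $serverCert) {
        throw "No certificate with a private key for CN=$SubjectPattern in LocalMachine\My"
    }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is irrelevant to path selection here and needs network access; skip it.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built    = $chain.Build($serverCert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $root     = $elements[-1]

    [pscustomobject]@{
        Built          = $built
        Depth          = $elements.Count
        Path           = ($elements | ForEach-Object { $_.Subject }) -join ' -> '
        RootThumbprint = $root.Thumbprint
        EndsAtStartCom = ($AcceptableRootThumbprints -contains $root.Thumbprint)
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$result = Get-ServerChainRoot -SubjectPattern 'example.com'
$result
if (-not $result.EndsAtStartCom) {
    Write-Warning "Chain ends at $($result.RootThumbprint), not a StartCom root; the WoSign root may have been re-enabled. Re-disable it and reboot, then re-check."
}
```

    The chain .NET builds in an elevated session is a close proxy for what schannel sends, not identical to it, so confirm a change with the SSL Labs test before and after a reboot. The `Depth` field is the quick tell: the StartCom paths in the comment above are 4 deep, the WoSign-only path is 3.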

  • @paavoris Just to follow up...I woke up this morning to a notification from my server monitor indicating it had re-disabled the WoSign root cert. Going to the server I found this in my event log:

    Successful auto property update of third-party root certificate:: Subject: <CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN> Sha1 thumbprint: .

    28 seconds prior to that was "The Software Protection service has started.", so it seems like it's not just Windows Update that may modify your root certs.

    The good news is the cert was still working fine without needing a reboot. I guess Microsoft doesn't know which services to restart to make the changes to their cert active either :-)

    Thanked by 1paavoris
  • Thanks for the info. :)
