IIS and Domain Certificate

Kévin LEONARD 0 Reputation points
2024-04-19T01:45:43.0833333+00:00

Hi,

I am currently in training and working on a LAB (Hyper-V) in a Microsoft environment.

I am encountering an issue with SSL certificate validation on an IIS server running on Windows Server 2019 and 2022 (I have tested both). Two virtual machines, INFRA and IIS, belong to the same domain "LEO.LAN". I generate a "domain certificate" via the IIS Manager and configure the site to enable SSL using this certificate.

Despite the certificate being correctly issued by my internal certification authority (LEO-INFRA-CA) and working without any problems on Internet Explorer, it is not validated by Chrome, Edge, or Firefox with the following errors:

Chrome and Edge: NET::ERR_CERT_COMMON_NAME_INVALID

Firefox: SSL_ERROR_BAD_CERT_DOMAIN

Configuration:

Issuer: CN=LEO-INFRA-CA, DC=LEO, DC=LAN

Subject: CN=iis.leo.lan, OU=IT, O=IT, L=IT, S=IT, C=FR

Friendly Name: iis.leo.lan-cert

Server: IIS on Windows Server 2022

URL: https://iis.leo.lan

I have verified that the common name (CN) is correct and matches the URL.

My research leads me to believe that there seems to be a problem with the Subject Alternative Names (SAN) that might not be specified or misconfigured.

Questions:

  • Are there any additional steps necessary to ensure certificate recognition by all modern browsers?
  • Are there specific configurations on IIS or adjustments to be made on the certificate itself to improve compatibility with modern browsers?
  • How can I effectively check and correct SAN configurations in the issued certificate?

Any help or suggestions would be greatly appreciated to resolve this issue.

Thank you in advance for your support.

Internet Information Services
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,161 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,888 questions

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Jing Zhou 2,240 Reputation points Microsoft Vendor
    2024-04-22T06:18:18.5833333+00:00

    Hello,

     

    Thank you for posting in Q&A forum.

    To configure an IIS certificate, you can check the best practice via Microsoft Official Documentation:

    https://learn.microsoft.com/en-us/system-center/scom/configure-https-binding-windows-server-ca?view=sc-om-2022

    Meanwhile, please kindly check the certificate contains SAN correctly. If there's any other domain or sub domain name, please include it inside.

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Best regards,

    Jill Zhou

    0 comments
  2. Kévin LEONARD 0 Reputation points
    2024-04-22T11:48:25.1733333+00:00

    Hello,

    I have just set up two VMs (1.INFRA and 2.WEB) with Windows Server 2022.

    I followed the protocol described in the link you provided.

    From INFRA, I can access the default IIS page via SSL without any errors. Thank you very much.

    So, when the CA and IIS are on the same server, it works.

    The certificate deploys correctly across my domain, and https://infra.leo.lab works properly on both INFRA and WEB.

    However,

    On my second IIS (WEB):

    When I generate a domain certificate in the same way as the first (with the selection of the CA based on INFRA), and follow the procedure (the same except that the CA is on INFRA), the browser still displays the error message (on both INFRA and WEB).

    The mystery remains for me.

    The test on INFRA proves that the method works when IIS and CA are on the same server, and the certificates deploy correctly across other machines in the domain. So, why this behavior? Did I miss something ?

    Thank you for your help.

    0 comments