Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IIS complains about missing intermediates #148

Open
natiki opened this issue Mar 13, 2019 · 17 comments
Open

IIS complains about missing intermediates #148

natiki opened this issue Mar 13, 2019 · 17 comments
Labels
help wanted Extra attention is needed Windows Requires Windows expert

Comments

@natiki
Copy link

natiki commented Mar 13, 2019

Hi,

  • Windows 10 1809 Professional
  • IIS 10.0.17763.1
  • Have run mkcert -install

Generated my new wildcard certificate as:

 mkcert -pkcs12 "*.ozc.black"

I then go to IIS > Server Certificates and try and import it but am prompted for a password?

image

What am I missing here? It is not my login password.

@FiloSottile
Copy link
Owner

The password is “changeit” (for unfortunate legacy PKCS#12 reasons). The output of mkcert should have mentioned it, didn’t it?

@natiki
Copy link
Author

natiki commented Mar 13, 2019

@FiloSottile OMG sorry about that, RTFM!!!! It does indeed say that. My apologies for being like a typical user and not reading things.

@natiki natiki closed this as completed Mar 13, 2019
@FiloSottile
Copy link
Owner

It’s ok, we all glance over things from time to time :)

@natiki
Copy link
Author

natiki commented Mar 13, 2019

Seems IIS now belives there are missing intermediates?

image

@natiki natiki reopened this Mar 13, 2019
@FiloSottile
Copy link
Owner

That’s weird, as mkcert does not use intermediates.

The message says “installed”, maybe it wants the root in the system store? In that case running “mkcert -install” might fix it, but that would be a weird requirement.

@natiki
Copy link
Author

natiki commented Mar 13, 2019

I had previously run mkcert -intall and it said it had installed it? Re-ran it just to be sure and the response is:

Using the local CA at "C:\Users\{OmittedForSecurity}\AppData\Local\mkcert

and I can see the CA as:

image

@FiloSottile
Copy link
Owner

I’m afraid we have to wait for someone who actually dealt with IIS, I have never actually used it.

@FiloSottile FiloSottile changed the title Cannot add newly generated certificate to person store in IIS... IIS complains about missing intermediates Mar 13, 2019
@FiloSottile FiloSottile added the help wanted Extra attention is needed label Mar 13, 2019
@CW92
Copy link

CW92 commented May 1, 2019

When using the certificate locally I don't get this issue but when I move it to a VM I get the same error.

Looking at my local machine I have a Certificate created and it is using that (Named "mkcert {Domain}{Username}").

I exported this certificate as .p7b and then imported this on my VM and no longer saw this message pop up in IIS.

@natiki
Copy link
Author

natiki commented May 1, 2019

My case was Windows 10 running on bare metal.

@CW92
Copy link

CW92 commented May 1, 2019

If you go to MMC > Certificates > Choose the Certificate > Certification Path, does this certificate appear at the top level or as a sub certificate?

@natiki
Copy link
Author

natiki commented Jun 19, 2019

Top level
image

@FiloSottile FiloSottile added the Windows Requires Windows expert label Aug 17, 2019
@martinib77
Copy link

I'm having the same problem. Did somebody find a solution ?

@CW92
Copy link

CW92 commented Jun 24, 2021

I'm having the same problem. Did somebody find a solution ?

I am not having the same issue, in Powershell Admin (Don't know if Admin mode is required but I use it for personal preference).

Created a new one running:

  • cd ~ (Users Home Drive - In my case C:\Users\Chris)
  • mkcert -pkcs12 2021-06-24.localtest.me ("2021-06-24.localtest.me" is the Subject Alternate Name for the certificate)
  • mv .\2021-06-24.localtest.me.p12 .\2021-06-24.localtest.me.pfx
  • Import into IIS (Password: changeit)
  • Add certificate to IIS site through Binding

(Screenshot from Powershell)
image

When I import my certificate into IIS I am not getting this, looking at the server certification path I have the top as the machine signing the cert (mkcert -install cert) and then "2021-06-24.localtest.me" (My newly created cert).
(Screenshot from Certificate)
image

When I have had issues it is due to the certificate not containing the top level Signing Certificate, if the one generated from mkcert is missing the signing Certificate then this can be exported from MMC.

  • Start > Run (Windows Key + R)
  • Type MMC /C
  • File > Add/Remove Snap-in... (Crtl + M)
  • Click Certificates > Click "Add >"
  • Select Computer account
  • Click Next > Finish
  • Click OK
  • Expand Certificates > Personal > Certificates
  • Right Click the Certificate generated above (In my case 2021-06-24.localtest.me) > All Tasks > Export
  • Click Next > Select "Yes" to export Private Key > Next > Make sure "Include all certificates in the certification path if possible" is selected > Click Next > Choose Security Type > Click Next > Select where to export to (with file name) > Click Next > Click Finish
  • Import the generated certificate into IIS.

Please let me know if after trying both of these that neither option is working and I will see if I have to do any other steps.

@martinib77
Copy link

I did both options.

But the moment i save the Binding on IIS the intermediate certificates error appears.

ie-message

Viewing the certificate, everything is ok

certificate-path

And when i use Chrome to browse the site, it shows as secured site.

secured-site

But then , when my app in .NET Core tries to download a file from the site it gives:

---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain

I assume the error is the same that IIS is showing when saving the binding.

@CW92
Copy link

CW92 commented Jun 24, 2021

I think the issue with .Net Core is It looks like the Subject Alternate Name for the certificate in IIS is "2021-06-24.localtest.me" whereas the binding is localhost which is causing a mismatch preventing the .Net Core application from trusting the certificate.

However I have also found this can be due to the server not trusting the Certificate, to fix this I normally copy the Certificate (and any parents) into Trusted Root CA folder (In MMC) however recently on occasion I have had to add them to Trusted People as well.

@martinib77
Copy link

Installing on Trusted Root CA folder (In MMC) solved the issue !

Trusted Root CA folder

After installing the generated localhost.pfx certificate, IIS doesn't give the warning message anymore, and .NET Core also trust the certificate.

It looks like the Subject Alternate Name for the certificate in IIS is "2021-06-24.localtest.me" whereas the binding is localhost which is causing a mismatch preventing the .Net Core application from trusting the certificate
The moment i solve the IIS error, it gives me the name mismatch, but generating again the certificate for localhost solved the problem

@cam-m
Copy link

cam-m commented Dec 11, 2024

I've just hit this issue.

The problem is that 'mkcert -install' is installing the root CA cert in the Current User Store, and IIS is using the Machine (Local Computer) Store.

When the localhost cert is installed in IIS this puts it in the Machine Store - the CA Cert is missing from the chain because its in a different store - the Current User Store.

Fixing #550 would likely address this issue more permanently, but the workaround is to just export the root CA cert from the Current User Store (certmgr) and import it into Trusted Root Certification in the Local Computer Store (certlm).

Worked for me (Windows 11)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
help wanted Extra attention is needed Windows Requires Windows expert
Projects
None yet
Development

No branches or pull requests

5 participants