FiloSottile / mkcert

A simple zero-config tool to make locally trusted development certificates with any names you'd like.
https://mkcert.dev
BSD 3-Clause "New" or "Revised" License

IIS complains about missing intermediates #148

Open natiki opened 5 years ago

natiki commented 5 years ago

Hi,

Generated my new wildcard certificate as:

 mkcert -pkcs12 "*.ozc.black"

I then go to IIS > Server Certificates and try and import it but am prompted for a password?


What am I missing here? It is not my login password.

FiloSottile commented 5 years ago

The password is “changeit” (for unfortunate legacy PKCS#12 reasons). The output of mkcert should have mentioned it, didn’t it?

natiki commented 5 years ago

@FiloSottile OMG sorry about that, RTFM!!!! It does indeed say that. My apologies for being like a typical user and not reading things.

FiloSottile commented 5 years ago

It’s ok, we all glance over things from time to time :)

natiki commented 5 years ago

Seems IIS now believes there are missing intermediates?


FiloSottile commented 5 years ago

That’s weird, as mkcert does not use intermediates.

The message says “installed”, maybe it wants the root in the system store? In that case running “mkcert -install” might fix it, but that would be a weird requirement.

natiki commented 5 years ago

I had previously run mkcert -install and it said it had installed it? Re-ran it just to be sure and the response is:

Using the local CA at "C:\Users\{OmittedForSecurity}\AppData\Local\mkcert

and I can see the CA as:


FiloSottile commented 5 years ago

I’m afraid we have to wait for someone who actually dealt with IIS, I have never actually used it.

CW92 commented 5 years ago

When using the certificate locally I don't get this issue but when I move it to a VM I get the same error.

Looking at my local machine I have a Certificate created and it is using that (Named "mkcert {Domain}{Username}").

I exported this certificate as .p7b and then imported this on my VM and no longer saw this message pop up in IIS.

natiki commented 5 years ago

My case was Windows 10 running on bare metal.

CW92 commented 5 years ago

If you go to MMC > Certificates > Choose the Certificate > Certification Path, does this certificate appear at the top level or as a sub certificate?

natiki commented 5 years ago

Top level.

martinib77 commented 3 years ago

I'm having the same problem. Did somebody find a solution?

CW92 commented 3 years ago

> I'm having the same problem. Did somebody find a solution?

I am not having the same issue, in PowerShell as Admin (I don't know if Admin mode is required, but I use it out of personal preference).

Created a new one running:

(Screenshot from PowerShell)

When I import my certificate into IIS I am not getting this; looking at the server certification path, I have the top as the machine signing the cert (the mkcert -install cert) and then "2021-06-24.localtest.me" (my newly created cert). (Screenshot from Certificate)

When I have had issues it is due to the certificate not containing the top level Signing Certificate, if the one generated from mkcert is missing the signing Certificate then this can be exported from MMC.

Please let me know if after trying both of these that neither option is working and I will see if I have to do any other steps.

martinib77 commented 3 years ago

I did both options.

But the moment I save the binding on IIS, the intermediate certificates error appears.

(screenshot: ie-message)

Viewing the certificate, everything is ok.

(screenshot: certificate-path)

And when I use Chrome to browse the site, it shows as a secured site.

(screenshot: secured-site)

But then, when my app in .NET Core tries to download a file from the site it gives:

---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain

I assume the error is the same that IIS is showing when saving the binding.

CW92 commented 3 years ago

I think the issue with .Net Core is that the Subject Alternative Name for the certificate in IIS is "2021-06-24.localtest.me", whereas the binding is localhost, which causes a mismatch that prevents the .Net Core application from trusting the certificate.

However, I have also found this can be due to the server not trusting the certificate. To fix this I normally copy the certificate (and any parents) into the Trusted Root CA folder (in MMC); however, recently on occasion I have had to add them to Trusted People as well.

martinib77 commented 3 years ago

Installing in the Trusted Root CA folder (in MMC) solved the issue!

(screenshot: Trusted Root CA folder)

After installing the generated localhost.pfx certificate, IIS doesn't give the warning message anymore, and .NET Core also trusts the certificate.

> It looks like the Subject Alternative Name for the certificate in IIS is "2021-06-24.localtest.me" whereas the binding is localhost which is causing a mismatch preventing the .Net Core application from trusting the certificate

The moment I solved the IIS error, it gave me the name mismatch, but generating the certificate again for localhost solved the problem.
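The three things this thread runs into (the "changeit" PKCS#12 password, a chain that cannot be completed because the signing root is absent from the client's store, and a name mismatch between the certificate's SAN and the host being connected to) can be reproduced with openssl. This is an added example, not mkcert's own code; the root CA, the localhost leaf and the temporary directory are constructed here, and it assumes an openssl 1.1.0 or later binary in PATH.

```shell
# Constructed example (not mkcert's code): a throwaway root CA signs a localhost
# leaf directly, with no intermediate, exactly the shape of a mkcert chain.
# Assumes: openssl (>= 1.1.0) in PATH; all files go into a temp directory.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Stand-in root CA (constructed here; not anyone's real mkcert root).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout ca.key -out ca.pem -days 30 -subj "/CN=example dev root" 2>/dev/null

# 2. Leaf for localhost, signed directly by the root, with a SAN as mkcert sets.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=localhost" 2>/dev/null
printf 'subjectAltName=DNS:localhost\n' > san.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile san.cnf 2>/dev/null

# 3. PKCS#12 bundle protected with the legacy password that mkcert -pkcs12 uses.
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile ca.pem \
  -passout pass:changeit -out leaf.p12

# p12_opens_with PASSWORD: returns 0 if the bundle's MAC verifies with PASSWORD.
p12_opens_with() {
  openssl pkcs12 -in leaf.p12 -passin "pass:$1" -nokeys -noout >/dev/null 2>&1
}

# verify_leaf TRUSTFILE HOST: returns 0 when the chain builds to a root in
# TRUSTFILE and the leaf is valid for HOST. An empty TRUSTFILE simulates a
# client whose store lacks the root: the chain stops at the leaf, which is the
# PartialChain / "missing intermediates" symptom from the thread.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -verify_hostname "$2" \
      leaf.pem >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile -verify_hostname "$2" \
      leaf.pem >/dev/null 2>&1
  fi
}

p12_opens_with changeit && echo "leaf.p12 opens with 'changeit'"
p12_opens_with ""       || echo "leaf.p12 does not open with an empty password"
verify_leaf "" localhost || echo "root not in store: chain cannot be completed"
verify_leaf ca.pem localhost && echo "root in store: chain OK for localhost"
verify_leaf ca.pem dev.example.test || echo "root in store, but SAN does not match host"
```

The last two checks are the two distinct failures martinib77 hit in sequence: first the untrusted root (fixed by installing it in Trusted Root CAs), then the SAN/host mismatch (fixed by reissuing the certificate for localhost).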