Chromium Browsers TLS1.2 Fails with ADCS issued certificate on Server 2012 R2

Solution 1:

Please make sure your certificate signing request (CSR) is not requesting a certificate that is valid for signing only, rather than signing and encryption. If the CSR asks for a certificate valid only for signing and your CA has a policy that allows for encryption even when the request was signing only, then you will likely see this problem... sometimes. Clearly a certificate requested for signature only shouldn't work at all when used for encryption, but if your CA overrides the request to allow for encryption, that will create a situation where encryption will work, but only under circumstances when the client supports a couple of specific protocol suites. Identifying certificates causing this problem is complicated.

Try to capture the traffic between the W2012 R2 server and Chrome using Wireshark. If a protocol negotiation is the issue, you'll see the connection reset by the server immediately after the client suggests a list of cipher suites. This packet from the client will have the info "Client Hello", followed immediately by a TCP RST (reset) from the server. If you drill into the details of the "Client Hello" packet, you will be able to see the suites the client is proposing.

To remediate this issue you'll need to make sure that the certificate ordered is for the correct purpose (https://docs.microsoft.com/en-us/archive/blogs/pki/how-to-create-a-web-server-ssl-certificate-manually). It's critical to ensure your certificate request has the correct parameters, including the certificate usage. If you are using Windows PKI with AD-integrated templates, you can "hard code" this in the templates if you like.
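The answer above says to drill into the Client Hello and compare the offered suites against what a signing-only certificate can do. The following is an added example (not part of the original answer) that does that comparison offline: it constructs a minimal TLS 1.2 Client Hello record, extracts the cipher suites, and reports which of them an RSA server certificate with a given Key Usage set can serve. The suite table is a constructed subset of the IANA registry; static RSA key exchange needs keyEncipherment because the client encrypts the premaster secret with the certificate key, while (EC)DHE_RSA suites only need digitalSignature.

```python
import struct

# Key usage an RSA server certificate needs for each suite. Constructed table (subset of
# the IANA registry): static RSA key exchange encrypts the premaster secret with the
# certificate key (keyEncipherment); (EC)DHE suites only sign the key exchange.
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "keyEncipherment"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "keyEncipherment"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "keyEncipherment"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "keyEncipherment"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "digitalSignature"),
    0xC027: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "digitalSignature"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "digitalSignature"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "digitalSignature"),
}

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                       # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_cipher_suites(record):
    """Return the cipher suite code points offered in a TLS ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello record")
    pos = 9 + 2 + 32                        # record + handshake headers, version, random
    pos += 1 + record[pos]                  # skip session id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    if pos + n > len(record):
        raise ValueError("truncated cipher suite list")
    return [struct.unpack("!H", record[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]

def triage(record, cert_key_usages):
    """Split offered suites into those the certificate's Key Usage can serve and those it cannot."""
    usable, blocked, unknown = [], [], []
    for code in parse_cipher_suites(record):
        if code not in SUITES:
            unknown.append(f"0x{code:04X}")
            continue
        name, needed = SUITES[code]
        (usable if needed in cert_key_usages else blocked).append(name)
    return {"usable": usable, "blocked": blocked, "unknown": unknown}

if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0xC030, 0x009C, 0x002F])
    print(triage(hello, {"digitalSignature"}))       # signing-only certificate
```

An empty "usable" list for the Key Usage actually present on the issued certificate means no offered suite can complete the handshake, which matches the Client Hello followed by a TCP RST that the answer describes; the real Client Hello bytes can be exported from Wireshark and fed to parse_cipher_suites in place of the constructed record.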