IIS no longer trusts any CAs for client authentication
Solution 1:
I've faced the same problem. I finally figured out the site was working correctly, but was tricked by the openssl message (which is just negotiation).
The correct steps are:
- Set IIS SSL bindings up correctly:
    netsh http show sslcert
  and copy the values.
- Overwrite the server SSL certificate binding with
    netsh http update sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable
  (or netsh http delete followed with netsh http add).
- Verify that the settings were applied with
    netsh http show sslcert
- (Windows 2012 R2 only) Set
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList
  to 1.
The clientcertnegotiation is needed to show the list to browsers/openssl; with it disabled, a well-configured client can still send the correct certificate.
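The same sequence of steps, as an added PowerShell example (not part of the original answer). It assumes the binding is 0.0.0.0:443 as in the answer, and uses the placeholders <CERT_THUMBPRINT> and <APP_ID> for the certhash and appid values, which you copy from the output of netsh http show sslcert before overwriting the binding:

```powershell
# Added example: re-apply the IIS SSL binding from Solution 1 and check the result.
# <CERT_THUMBPRINT> and <APP_ID> are placeholders (not values from the original answer):
# take them from the "Certificate Hash" and "Application ID" lines that
# 'netsh http show sslcert' prints for the existing binding.
$ipport   = "0.0.0.0:443"
$certHash = "<CERT_THUMBPRINT>"   # placeholder: thumbprint of the server cert in Cert:\LocalMachine\My
$appId    = "<APP_ID>"            # placeholder: GUID of the application that owns the binding (IIS)

# 1. Record the current binding before touching it.
netsh http show sslcert ipport=$ipport

# 2. Overwrite the binding: trust only the CAs in the ClientAuthIssuer store for
#    client authentication and make Schannel request a client certificate.
netsh http update sslcert ipport=$ipport certhash=$certHash appid=$appId `
    sslctlstorename=ClientAuthIssuer clientcertnegotiation=enable

# 3. Verify the settings were applied: the binding should now name the CTL store
#    and report client certificate negotiation as enabled.
$binding = netsh http show sslcert ipport=$ipport
$binding
if (-not ($binding | Select-String 'ClientAuthIssuer')) {
    Write-Warning "Binding for $ipport does not reference the ClientAuthIssuer store"
}

# 4. (Windows Server 2012 R2 only) make Schannel send the trusted issuer list to clients.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
Set-ItemProperty -Path $schannel -Name SendTrustedIssuerList -Value 1 -Type DWord
Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList
```

Run it from an elevated prompt, since both netsh http and the HKLM write need administrator rights. The issuer list that browsers and openssl see is built from the certificates in the ClientAuthIssuer store, so that store must actually contain the CA certificates you want to accept.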
Solution 2:
I have had the same problem before, and it seemed to happen after a Windows update. It has happened to me more than once (Server 2003 and Server 2008). I struggled to find a proper solution for self-signed certificates. I often wondered if the machine key changed, or if the algorithm changed? Is that even possible after a Windows update? Once we found the anti-virus causing problems, so I would check that, especially those with all the "anti-spy" / "Safe Internet Browser" and "Malware" features - AVG guilty here.
Anyway, what we would do was re-create certificates and re-install on local machines (small client base, so easy to roll out). The best solution was the use of a "cheap" wildcard certificate for Build, Test and Staging servers. The wildcard cert saved a lot of time, and was useful for "spontaneous" client demos.