Hi All,
I've been working on a certificate issue for a while now and I'm struggling to make ends meet regarding where this is failing.
Here is the lowdown on the environment:
1. Web IIS Server and Active Directory are two separate VMs running Windows Server 2008 R2.
2. Web IIS Server is running Web Applications that require TLS/SSL forced (non-SSL protocols (http) are not allowed). The Web IIS Server is also the CA for the domain (POC Environment).
3. The web applications on the Web IIS Server can query Active Directory using LDAPS (Forced) implying that the AD Server has the relevant root certificate installed in the "private" directory and that it is working correctly. (Great news).
Advanced Information: (domain names sanitized)
1. The AD server FQDN is ad01.lab.com
2. The Web Server (CA) FQDN is web01.lab.com
The process I used in creating the certificate to be used on the IIS Web Sites is identified below (Websites are serviced from web01.lab.com).
1. I Created a certificate request within the website certificate manager (Certificate Request).
2. The certificate name scribed into the certificate was "web01.lab.com" with the remaining information being relevant to the domain (friendly name scribed as web01).
3. The request was then imported into the domain's CA where it was verified. I then selected the relevant certificate and issued it. The CA Issued folder increased by one certificate and I exported it including the private key.
4. Within IIS I then imported the certificate and it appeared within IIS. I then selected the website and bound the newly created certificate to the https port (restarting IIS services).
The Issue:
1. When I browse to the website on https://web01.lab.com/Test1 (Test1 refers to the web page I'm accessing) I get a "certificate is not valid" error.
2. When clicking the certificate icon and reviewing the details, the below is what I see:
* The certificate issued by ad.lab.com-CA is trusted (This certificate is intended for the following purpose(s): Ensures the identity of the remote computer; issued to: web01.lab.com).
* Under certificate path, both the client certificate and the root certificate are trusted. (No errors on either of the certificates in the chain.)
Certification path:
ad01.lab.com-CA (Not FQDN) - Status: This certificate is OK (implying it is in the trusted root directory)
web01.lab.com (Child certificate is representing FQDN) - Status: This certificate is OK (Implying it is installed within the right directory).
I am navigating to the website from the source using the below URL:
https://ss.web01.lab.com/Test1
I am then redirected to the web page but images aren't loading and the certificate isn't trusted from the Root CA.
At this point I'm a bit lost as to what is going wrong. What fundamental have I missed? I'm not a certificate expert by any stretch of the imagination but I am in the process of learning. What am I missing in the above scenario?
Please be mindful that I have a firewall separating application zone (AD Server) from the web zone (Web Zone) and also separation between the Web Zone and the Database Zone.
Firewall Rules:
1. Web and SQL servers are on the domain and communicating happily through the firewall using Windows Domain standard ports.
2. AD and SQL servers have HTTP and HTTPS opened up to the Web server to request certificates if required (using Windows CA Web Request service).
3. External users have access to the Web Application (IIS instance on HTTPS) through the firewall and can recover the web page using IP or by DNS name (web01.lab.com\Test1) (Host file for the mean time and once working will end up being set in internal DNS).
Can somebody please advise where I should be looking from this point? If the certificates are coming up OK on the client connecting yet the certificate is still being seen as untrusted, I'm confused as to what the issue is. I personally suspect that it's an issue with how I'm calling the web page. IIS has been configured to listen on * for https and not a specific IP address - would this matter?
Any expert guidance on where I went wrong would be hugely appreciated.
Thanks in advance,
Andrew
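As an added illustration (not part of Andrew's post), the Python below models the name check a browser performs after the certificate chain itself has validated: the requested hostname has to appear in the certificate's subjectAltName DNS entries (or, failing that, the subject CN), following the RFC 6125 rules. The certificate data is constructed inline, shaped like the dict Python's `ssl` module returns from `getpeercert()`; the names web01.lab.com and ss.web01.lab.com are the ones in the post, while the second certificate with a SAN covering both names is an assumed example of one that would pass, not something the post describes.

```python
"""
Hostname-vs-certificate matching (RFC 6125 section 6.4 rules):
  * names come from subjectAltName dNSName entries when any are present;
  * the subject CN is consulted only as a fallback when there is no SAN;
  * a wildcard is honoured only as the whole leftmost label ("*.lab.com")
    and matches exactly one label, so "*.lab.com" never covers
    "ss.web01.lab.com".
A certificate can chain to a trusted root and still fail this step.
"""
from typing import List

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
# It models the certificate in the post: CN=web01.lab.com and no SAN.
CERT_CN_ONLY = {
    "subject": ((("commonName", "web01.lab.com"),),),
    "issuer": ((("commonName", "ad01.lab.com-CA"),),),
}

# Constructed (assumed) sample of a certificate whose SAN lists both hostnames.
CERT_WITH_SAN = {
    "subject": ((("commonName", "web01.lab.com"),),),
    "issuer": ((("commonName", "ad01.lab.com-CA"),),),
    "subjectAltName": (("DNS", "web01.lab.com"), ("DNS", "ss.web01.lab.com")),
}


def dns_names(cert: dict) -> List[str]:
    """Return the DNS names a client may match the requested host against.
    SAN dNSName entries take precedence; the CN is used only when no SAN exists."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def label_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    Trailing dots are ignored; a wildcard may only be the entire leftmost label,
    must leave at least two further labels, and matches exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any acceptable name in the certificate covers the hostname."""
    return any(label_matches(name, hostname) for name in dns_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """Human-readable verdict, distinguishing a name mismatch from a chain problem."""
    names = dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return (f"NAME MISMATCH: {hostname} is not in {names}; "
            "the chain may be trusted, but the browser will still reject the site")


if __name__ == "__main__":
    for host in ("web01.lab.com", "ss.web01.lab.com"):
        print(diagnose(CERT_CN_ONLY, host))
        print(diagnose(CERT_WITH_SAN, host))
```

Run as a script it reports a match for https://web01.lab.com/ and a mismatch for https://ss.web01.lab.com/ against the CN-only certificate, which is exactly the "chain is OK but the site is untrusted" symptom described above; the same check is what `ssl.create_default_context()` performs when `check_hostname` is enabled. Issuing a certificate whose SAN lists every hostname the site is reached by (or serving the site only on the name in the certificate) is the fix this check points to.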