
Previously trusted client certificate no longer trusted by IIS

I was getting the following error from IIS when testing locally a web API that requires SSL client certificates:

403.16 The client certificate used for this request is not trusted by the Web server

One way to troubleshoot is to use the certutil tool that comes with Windows. Its -verify switch validates the public portion of the client certificate, and -urlfetch makes it retrieve the issuer certificates and CRLs from the URLs embedded in the cert rather than relying only on what is cached locally:

certutil -f -urlfetch -verify "public client cert.cer"
The tool will report any errors encountered while validating the cert, such as a failure to look up the issuer's certificate revocation list (CRL).

You can also capture the details of the client certificate (subject name, issuer and serial number) by adding custom fields to your IIS log. Instructions are here and the fields are under "Server Variables" (CERT_SUBJECT, CERT_ISSUER and CERT_SERIALNUMBER).

The specific issue I was having, however, is described in the answer to https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue . I had an invalid certificate in the Trusted Root store. After removing that cert from the Trusted Root store at the computer (Local Machine) level, IIS was able to trust my client certificate. The interesting thing was that the Trusted Root cert I removed was not related to my client cert at all, so IIS was failing because of an unrelated cert. This is a known IIS/Schannel behaviour: a certificate sitting in the Trusted Root Certification Authorities store that is not self-signed (its issuer does not match its subject) makes the server reject client certificates with 403.16, so it is worth scanning that store for such entries before spending time on the client certificate itself.
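The following PowerShell is an added example and is not code from the original post. The first function does roughly what the certutil -verify command above does (it builds the chain with online revocation checking and reports every chain-status error, so a CRL lookup failure shows up as an explicit status rather than a bare 403.16), and the second lists entries in the machine Trusted Root store that are not self-signed or are outside their validity period, which is the kind of stray root described above. The certificate path and the thumbprint in the usage lines are placeholders; run it in an elevated session so the Local Machine stores are readable.

```powershell
# Added example, not from the original post. Paths and thumbprints are placeholders.

function Test-ClientCertChain {
    param(
        [Parameter(Mandatory)][string]$CertPath   # public .cer of the client certificate
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Mirror certutil -urlfetch -verify: check revocation online for the whole chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the Client Authentication EKU, which is what IIS expects on a client cert
    $clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    $chain.ChainPolicy.ApplicationPolicy.Add($clientAuth) | Out-Null

    $ok = $chain.Build($cert)

    [pscustomobject]@{
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        Serial  = $cert.SerialNumber
        Valid   = $ok
        # e.g. "RevocationStatusUnknown" / "OfflineRevocation" when the CRL cannot be fetched,
        # "UntrustedRoot" when the chain ends in a root that is not in the Root store
        Errors  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

function Find-SuspectTrustedRoots {
    # Entries in the machine Trusted Root store that should not be there:
    # a root must be self-signed (Subject equals Issuer); a non-self-signed entry
    # is the documented trigger for 403.16. Expired or not-yet-valid roots are
    # listed as well so they can be reviewed, although they are not the 403.16 cause.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
        $reasons = @()
        if ($_.Subject -ne $_.Issuer) { $reasons += 'not self-signed' }
        if ($_.NotAfter  -lt $now)    { $reasons += 'expired' }
        if ($_.NotBefore -gt $now)    { $reasons += 'not yet valid' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                NotAfter   = $_.NotAfter
                Reason     = $reasons -join ', '
            }
        }
    }
}

# Usage (placeholder path; the thumbprint below is whatever Find-SuspectTrustedRoots reported)
Test-ClientCertChain -CertPath 'C:\certs\public client cert.cer' | Format-List
Find-SuspectTrustedRoots | Format-Table -AutoSize
# After confirming an entry really does not belong in the Root store, remove it:
# Get-Item 'Cert:\LocalMachine\Root\<thumbprint>' | Remove-Item
```

The removal line is left commented on purpose: deleting from the Trusted Root store affects every TLS validation on the machine, so confirm the entry's Subject and Issuer first and, on a domain-joined box, check whether Group Policy is the source that will simply push it back.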
