
Previously trusted client certificate no longer trusted by IIS

I was getting the following error from IIS when testing locally a web API that requires SSL client certificates:

403.16 The client certificate used for this request is not trusted by the Web server

One way to troubleshoot is to use the certutil tool that comes with Windows. There is a verify switch that you can use to verify the public portion of the client certificate:

certutil -f -urlfetch -verify "public client cert.cer"
The tool will show any errors encountered while validating the cert, such as a failure to look up the issuer's certificate revocation list (CRL).

You can also capture the details of the client certificate, like the subject name, issuer and serial number, by adding custom fields to your IIS log. Instructions are here and the fields are under "Server Variables". 

The specific issue I was having, however, is described in the answer to https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue . I had a Trusted Root cert that was invalid. After removing that cert from the Trusted Root store at the computer level, IIS was able to trust my client certificate. The interesting thing was that the Trusted Root cert I removed was not related at all to my client cert, so IIS was basically failing because of an unrelated cert.
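As an added check that is not part of the original post, the following PowerShell lists entries in the computer-level Trusted Root store that do not look like root certificates. The post does not say in what way the offending root was invalid, so this assumes the usual defects: a certificate in that store that is not self-signed, or one outside its validity period.

```powershell
# Added example (not from the original post): audit LocalMachine\Root for entries
# that should not live in a root store. A root CA certificate is self-signed, so its
# Subject and Issuer match; expired or not-yet-valid entries are also suspect.
# Assumption: these are the defects most likely behind an "invalid" root that makes
# IIS answer 403.16 for an otherwise valid client certificate.
$now = Get-Date

$suspect = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
    $problems = @()
    # String comparison of distinguished names is a heuristic; a DN written in a
    # different attribute order would show up here as a false positive to review.
    if ($_.Subject -ne $_.Issuer) { $problems += 'not self-signed' }
    if ($_.NotAfter  -lt $now)    { $problems += 'expired' }
    if ($_.NotBefore -gt $now)    { $problems += 'not yet valid' }

    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Problems   = ($problems -join ', ')
        }
    }
}

if ($suspect) {
    $suspect | Format-Table -AutoSize -Wrap
    # After confirming an entry is not needed, remove it from an elevated prompt, e.g.:
    # Remove-Item -Path Cert:\LocalMachine\Root\<THUMBPRINT>
}
else {
    'No suspect certificates found in LocalMachine\Root.'
}
```

Run it from an elevated prompt so the machine store, not just the current user's, is read; the same audit can be pointed at Cert:\CurrentUser\Root if the site runs under a user profile.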
