Applies to:
17.3.x and above
Symptom
A certificate pushed to a CAPI application is not binding to the virtual website in IIS and as a result is not validating correctly.
Cause
IIS links the provisioned certificate to the website, and validates it, solely through the IP address and SNI configuration of the site's HTTPS binding. If the binding type does not match how the client connects (with or without an FQDN), the certificate is never selected for the request.
Resolution
The customer will need to remove the existing certificate from the CAPI store on the application object, then push the certificate again so that the settings sync up. Make sure that ALL settings match between Venafi TPP and the CAPI application, specifically the private key exportable setting on the certificate.
If no FQDN is presented by the client application, the customer will need to set up two different bindings in IIS for correct provisioning and validation: one binding with the FQDN/hostname and the SNI checkbox enabled, and a second binding with the IP address only.
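The two bindings described above, created and checked with the WebAdministration module. This is an added example, not a script from the Venafi KB article; the site name, IP address, hostname and thumbprint are placeholder assumptions.

```powershell
# Added example: create the hostname+SNI binding and the IP-only binding the
# resolution calls for, attach the provisioned certificate to both, and check
# that every HTTPS binding on the site resolves to the same certificate.
Import-Module WebAdministration

$siteName   = "Default Web Site"   # assumption
$ipAddress  = "192.0.2.10"         # assumption (documentation range)
$hostName   = "app.example.com"    # assumption
$thumbprint = "{thumbprint}"       # placeholder: thumbprint of the provisioned certificate
$port       = 443

# Binding 1: hostname with SNI. SslFlags 1 = SNI required.
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress "*" `
    -HostHeader $hostName -SslFlags 1

# Binding 2: IP address only, for clients that present no FQDN. SslFlags 0 = no SNI.
New-WebBinding -Name $siteName -Protocol https -Port $port -IPAddress $ipAddress -SslFlags 0

# Attach the certificate from the local machine (CAPI) store to both bindings.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
Get-WebBinding -Name $siteName -Protocol https | ForEach-Object {
    $_.AddSslCertificate($cert.Thumbprint, "My")
}

# Verify: both HTTPS bindings should report the same certificateHash, with
# sslFlags 1 on the hostname binding and 0 on the IP binding.
Get-WebBinding -Name $siteName -Protocol https |
    Select-Object bindingInformation, sslFlags, certificateHash

# The private key exportable setting must match the CAPI application object in
# Venafi TPP; this cast applies to keys held by a legacy CSP.
$privKey = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey
$privKey.CspKeyContainerInfo.Exportable
```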
More Information
You can also run these PowerShell commands (with the WebAdministration module loaded) to further troubleshoot the issue:
1.) $binding = $(Get-WebBinding | ? {$_.bindingInformation -eq "{IP address}:{port}:{FQDN}" -and $_.sslFlags -eq 1}) (Get-WebBinding alone retrieves all bindings in IIS; the filter narrows to the binding with the given IP address, port and FQDN where SNI is enabled, sslFlags 1.)
2.) $thumbprint = $binding.certificateHash; $cert = Get-Item "Cert:\LocalMachine\My\$($thumbprint)" (Reads the thumbprint of the bound certificate and loads that certificate from the local machine store.)
3.) $p12bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, "{password}") (Exports the certificate with its private key as PFX bytes; this fails if the private key is not exportable.)
4.) $cert.PrivateKey (Displays the private key object.)
5.) $privKey = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey
$privKey.CspKeyContainerInfo.Exportable (Returns True if the private key is exportable and False if it is not; this value must match the exportable setting on the CAPI application object in Venafi TPP. The cast applies to keys held by a legacy CSP.)