Follow

Issue: When provisioning to a CAPI application the hostname binding is not being set in IIS

Applies to:

17.3.x and above

Symptom

A certificate pushed to a CAPI application is not binding to the virtual website in IIS  and as a result is not validating correctly.   

Cause

Only the use of IP addresses and SNI configuration in IIS to link the provisioned certificate to the website and validate it. 

 

Resolution 

The customer will need to remove the existing certificate from the CAPI store on the application object, and push the certificate to sync up the settings. Need to make sure that ALL settings match in Venafi TPP and in the CAPI application, specifically the certificate private key exportable settings.

If no FQDN is presented by the client application the customer will need to set up two different bindings in IIS for correct provisioning and validation. The customer will need to set up one binding with FQDN/Hostname and the SNI checkbox enabled and a second binding with IP address.

More Information

You can also apply these Powershell command to further troubleshoot the issue

1.) $binding = $(Get-WebBinding | ? {$.bindingInformation -eq "{IP address}:{port}:{FQDN}" -and $.sslFlags -eq 1}. (To retrieve all bindings in IIS).

2.) $thumbprint = $binding.certificateHash $cert = Get-Item "Cert:\LocalMachine\My\$($thumbprint)". (This is used to find the thumbprint of the certificate.)

3.) $p12bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType] "Pfx", "{password}"). (To export)

4.) $cert.privatekey (To view private key).

5.) $privKey = [System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey
$privKey.CspKeyContainerInfo.Exportable (This  is to determine if the private key is not exportable.)

Was this article helpful?
0 out of 0 found this helpful

Comments