1

Does anyone know if IIS supports certificates signed with sha256ecdsa?

If viewed with openssl, I have the following parameters: Signature Algorithm: ecdsa-with-SHA256; Public Key Info: NIST CURVE: P-384.

The problem is that with this certificate I can't get a successful TLS handshake. I wonder if the problem is the signature algorithm or the ECDSA curve (both the certificate and the CA use P-384 public keys).

Fionn
  • IIS in Windows has supported ECC keys for 11 years (since Windows Vista and Windows Server 2008 RTM). There are no algorithm support problems. – Crypt32 Aug 16 '18 at 04:21

1 Answer

1

The problem was that P384 cipher suites are not enabled by default, it seems.

I solved it using a GPO, with the setting "Computer Configuration->Administrative Templates->Network/SSL Configuration Settings->SSL Cipher Suite Order".

I added ciphers such as "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384".

After this it could use the certificate as expected.

Fionn
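A way to check the result of the fix described in the answer, as an added example that is not part of the original post: this PowerShell reads the cipher suite order written by the "SSL Cipher Suite Order" policy and lists which ECDSA suites carry a `_P384` suffix like the one the answer added. The function name and the fallback list are constructed for illustration; the registry path is where the policy stores its comma-separated `Functions` value.

```powershell
# Added example: audit the policy-configured cipher suite order for ECDSA suites
# whose name is bound to P-384 (the suffix format used in the answer above).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-EcdsaSuiteReport {
    param([string[]]$SuiteOrder)   # comma-separated list, as the policy stores it

    $SuiteOrder -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'TLS_ECDHE_ECDSA_*' } |
        ForEach-Object {
            # Older Schannel suite names end in the curve: _P256, _P384, _P521
            $curve = if ($_ -match '_(P\d{3})$') { $Matches[1] } else { '(none)' }
            [pscustomobject]@{
                Suite       = $_
                Curve       = $curve
                MatchesP384 = ($curve -eq 'P384')
            }
        }
}

# Read the list the GPO wrote; empty if the policy is not configured.
$functions = (Get-ItemProperty -Path $policyKey -Name Functions `
                               -ErrorAction SilentlyContinue).Functions

if (-not $functions) {
    Write-Host 'No cipher suite order policy found; using a constructed sample list.'
    # Constructed sample input, not taken from any real server
    $functions = 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,' +
                 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,' +
                 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384'
}

$report = @(Get-EcdsaSuiteReport -SuiteOrder $functions)
$report | Format-Table -AutoSize

if (-not ($report | Where-Object MatchesP384)) {
    Write-Warning 'No ECDSA cipher suite with a _P384 suffix is in the configured order.'
}
```

Run it in an elevated session on the IIS host after `gpupdate /force`; a changed cipher suite order takes effect only after a reboot.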