0x800b0110 ("The certificate is not valid for the requested usage".) Error in IIS 8 Windows server 2012

Question

In the Server

I have configured a intermediate certificate .pfx file in the IIS and created a https (443) port using binding option. I use certificate for Authorisation also I am expecting a client certificate from the client , I enabled the Require SSL and clien certificate required option in the IIS.

I checked the Intermediate certificate authorities for the root certificate and they also presents, checked the .pfx file installed in the certificate store (Local Machine) also presents.

I created .cer file from the above .pfx file with include private key option and shared the .cer file with my client and he has to attach the .cer file for authorisation .

Above is the REST wcf service with POST.

In the Client Side

I tested this application after getting the .cer file, attach that to my request in my client.exe and calling the service - it returns .403 fobidden error.

In the IIS log it is logged as 403.16 , sc-win32-status code = 2148204816 error

Please help me my above approach is correct and how to avoid this error.

Is configuring CTL is the option , or I need to get a separate client certificate for use from my client side.

Answer 1

You need to make small steps to debug this.

1. First import SSL server certificate to LocalMachine\My store. Verify that certificate is trusted (by double-clicking it and verifying chain).
2. Setup SSL binding in IIS. Verify that you can access the https site (even WCF service gives some documentation page on http/s).
3. Import client certificate in client CurrentUser\My store. Verify that certificate is trusted (by double-clicking it and verifying chain).
4. Set SSL require mode on your WCF service on IIS. Verify that when you access https site of the WCF service a certificate is prompted and no trust error is returned (again, the documentation page should be displayed)

Server certificate must have Server Authentication extension. Client certificate must have Client Authentication extension in it. Client has to trust server certificate. Server has to trust Client certificate. This means that CRLs from both chains must be reachable.