SHA256 not working even after hotfixes

Jon Koeter · Dec 22, 2010 · Viewed 14.5k times

OK, so we have a Windows Server 2003 machine with SP2 and both hotfixes KB 938397 and KB 968730 installed. When we try to use the SHA2 certificates (SHA256), the following things still happen:

• Such a certificate can be imported into the certificate store, but subsequently it becomes apparent that the signature algorithm is not recognized, and that it is denoted as corrupt, with an invalid digital signature; the same certificate imported under Windows Server 2008 is displayed there with “This certificate is OK”.

• If one approaches a webservice that requires SSL with client authentication certificates (as set in IIS), then a call to a webmethod fails if a client authentication certificate of this type is passed along, with the error “403 Forbidden”. If a sha1RSA certificate is passed along with the call, the webservice does return a substantive result. The call is made from .NET code, framework 1.1, running on the same server.

Does anyone have any experience with this? Microsoft support is slow, and we need this done by 2011-1-1.

Answer

Jon Koeter · Jan 3, 2011

To everyone who has the same problem:

We've had Microsoft do an extensive search for a solution to this problem, but they could only conclude that these certificates could ONLY be supported by the OS when used as client certificates. If you install the hotfixes, the certificate can indeed be installed and used in (e.g.) IE. The handshake with a server accepting the specific certificate will work fine. Using the certificate for server purposes (like IIS or whatever) will NOT work.

Good luck
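Added example, not code from the question or answer: a standard-library Python check that reads a DER certificate's signatureAlgorithm OID, so a SHA-2 signed certificate can be flagged before it is deployed to a Windows Server 2003 host in the server role that the answer says is unsupported even with the hotfixes. The DER sample is constructed (a placeholder TBSCertificate and a dummy signature), not a real certificate, and the verdict strings only restate what the answer reports.

```python
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

# PKCS#1 signature algorithm OIDs that the thread is about (sha1RSA vs sha256RSA).
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1RSA", "1.2.840.113549.1.1.11": "sha256RSA"}

def signature_algorithm(cert_der):
    """Return the signatureAlgorithm of a DER Certificate (friendly name or dotted OID)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _, pos = _read_tlv(cert, 0)                   # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)              # signatureAlgorithm SEQUENCE
    _, oid_raw, _ = _read_tlv(alg_id, 0)             # algorithm OBJECT IDENTIFIER
    oid = _decode_oid(oid_raw)
    return SIG_OIDS.get(oid, oid)

def server_2003_verdict(cert_der):
    """Map the algorithm to the behaviour the answer reports for Server 2003 SP2."""
    alg = signature_algorithm(cert_der)
    if alg == "sha1RSA":
        return alg, "usable as client and server certificate"
    if alg == "sha256RSA":
        return alg, "with KB 938397/KB 968730: client certificate only, not for IIS"
    return alg, "not in table; check manually"

def _der(tag, content):
    """Encode one DER TLV for the constructed sample (content shorter than 256 bytes)."""
    n = len(content)
    return bytes([tag, n] if n < 0x80 else [tag, 0x81, n]) + content

def sample_cert(oid_hex):
    """Constructed skeleton, not a real certificate: SEQUENCE { tbs, alg, BIT STRING }."""
    tbs = _der(0x30, _der(0x02, b"\x01"))            # placeholder TBSCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 129))   # dummy signature
```

To run it against a real certificate, pass the bytes of a DER (.cer) file to `server_2003_verdict`; a PEM file must be base64-decoded first.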