How to log when user gets the 'Connection Not Private' message


#1

I’m serving a clientele (banks) that tends to have fairly old versions of both browsers and Windows. I’ve been able to install LE (hat’s off - it was a piece of cake) but I’m concerned that I am able to log how many of my visitors do not have the client-side cert already installed. My IIS server is configured to auto-forward any http requests to https - so I might be locking out some users. How will this show up in my logs?


#2

Hi @amSteve

If you configure the intermediates correctly then you shouldn’t get this message

Andrei


#3

@ahaw021, although it’s not what @amSteve asked about, some clients could also fail to connect because of obsolete ciphersuites or something, so that might also be worth looking at.

@amSteve, as @ahaw021 alludes to, there are intermediate certificates in the PKI system that show that a root CA has delegated its authority to an intermediate CA and allowed that intermediate CA to issue trusted certificates. Let’s Encrypt is in this position with respect to the root CA IdenTrust. Currently this intermediate certificate reflects that relationship:

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

It’s not a best practice to hard-code this in your configuration because it might change in the future, but you should also have gotten a copy of this certificate when your end-entity certificates were issued using a Let’s Encrypt client application. If it’s configured in your IIS server, clients that trust IdenTrust should also accept Let’s Encrypt certs, again, unless they have a cryptographic incompatibility.
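Added example, not part of the thread: a client that cannot build a trusted chain (or agree on a ciphersuite) aborts the TLS handshake before it ever sends an HTTP request, so the failure does not appear in the IIS W3C request log at all; on Windows it is recorded by Schannel in the System event log instead (event 36887 carries the TLS alert code the client sent back, event 36874 a ciphersuite mismatch). The Python below classifies such events into "untrusted chain" versus "crypto mismatch", which separates the intermediate-certificate problem raised here from the ciphersuite problem raised in the same post; the CSV export layout and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# TLS alert descriptions from RFC 5246, section 7.2 (the subset seen in handshake failures)
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
}
# Alerts a client sends when it cannot validate the chain (missing or untrusted intermediate)
CHAIN_ALERTS = {42, 43, 46, 48}
# Alerts that point at a protocol-version or ciphersuite mismatch instead
CRYPTO_ALERTS = {40, 70, 71}

ALERT_RE = re.compile(r"fatal alert code is (\d+)")

# Constructed sample export of System log lines: timestamp, Schannel event ID, message
SAMPLE_EVENTS = """\
2017-03-01T09:00:01,36887,A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.
2017-03-01T09:00:07,36887,A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 48.
2017-03-01T09:01:13,36887,A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
2017-03-01T09:02:45,36874,An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
2017-03-01T09:03:02,36887,A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
"""

def classify(event_id: int, message: str) -> str:
    """Map one Schannel event to a handshake-failure class."""
    if event_id == 36874:
        return "ciphersuite_mismatch"
    if event_id == 36887:
        m = ALERT_RE.search(message)
        if m:
            code = int(m.group(1))
            name = TLS_ALERTS.get(code, f"alert_{code}")
            if code in CHAIN_ALERTS:
                return f"untrusted_chain:{name}"
            if code in CRYPTO_ALERTS:
                return f"crypto_mismatch:{name}"
            return f"other:{name}"
    return "unclassified"

def summarize(export: str) -> Counter:
    """Count handshake failures by class over an exported log (message is the last field)."""
    counts = Counter()
    for line in export.strip().splitlines():
        _ts, event_id, message = line.split(",", 2)
        counts[classify(int(event_id), message)] += 1
    return counts
```

A rising `untrusted_chain` count after a certificate renewal is the signal that the intermediate is not being served; `crypto_mismatch` and `ciphersuite_mismatch` point at the old-client compatibility issue instead.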


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.