IIS 8.5 building incorrect chain with Lets Encrypt Authority X3

I had the same problem yesterday/today. The certificate chain I imported to the Microsoft server was OK. The server certificate is included as well as the Let’s Encrypt Authority X3 certificate.
As long as the Let’s Encrypt Authority X1 certificate is in the certificate store of my server, IIS delivers (in the chain as intermediate CA) the X1 certificate instead of the X3 certificate.
I had to remove the X1 certificate from the certificate store on my server. Now it delivers the correct X3 certificate.
I analyzed the certificates X1 and X3 and found the following:
Both certificates have the same “X509v3 Subject Key Identifier”:
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
You can easily verify that by using the openssl command for both certificates:
openssl x509 -in lets-encrypt-x1-cross-signed.cer -text
openssl x509 -in lets-encrypt-x3-cross-signed.cer -text
Because my Let’s Encrypt certificate references this keyId, I assume IIS has problems distinguishing between both certificates:
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Hope this helps to find the problem.
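As an added illustration (not code from the original post), the following Python models the ambiguity described above: two intermediates carry the same Subject Key Identifier, so a chain builder that matches only on the leaf's Authority Key Identifier can pick either one, while a builder that also requires the intermediate's Subject to equal the leaf's Issuer selects the right certificate. The certificate records, the root key identifier and the expiry dates are constructed for the example, not parsed from real certificates.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass(frozen=True)
class CertInfo:
    """Constructed certificate metadata; no real certificate is parsed."""
    subject: str
    issuer: str
    ski: str             # X509v3 Subject Key Identifier
    aki: Optional[str]   # X509v3 Authority Key Identifier (keyid)
    not_after: datetime  # constructed expiry, not the real one

# The keyId quoted in the post; X1 and X3 share it because they share a key.
LE_KEYID = "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1"
ROOT_KEYID = "ROOT-KEYID-PLACEHOLDER"  # constructed, stands in for the root's keyid

X1 = CertInfo("Let's Encrypt Authority X1", "DST Root CA X3", LE_KEYID, ROOT_KEYID, datetime(2020, 1, 1))
X3 = CertInfo("Let's Encrypt Authority X3", "DST Root CA X3", LE_KEYID, ROOT_KEYID, datetime(2021, 1, 1))
LEAF = CertInfo("example.test", "Let's Encrypt Authority X3", "LEAF-SKI", LE_KEYID, datetime(2019, 6, 1))

def pick_by_keyid(leaf: CertInfo, store: List[CertInfo]) -> Optional[CertInfo]:
    """Naive builder: first store entry whose SKI equals the leaf's AKI.
    With X1 and X3 both present, the result depends only on store order,
    which is the behaviour the post describes."""
    for cert in store:
        if cert.ski == leaf.aki:
            return cert
    return None

def pick_by_keyid_and_name(leaf: CertInfo, store: List[CertInfo]) -> Optional[CertInfo]:
    """Stricter builder: SKI must match the leaf's AKI AND the intermediate's
    Subject must match the leaf's Issuer; among several, prefer the one that
    expires last. This resolves the X1/X3 ambiguity without deleting X1."""
    candidates = [c for c in store if c.ski == leaf.aki and c.subject == leaf.issuer]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.not_after)

def chain_is_consistent(leaf: CertInfo, intermediate: CertInfo) -> bool:
    """Check a served chain the way a client would: name chaining plus key id."""
    return intermediate.subject == leaf.issuer and intermediate.ski == leaf.aki
```

Running `pick_by_keyid(LEAF, [X1, X3])` reproduces the wrong X1 intermediate, while `pick_by_keyid_and_name` returns X3 regardless of store order.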
