Renew DST Root CA X3 on IIS?

Hi there, hope you are all doing fine.

As you know, from the last 30th September this cert doesnt work on old devices and i've received a lot of complains of our customers about that they cannot use some applications.

I've asked them to renew the cert manually on their computers but I would like to know if there's any way to renew the cert manually on the IIS server so we can avoid customers to have to install a cert by themselves.

Is there any way to update that cert? I've tried to install some from this link but seems as it doesnt work.

Hope you can help me,

thanks a lot.

1 Like

Welcome to the forums, @Ecoit. I think your understanding of the situation is a bit confused. Let me try to clarify.

There is no way to un-expire or renew the actual DST Root CA X3 cert that expired. When ACME clients request a new certificate from Let's Encrypt, the default chain that is returned with that certificate contains a cross-signed copy of the ISRG Root X1 certificate signed by that now expired DST root on purpose to retain compatibility with old Android clients because they don't care that the DST root is expired and they don't trust the newer ISRG root because they're no longer receiving updates.

In addition to the default chain, ACME clients can request and use an alternate chain that does not include any references to the DST root, but requires that clients already trust the ISRG root.

The default/alternate chain situation is unfortunately more complicated on Windows servers because IIS does not allow any control over which chain is served with a leaf certificate. It cedes control of the chain building to the underlying OS which does care that the DST root is expired and will only serve the alternate (aka "short", aka non-old-android-compatible) chain without additional tinkering in the Windows certificate stores.

So if you're running a website on IIS without any sort of reverse proxy in front of it and you need to support old Android users, you have a few options:

  • (Easiest) Switch to a different ACME CA that provides certs still compatible with the Android version you're targeting.
  • (Hacky/Unsupported) Tweak the Windows cert stores in such a way that it forces the OS to pick the long chain. (Guide)
  • Use an alternative Windows based web-server that doesn't rely on the OS to do chain building.
  • Add a Linux-based reverse proxy that sits in front of your IIS server, terminates the TLS connections , and allows better control over which chain is being served.
  • Use a service like Cloudflare that also acts as a reverse proxy
9 Likes

Hi,

Thanks a lof for the answer.

On my website I dont have users using old android devices, i'm thinking more about windows xp or windows 7 or even some not updated computers.

From september i've told our customers to manually install the cert here Chain of Trust - Let's Encrypt and in that cases, these computers works again on my website, but I'd like to know if there's any way to avoid this and do it from the server.

Thanks a lot again.

1 Like

Not possible.
If the clients don't update their root trust stores, they can't trust any newer roots.
Web browsers will always ignore all roots being sent by web servers (unless already trusted).

Rudy is correct for Let's Encrypt and in general.

But, as rmbolger noted, you could switch to a different CA that would already be trusted by your client base.

1 Like

But that won't stop an outdated Win7 from complaining about the remaining 230M LE sites!
LOL

1 Like

No, it would not ! :slight_smile: (just one less than 230M!)

1 Like

thanks all for your help, really appreciated!

1 Like