IIS web server works with certificates issued from EE-GovCA2018 chain (updated 15.11.2019)


Today Microsoft released updates for its Windows Server versions with which certificates issued from the EE-GovCA2018 chain work as expected, resolving the IIS web server issue. The updated versions are Windows Server 2019, 2016 and 1903.

Previously, the problem was that the new certificates issued from the EE-GovCA2018 chain could not be used to authenticate against IIS web services from various web browsers.

This issue was caused by Microsoft's implementation of RFC 5246.

Microsoft has released Windows Server updates that include these improvements; with them installed, authentication through browsers succeeds.

  • For Windows Server 2016 (LTSC), update KB4516061 fixes the issue
  • For Windows Server 2019 (LTSC), update KB4520062 fixes the issue
  • For Windows Server 1903 (SAC), update KB4524570 fixes the issue

Additionally, Microsoft announced that Windows Server 2012 and 2012 R2 will unfortunately not be patched, because these versions are not covered by mainstream support. In this case we recommend upgrading to a newer web server version, or using other web browsers (Internet Explorer, Microsoft Edge, Mozilla Firefox) with the newer ID cards.

More information on setting up ID card support for the IIS web server and a description of the problem can be found here.

More info [email protected].