I proudly present to you the third in an infinite number of posts of “Slippery When Wet.” In these posts I show you a little bastard I stumbled on.
For a web application I needed not only to check the user rights but also to limit the allowed computers. For this I restricted access with a client certificate that has to be installed on the accessing computer.
At the beginning I used a free client certificate from Thawte, as the server certificate was also from them. This certificate was only valid for one year, so I had to renew it every year and update all allowed computers.
But when Thawte ended their support for the free certificate I needed another solution. I chose to use a self-signed certificate as the client certificate but keep the server certificate from Thawte, as other web applications that needed HTTPS were also running on the server.
So I created the Certification Authority (CA) certificate and a client certificate signed with this CA certificate using OpenSSL. Testing with these certificates worked as it should. But for testing purposes I had used the default values for the validity period, so I created a new CA and a new client certificate with a longer validity period. After removing the testing certificates and installing the newly created certificates I thought it would work as before, but the client certificate was not selectable in the client certificate selection dialog of Internet Explorer.
I tried several things such as restarting IE, clearing the SSL cache and cursing. But nothing helped.
Analyzing the communication between client and server with OpenSSL brought the solution: the Internet Information Server (IIS) was still using the old, already removed CA certificate, probably from its cache, and not the new one, maybe because the two were named similarly. After restarting IIS on the server the new client certificate was selectable in the client certificate selection dialog of Internet Explorer.
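As an added example (not code from the original post), this is how the CA and client certificate from the steps above can be created with OpenSSL using explicit validity periods instead of the defaults, followed by a chain check, a look at the issuer name the server has to advertise, and a helper that reads the acceptable-CA list a running server actually sends; all file names, subjects and validity values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Creates a self-signed CA and a
# client certificate with explicit validity periods, then checks the result.
# Assumptions: the openssl CLI is installed; names, subjects and day counts
# are made up for the example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DAYS=3650      # CA valid for 10 years instead of the short default
CLIENT_DAYS=1825  # client certificate valid for 5 years

# Create the CA private key and the self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$CA_DAYS" \
        -subj "/CN=Example Client CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Create the client key and CSR, then sign the CSR with the CA.
make_client() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=workstation01" \
        -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
    openssl x509 -req -days "$CLIENT_DAYS" -sha256 -in "$WORKDIR/client.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/client.crt" 2>/dev/null
}

# Print OK when the client certificate chains to the CA, otherwise FAIL.
verify_client() {
    if openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}

# Print the issuer DN of the client certificate. The server must advertise
# this CA name, or the browser will not offer the certificate.
client_issuer() {
    openssl x509 -in "$WORKDIR/client.crt" -noout -issuer
}

# Show which CA names a running server advertises for client authentication
# (the "Acceptable client certificate CA names" block of s_client). A stale
# entry here is the symptom the post describes. Usage: server_acceptable_cas host:443
server_acceptable_cas() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | sed -n '/Acceptable client certificate CA names/,/^---/p'
}
```

Once the new CA is installed in the server's certificate store, the post's conclusion applies: restart IIS, then confirm with server_acceptable_cas that the list names the new CA and not the removed one.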
Conclusion: after removing a (CA) certificate from IIS, restart it to clear the cache!