About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (2024)

So you want your site to be available over secure HTTP and you already know that you need an SSL certificate. Still, many things can go wrong. I’m not going to document a specific error; rather I’d say how SChannel, TLS, keys and CAPI fit in, and where to look for problems.

Because we set the HTTPS binding and certificate for a site in IIS Manager, we might be tempted to think that IIS is managing the Secure Channel, or SChannel, through which HTTP traffic takes place. But that’s wrong. IIS Manager is going to configure the HTTP.SYS driver, specifying the certificates to be used for HTTPS traffic. And then, HTTP.SYS is going to take care of the TLS channel for HTTPS communication. Look:

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (1)IIS sits on top of HTTP.SYS, which in turn relies on SChannel provider for HTTPS communication

Before any HTTPS traffic can happen, a TLS SChannel has to be established. Then, through that channel, normal HTTP requests and responses would travel. The secure channel is initiated by HTTP.SYS, which sits below IIS. If the SChannel fails, then requests don’t reach to IIS, they will not show up in IIS logs. With SChannel failures, HTTPS requests don’t even make it to HTTP.SYS. Why?­

The HTTP.SYS driver is going to call the SChannel provider to create the secure tunnel. SChannel will use the CAPI, the Cryptographic API of Windows. The certificate’s public and private keys are going to be used by CAPI2. Notice my highlight: the private key of the certificate is needed for the SChannel. If that private key is missing or inaccessible due to ACL (Access Control List), then “game over” – no tunnel can be created, HTTPS traffic would fail. And there are other reasons too for which the certificate may be rejected by the SChannel provider; see later in this article.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (2)A certificate that is paired with its private key

The SChannel provider is logging into the Windows Events – look inside the System log with the Event Viewer, looking for source SChannel. Here are some common SChannel events and SSL/TLS protocol alerts.

The logging of the Crypto API is not turned on by default. If you want to troubleshoot, you’ll need to turn on the CAPI2 logging in the Windows Events Viewer.

The TLS handshake

Let’s see the steps of the TLS negotiation, how the secure channel is being established between the client and the server before any HTTPS traffic can happen.

  1. TCP handshake is performed between client and server, then...
  2. Client Hello: The client sends to server the versions of TLS protocol supported, as well as the suite of ciphers (encryption/decryption algorithms it supports for key exchange, data encryption and handshake security);
  3. Server Hello: After the server compares what the client sends with its own supported TLS versions and ciphers, the server decides which ones will be used and sends the selection to the client.
  4. Server certificate: The server has to authenticate itself to the client, so it sends its certificate. The keys will be used for encryption.
  5. Client switches to encrypted; all following messages from client will be encrypted from this point.
  6. Server switches to encrypted, too. From this point, normal HTTP requests and response can travel via the encrypted channel.

In fact, the TLS handshake is a bit more complicated, so I recommend the Pluralsight training Analyzing and Decrypting TLS Traffic for details. But the above steps are enough to illustrate what could go wrong and where to look for problems.

TCP handshake

Condition: The client (browser) has to be able to resolve the name of a site (the hostname) to an IP address. For that, needed DNS records must be in place. Do you have a DNS A or CNAME record in place? Can the IP address of the hosting environment be determined for the site/host name specified in the browser’s address bar? You can check with nslookup command-line tool:

C:> nslookup duckduckgo.com

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (3)Checking name resolution to IP addresses with nslookup

Client Hello and Server Hello

The client is sending to the server its supported TLS versions and cipher suites. The server compares the list with its own “records”. If the server does not support any of the TLS versions specified by client: fail. If or none of server's cipher suites matches one from the client’s list, boom! Look into Windows Events, in the System log, for entries sourced SChannel.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (4)A network trace capturing TLS negotiation, Client Hello

If you suspect problems with the encryption, then that’s the domain of CAPI2 - Cryptographic API logging must be enabled, then events must be studied.

Server Certificate

The server authenticates first; then, optionally, the client. But before the server sends its certificate, that must be usable. The SChannel provider performs some validation on the certificate, before using it.

The private key of the certificate must be present on the server and accessible to SChannel provider. There is common misconception that the private key of a certificate stays within the certificate. That’s wrong; the private key belongs to a certificate, but it is stored separately. Certificates are held in Registry, while their private keys have various repositories, depending on where the certificate is found in the Certificate Manager: read key storage and retrieval and certificate locations in Windows.

The issuing authority of the certificate must be trusted by the server. The certificate of the issuing authority must be present in the Computer’s Trusted Root Certification Authorities. If there are intermediate certification authorities, their certificates must be present in the Computer’s Intermediate Certification Authorities. The certificate chain must be trusted.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (5)Both client and server should trust the certification chain. Issuing root and intermediate certification autorities

The certificate must not be revoked. And its Key Usage flags must allow for Digital Signature and Key Encipherment. Working with SSL certificates using IIS Manager helps avoid many of the pitfalls commonly seen when setting up HTTPS.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (6)Key usage flags needed for HTTPS

Encrypted communication

Finally, before the communication is being switched to encrypted – Change Cipher Spec – the client has to accept the server’s certificate. Some browsers, like Internet Explorer, would display warnings for sites presenting improper certificates - but would still allow you to navigate; after all, technically the encryption of the tunnel can still happen. But other browsers or other client applications might be more… stubborn, should I say? They would not allow continuing navigation or sending requests if the certificate is “smelly”.

If the certificate is expired, not valid anymore: reject. If it was revoked by its issuing authority: reject. If the site/server/host name of the URL does not accommodate the certificate’s subject (issued to field): reject. If the client does not trust the issuing authority of a certificate: reject (on Windows, the certificate of the issuing authority must be present in the Computer’s Trusted Root Certification Authorities / Intermediate Certification Authorities).

In all these cases, the encryption of the secure channel would work, technically; but the clients/browsers simply don’t like the certificate presented by the server - the server is not authenticated.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (7)When a client checks a certificate. It also checks for revocation.

On a side note, only the key exchange relies on the computationally expensive asymmetric encryption, during the TLS handshake (let’s say with the certificate’s public and private key). Once the client and the server have established the secure channel, the data exchange will rely on symmetric encryption. This is why the certificate’s Key Usage flag must include Key Encipherment – it’s for the key exchange.

Handling certificates and their private keys

I keep saying about certificate private keys because their absence is one of the most common issues. Failing to have the private key of a certificate leads to frustration: IIS Manager would not even bother to display a server certificate if its private key is not present. So, in the HTTPS binding, one cannot pick a certificate if its private key is missing. Further on, if the private key is accidentally deleted, corrupted or becomes inaccessible due to rights, SChannel issues immediately appear. Same happens if the certificate chain is not trusted (somehow the certificate of the issuing authority is missing from trusted, or that certificate is expired).

So how do we handle this private key?

The “birth” of a certificate starts with a Certificate Request, a CSR. One creates a CSR, then a certification authority (CA) approves it and generates a certificate file.

When creating CSR, a key pair is generated: public and private key. The public key is, well, public, anyone could see it. But the private key remains securely stored on the machine where the CSR was generated.

Once the CA issues the certificate, we could install that certificate on a different machine. But wait, where is the private key? Oh, the certificate must be paired with its private key on the machine where the CSR was created. Once this pairing is done, both certificate and its private key can be exported in a PFX container. The PFX file may contain the certificate, its private key, and all the trust chain – certificate of the root authority and any intermediate authorities. Then the PFX can be imported on other machines if needed.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (8)A certificate needs its private key to be usable for HTTPS

I recommend using IIS Manager only for creating certificates to be used for sites and web applications. IIS Manager ensures that the private key is exportable once the certificate was paired with it and it sets the proper key usage flags. It also ensures that the certificate is placed in the proper repository – Computer’s certificates. When exporting a certificate from IIS Manager, the entire trust chain of certificates is included in the PFX too.

About HTTPS, SChannel, TLS, CAPI, SSL Certificates and their keys (2024)

FAQs

What is TLS cert and TLS key? ›

Each TLS certificate consists of a key pair made of a public key and private key. These keys are important because they interact behind the scenes during website transactions. Every time you visit a website, the client server and web browser communicate to ensure there is a secure TLS/SSL encrypted connection.

What is Schannel used for? ›

Schannel is a Security Support Provider (SSP) that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) Internet standard authentication protocols.

What is SSL certificate and key? ›

SSL certificates make SSL/TLS encryption possible, and they contain the website's public key and the website's identity, along with related information. Devices attempting to communicate with the origin server will reference this file to obtain the public key and verify the server's identity.

What is a capi certificate? ›

Defines the data required by Trust Protection Platform to provision certificates to the Cryptographic Application Programming Interface (CAPI). The CAPI store contains Local Computer\Personal certificates on Windows systems to be consumed by IIS or other server applications.

How do I know if my certificate is SSL or TLS? ›

First, check if the URL of the website begins with HTTPS, where S indicates it has an SSL certificate. Second, click on the padlock icon on the address bar to check all the detailed information related to the certificate.

What is the difference between a certificate and a key? ›

The owner of the key pair makes the public key available to anyone, but keeps the private key secret. A certificate verifies that an entity is the owner of a particular public key.

What is the Schannel ciphers subkey? ›

SCHANNEL\Ciphers subkey. The Ciphers registry key under the SCHANNEL key is used to control the use of symmetric algorithms such as DES and RC4. The following are valid registry keys under the Ciphers key. This subkey refers to 128-bit RC4.

When should you use TLS? ›

A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).

What are schannel errors? ›

Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communication. These errors indicate a problem with the cipher suite chosen, or just the fact that the two sides (client and server) cannot agree on a cipher suite to use.

What are the 3 types of SSL certificates? ›

There are three types of SSL Certificate available today; Extended Validation (EV SSL), Organization Validated (OV SSL) and Domain Validated (DV SSL).

How do I find my SSL certificate and key? ›

In WHM the Private keys are stored along with the corresponding CSRs and certificates in “SSL Storage manager”. To get there, you can click “SSL/TLS” on the home screen and then on the “SSL Storage manager”. To open the Private key text, you will need to click on the magnifier button in the first column called “Key”.

What is the difference between SSL and TLS? ›

However, SSL is an older technology that contains some security flaws. Transport Layer Security (TLS) is the upgraded version of SSL that fixes existing SSL vulnerabilities. TLS authenticates more efficiently and continues to support encrypted communication channels.

What is CAPI used for? ›

CAPI is short for Conversion API and is the latest method for tracking conversions with Facebook. The Conversions API is used for tracking users, events and conversions to supplement the tracking done by the Meta Pixel (previously called the Facebook Pixel).

What is a CAPI for? ›

Cash Assistance Program for Immigrants (CAPI) provides cash assistance to certain aged, blind, and disabled legal immigrants ineligible for Supplemental Security Income/State Supplemental Payment (SSI/SSP) due to their immigration status.

What is CAPI short for? ›

Computer-Assisted Personal Interviews (CAPI) is a face-to-face data collection method in which the interviewer uses a tablet, mobile phone or a computer to record answers given during the interview.

How do I find my TLS certificate? ›

Here's how to do it.
  1. Open Chrome Developer Tools. The quickest way there is with a keyboard shortcut: OS. Keyboard. Shortcuts. Windows and Linux. Ctrl + Shift + i. F12. Mac. ⌘ + Option + i. ...
  2. Select the Security tab. If it is not shown, select the >> as shown below.
  3. Select View Certificate.

What is TLS authentication key? ›

TLS uses public-key cryptography to verify the authenticity of a website. Every website that uses HTTPS (TLS) generates a mathematically related key pair: A private key, which is kept secret and used to sign data. A public key, which anyone can use to verify that data.

What is the difference between API key and certificate? ›

Certificates authenticate the identity of API providers and consumers, preventing unauthorized access. Keys, on the other hand, encrypt data transmitted between servers, safeguarding it from interception and tampering.

How to get TLS key? ›

Locating a private key in Windows
  1. Open Microsoft Management Console.
  2. In the Console Root, expand Certificates (Local Computer)
  3. Locate the certificate in the Personal or Web Server folder.
  4. Right click the certificate.
  5. Select Export.
  6. Follow the guided wizard.
Aug 19, 2022

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Lilliana Bartoletti

Last Updated:

Views: 6429

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Lilliana Bartoletti

Birthday: 1999-11-18

Address: 58866 Tricia Spurs, North Melvinberg, HI 91346-3774

Phone: +50616620367928

Job: Real-Estate Liaison

Hobby: Graffiti, Astronomy, Handball, Magic, Origami, Fashion, Foreign language learning

Introduction: My name is Lilliana Bartoletti, I am a adventurous, pleasant, shiny, beautiful, handsome, zealous, tasty person who loves writing and wants to share my knowledge and understanding with you.