Digicert PKI Platform 8 ended support for TLS 1.0 and TLS 1.1 on August 30, 2021. Customers will need to complete the upgrade to TLS1.2 before August 30, 2021, to continue using PKI applications and services to enroll, renew, search, or revoke certificates. This will also impact the services on Enterprise Gateway and Autoenrollment services.
For customers using Windows 2012 server R2, the changes to WinHTTP are not required as TLS 1.2 is supported by default without the patch update and registry changes.
For customers using Windows 2008 and Windows 2012 standard server, WinHTTP does not support TLS 1.2 by default. You will need to install a windows patch (KB3140245) and then enforce TLS 1.2 via a registry update.
Below is the common error message during certificate enrolment via Autoenrollment or Enterprise Gateway if the WinHTTP is not configured.
In AE or EG logs, you will find the error message below.
|Http Error: One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. (0x2f8f)|
Download the patch details and instructions.
After installing the patch update, set TLS 1.2 enforcement with the below command via the command prompt (please run command prompt as admin).
|reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /V "DefaultSecureProtocols" /T REG_DWORD /D 2048 /F
|reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /V "DefaultSecureProtocols" /T REG_DWORD /D 2048 /F|
Once done, please restart the server to propagate the changes.