DigiCert KnowledgeBase - Technical Support

Enable TLS 1.2 as default protocols in WinHTTP | Windows 2008 and 2012 standard Server

Solution ID : SO090921150358
Last Modified : 10/21/2023

Solution

DigiCert PKI Platform 8 ended support for TLS 1.0 and TLS 1.1 on August 30, 2021. Customers will need to complete the upgrade to TLS 1.2 before August 30, 2021, to continue using PKI applications and services to enroll, renew, search for, or revoke certificates. This also affects the Enterprise Gateway and Autoenrollment services.

For customers using Windows Server 2012 R2, no WinHTTP changes are required: TLS 1.2 is supported by default, without the patch or the registry changes.

For customers using Windows Server 2008 and Windows Server 2012 Standard, WinHTTP does not support TLS 1.2 by default. You will need to install Windows update KB3140245 and then enforce TLS 1.2 via a registry update.

If WinHTTP is not configured, certificate enrollment via Autoenrollment (AE) or Enterprise Gateway (EG) fails, and the AE or EG logs contain the error message below.

Http Error: One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. (0x2f8f)

Download the patch details and instructions.

After installing the update, enforce TLS 1.2 with the two commands below from a command prompt running as administrator.

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /V "DefaultSecureProtocols" /T REG_DWORD /D 2048 /F

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp" /V "DefaultSecureProtocols" /T REG_DWORD /D 2048 /F

Note: 2048 is the decimal representation of hex 0x00000800 (the DefaultSecureProtocols bit for TLS 1.2 enforcement).

Once done, please restart the server to propagate the changes.
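The following PowerShell script is an added example, not part of the DigiCert article, that performs the same procedure with a check before and a verification after: it confirms KB3140245 is present (the DefaultSecureProtocols value is ignored without it), writes the DWORD to the WinHTTP key and, on 64-bit systems, to the Wow6432Node copy that 32-bit processes read, then reads both values back and decodes the bitmask into protocol names. The bit values in the table are the ones Microsoft documents for DefaultSecureProtocols with KB3140245. Because only the TLS 1.2 bit is set, WinHTTP clients that rely on the default will no longer offer TLS 1.0 or TLS 1.1, which is the enforcement the article intends; other WinHTTP-based software on the same host inherits that behaviour too.

```powershell
# Added example (not from the DigiCert article): check for KB3140245, set
# DefaultSecureProtocols to TLS 1.2 only (0x800 = 2048) in both WinHTTP keys,
# then read the values back and decode them. Run from an elevated PowerShell
# prompt; a server restart is still required afterwards.

$Kb        = 'KB3140245'
$Tls12Only = 0x00000800   # DefaultSecureProtocols bit for TLS 1.2 (decimal 2048)

# Bit values documented with KB3140245 for the DefaultSecureProtocols DWORD.
$ProtocolBits = @(
    @('SSL 2.0', 0x00000008),
    @('SSL 3.0', 0x00000020),
    @('TLS 1.0', 0x00000080),
    @('TLS 1.1', 0x00000200),
    @('TLS 1.2', 0x00000800)
)

$Keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    # 64-bit OS: 32-bit processes read the Wow6432Node copy, so both keys are set.
    $Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

function Get-ProtocolNames {
    param([uint32]$Mask)
    # Translate a DefaultSecureProtocols bitmask into readable protocol names.
    $names = foreach ($pair in $ProtocolBits) {
        if ($Mask -band $pair[1]) { $pair[0] }
    }
    if (-not $names) { return '(no protocol bits set - WinHTTP uses its built-in default)' }
    return ($names -join ', ')
}

# 1. The registry value only has effect once the WinHTTP update that introduced it is installed.
if (-not (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)) {
    Write-Warning "$Kb is not installed. Install it first (not needed on Windows Server 2012 R2, where WinHTTP already supports TLS 1.2 by default)."
}

# 2. Create each key if missing and write the DWORD, mirroring the two 'reg add' commands.
foreach ($key in $Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -PropertyType DWord -Value $Tls12Only -Force | Out-Null
}

# 3. Read back what was written and show which protocols the mask enables.
foreach ($key in $Keys) {
    $value = (Get-ItemProperty -Path $key -Name 'DefaultSecureProtocols').DefaultSecureProtocols
    "{0}`n  DefaultSecureProtocols = 0x{1:X8} ({1}) -> {2}" -f $key, $value, (Get-ProtocolNames $value)
}

Write-Host 'Restart the server so WinHTTP-based services (Autoenrollment, Enterprise Gateway) pick up the change.'
```

Running the script before the restart is a useful sanity check: the decoded line for each key should read "TLS 1.2" only. If it lists TLS 1.0 or TLS 1.1 as well, some other tool or policy has set additional bits, and the enforcement described in this article is not in place.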