SSL Diagnostics for IIS/IIS Express
By Lex Li
This page shows you how to use SSL Diagnostics.
There have been both official and unofficial tools from Microsoft called SSL Diagnostics.
IIS 6 used to have a great suite of troubleshooting tools. One of them was for SSL related diagnostics, called SSL Diagnostics (SSL Diag or SSLDiag for short). As it was designed for IIS 6 and relies on the IIS ADSI API (which is obsolete), this tool was not made available for IIS 7 and above.
Of course you can use the IIS 6 version if you enable the IIS 6 Compatibility component on IIS 7 and above, but it is less convenient.
Later, a Microsoft employee, Vijayshinva Karnure, developed a newer version that relied only on the new IIS 7+ API, and released it on IIS.net. It works for all IIS versions (up to 10), but it does not work for IIS Express.
The previous tools were designed without SHA-2 and recent SSL/TLS best practices in mind. Their reports can simply miss recent warnings on obsolete SHA-1 certificates and obsolete protocols like SSL 3.0.
So what if you want a modern tool to troubleshoot SSL/TLS issues on IIS and especially IIS Express? Jexus Manager fills the gaps.
For web servers opened in Jexus Manager, an action called SSL Diagnostics is shown.
A report is generated when the “Generate Report” button is clicked.
Typical things analyzed by SSL Diagnostics:
- SNI or IP based mappings in Windows HTTP API.
- Certificate related:
  - Signature algorithm (SHA-1 is obsolete).
  - Validity check (expired or not).
  - Subject Alternative Name extension (should be present, as browsers require it).
  - Private key availability.
This SSL Diagnostics tool is updated often to include more checks on recent SSL/TLS best practices.
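To show what the checks listed above amount to, here is an added PowerShell example (not code from Jexus Manager or its author) that reproduces them with built-in Windows tooling: it reads the IP and SNI mappings from HTTP.sys via `netsh http show sslcert`, looks up each bound certificate in the local machine store, and flags SHA-1 signatures, expired or not-yet-valid certificates, a missing Subject Alternative Name extension, and an unavailable private key. It assumes an elevated PowerShell session on the IIS host and that the `netsh` output uses the `IP:port`, `Hostname:port`, `Certificate Hash` and `Certificate Store Name` field names; if your Windows version prints different labels, adjust the regular expressions.

```powershell
# Added example, not part of Jexus Manager. Requires an elevated session on the
# IIS host. The netsh field names parsed below are an assumption about the
# current output format; verify them against "netsh http show sslcert".

function Get-HttpSysSslBindings {
    # Each binding block begins with either an "IP:port" line (IP-based mapping)
    # or a "Hostname:port" line (SNI mapping), followed by its certificate fields.
    $bindings = @()
    $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings += $current }
            $current = [pscustomobject]@{
                Type     = if ($Matches[1] -eq 'IP:port') { 'IP' } else { 'SNI' }
                Endpoint = $Matches[2]
                Hash     = $null
                Store    = $null
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1].ToUpper()
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            $current.Store = $Matches[1]
        }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Test-ServerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $findings = @()
    # Signature algorithm: SHA-1 based signatures are rejected by modern browsers.
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        $findings += "signed with obsolete algorithm $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    # Validity window.
    $now = Get-Date
    if ($now -gt $Cert.NotAfter)  { $findings += "expired on $($Cert.NotAfter)" }
    if ($now -lt $Cert.NotBefore) { $findings += "not valid until $($Cert.NotBefore)" }
    # Subject Alternative Name (OID 2.5.29.17) must be present; browsers ignore the CN.
    if (-not ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })) {
        $findings += 'no Subject Alternative Name extension'
    }
    # Without an accessible private key HTTP.sys cannot complete the handshake.
    if (-not $Cert.HasPrivateKey) { $findings += 'private key not available' }
    return $findings
}

foreach ($b in Get-HttpSysSslBindings) {
    # netsh prints "(null)" when the default store was used, which is "My".
    $store = if ($b.Store -and $b.Store -ne '(null)') { $b.Store } else { 'My' }
    $cert = Get-ChildItem "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $b.Hash } | Select-Object -First 1
    Write-Host "[$($b.Type)] $($b.Endpoint) -> $($b.Hash)"
    if (-not $cert) {
        Write-Host '  WARNING: certificate not found in the local machine store'
        continue
    }
    $issues = @(Test-ServerCertificate -Cert $cert)
    if ($issues.Count -eq 0) { Write-Host '  OK' }
    else { $issues | ForEach-Object { Write-Host "  WARNING: $_" } }
}
```

Run it as Administrator on the server; IIS Express bindings registered with `netsh http add sslcert` appear in the same output, so the script covers both the IIS and IIS Express cases the page discusses. A binding whose hash is not found in the store, or whose certificate lacks a private key, is the usual cause of a handshake that fails before any HTTP error is logged.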