TLS 1.2 Communication Problems with Excessive Root Certificates
SecureAuth IdP Version affected: All
This article describes an issue that can prevent web clients from connecting with a SecureAuth IdP Appliance over TLS 1.2, and how to resolve it.
If the Windows Trusted Root Certification Authorities container grows too large, then it can exceed the Schannel security package limit. Currently, the maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certificate Authorities will go over the 16 KB limit, which cause TLS communication issues.
If this condition is present on an appliance, then the following log entry is seen:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
To resolve this issue, the Root Certification Authorities container must be pared down to stay within the 16 KB Schannel limit. Make sure to leave the following certificates in place so operation of the SecureAuth IdP Appliance is not impacted:
NOTE: Removing a critical root certificate could negatively impact the operation of SecureAuth IdP, Microsoft IIS, or Windows Server
SecureAuth strongly recommends backing up the SecureAuth IdP Appliance before modifying the Trusted Root Certification Authorities container
1. Certificates required by the Windows Server Operating System (OS) to properly operate
2. The SecureAuth Root Certificates
- SecureAuth Root Certificate Authority
- SecureAuth G3 Root Certificate Authority
- MFA Root 3
3. Any root certificates used by the organization
Please sign in to leave a comment.