When my ASP.NET website is running on a windows 7 box, it can connect (programmatically as a "client") to an SSL-encrypted service ("server") on another windows 7 machine just fine.
But if my website is on the production box (windows server 2003), the service's windows log shows:
An TLS 1.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
(service is using a self-signed cert created by makecert.exe, but I can't see how to make makecert allow more cipher suites... or do I install something on the 2003 boxes...? This: https://serverfault.com/questions/166750 doesn't work for me because I am not using a CSR)
The solution was to generate my certificate again, this time forcing RSA and SHA1 (though SHA1 should be the default anyway). For some reason Win Server 2k3 couldn't or wouldn't use the right ciphers with a default makecert certificate. Here is the command line that worked for me:
makecert -pe -r -ss my -sr localMachine -n "CN=domainnameoripaddressgoeshere.com" -e 01/01/2098 -a sha1 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
For details see http://mgowen.com/2013/06/19/cipher-suites-issue/ and http://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx.
If anyone finding this does want to know about cipher suites though, here's some stuff I found along the way that may help you:
- You can add two RSA cipher suites to windows server 2003 using this hotfix: http://support.microsoft.com/kb/948963
- You can see which ciphers are supported in regedit (windows registry editor) under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
- You can use IIS Crypto (a free cipher config app, https://www.nartac.com/Products/IISCrypto/) to view and enable/disable ciphers (including those hotfix ciphers above).
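As an added example (not from the answer above), this PowerShell snippet does the two checks the answer describes by hand: it reads the Enabled state of each cipher under the SCHANNEL\Ciphers registry key, and it reports the key and signature algorithm of the server certificate in the LocalMachine\My store, which is what the -a, -sky and -sp makecert flags control. It assumes an elevated PowerShell 2.0 or later session on the machine hosting the service; the subject filter 'domainnameoripaddressgoeshere.com' is the placeholder CN from the answer.

```powershell
# Added example, not the answer's own code. Run elevated on the service host.
$cipherRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

function Get-SchannelCipherState {
    # Each subkey (e.g. 'Triple DES 168') may carry an 'Enabled' DWORD.
    # A missing value means the OS default applies; 0 means explicitly disabled.
    Get-ChildItem -Path $cipherRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $enabled = (Get-ItemProperty -Path $_.PSPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
        $state = if ($null -eq $enabled) { 'default' } elseif ($enabled -eq 0) { 'disabled' } else { 'enabled' }
        New-Object PSObject -Property @{
            Cipher  = $_.PSChildName
            Enabled = $state
        }
    }
}

function Get-ServiceCertInfo {
    param([string]$Subject)
    # Shows whether the cert actually carries an RSA exchange key and a SHA1
    # signature, i.e. whether the regenerated makecert certificate took effect.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$Subject*" } | ForEach-Object {
        New-Object PSObject -Property @{
            Subject      = $_.Subject
            KeyAlgorithm = $_.PublicKey.Oid.FriendlyName      # expect 'RSA'
            SigAlgorithm = $_.SignatureAlgorithm.FriendlyName # expect 'sha1RSA'
            HasPrivKey   = $_.HasPrivateKey                   # must be True for Schannel to use it
            NotAfter     = $_.NotAfter
        }
    }
}

# Placeholder subject from the answer; replace with the CN used in makecert -n.
Get-SchannelCipherState | Sort-Object Cipher | Format-Table Cipher, Enabled -AutoSize
Get-ServiceCertInfo -Subject 'domainnameoripaddressgoeshere.com' | Format-List
```

If a cipher the client offers shows as 'disabled' here, or the certificate's key algorithm is not RSA, that explains the event log's "none of the cipher suites supported by the client application are supported by the server" message.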