IE6 and MS Certificate Services (standalone)

From: Yawns Security (security@YAWNS.COM)
Date: 10/07/02 

Date:         Mon, 7 Oct 2002 15:16:03 +0100
From: Yawns Security <security@YAWNS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

Issue: IE6 devices cannot create new Advanced Certificate requests via
form, as Active X component fails to download regardless of client
security settings.

Server :Win2000 Server (in workgroup) with MS Certificate Services
(standalone) regardless of service pack (although I have tested it with
Sp2 and Sp3) and Microsoft's unsupported public CA at

Client : Tested with - Win2K Sp3 & IE5 - OK
                                Win2K Sp3 & IE6 - Fails
                                WinXP Sp0 & IE6 - Fails
                                WinXP Sp1 & IE6 - Fails
                                WinXP Sp1 & IE6 Sp1 - Fails

Detail :
Attempting to use a local MS Cert Services CA instance for IPSEC/Server
certificate generation.
1)From a client browser browse http://localCertServer/certsrv
2)Select 'Request a certificate', then 'Advanced Request'
3)Then 'Submit a cert req to this CA using a form'

A form is generated and a message displayed centrally saying
'Downloading ActiveX control' which I can only assume interrogates the
local CryptoAPI to work out what providers are available.

With older browsers the CSP field gets updated after the applet
installs, whereas IE6 never downloads.

The certificate server is within my local 'Local Intranet' zone and even
if the Security level is set to low, it still never works.

The problem has been reported to MS PSS and an incident raised, however
I was wondering if anyone had come up with a workaround.

Relevant Pages

  • Re: Cannot request certificate on client computer
    ... re-connect both computer and user account on the server. ... PC and the certificate request now works. ... (I'd check both the server and the client PC). ...
    (microsoft.public.windows.server.sbs)
  • Re: Cannot request certificate on client computer
    ... re-connect both computer and user account on the server. ... one PC and the certificate request now works. ... (I'd check both the server and the client PC). ...
    (microsoft.public.windows.server.sbs)
  • Re: Generate SSL certificate request from ISA server
    ... when you receive the certificate from the authority, install it on the ISA ... Server instead of the web server. ... > request to send to them, which doesn't appear to be possible directly from ...
    (microsoft.public.isa.configuration)
  • Re: Cannot request computer certificate.
    ... I did a cerutil -ping from the server again and now it is working: ... >>whole problem since you can not request a certificate while logged onto ... >> I would verify that the certificate services service is running and set ... >>> The redir is bound to 1 NetBt transport. ...
    (microsoft.public.windows.server.security)
  • Re: Offline creation of machine certificates for VPN access
    ... I faced a similar challenge with getting certificates onto an ISA server ... to include a SAN in a request you need to make the following change at ... Retrieve CA Signing Certificate and Chain ...
    (microsoft.public.windows.server.security)