Re: Vista Certificate Enrollment api



What error did InstallResponse return when AllowUntrustedRoot is passed in?
Are you calling the API in a web script?

"Mark Mullane" <mark_mullane@xxxxxxxxxxx> wrote in message news:ufRj4qVSHHA.4188@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I'm using the new Certificate Enrollment API in Vista to enroll certificates
(signed by a custom CA) on Vista clients, along the lines given in the SDK
Certificate Enrollment Sample.

I have successfully generated a private key and CSR, sent the CSR to the CA
and received back the response (certificate chain).

My problem comes when I attempt to use the IX509Enrollment interface to
install the received certificate chain on the client machine (in
ContextMachine): I always get error CERT_E_UNTRUSTED_ROOT (0x800b0109). This
is not surprising, as the root of the certificate chain returned by the CA is
of course untrusted. However, the problem is that even when I set the
InstallResponseRestrictionFlags to "AllowUntrustedRoot" it still fails!

I have verified that if I separately install the Root CA cert alone then the
returned certificate chain installs with no problem. If the Root cert is not
there initially, then it appears that the "AllowUntrustedRoot" flag is
having NO effect.

This is happening on Vista RC2 and Vista Gold.

Any ideas?

Regards..........Mark M.


