Request a Certificate from Server 2003 to Enterprise CA on Server 2012

    Question

  • Hello,

    I'm attempting to create and submit a request to my Enterprise CA (on Server 2012) from a 2003 Server.  I'm using the web request form and using the Web Server template.  I create the request and submit. All I get for my efforts is a web page dialogue saying "This page has not finished loading yet.  Please wait a few seconds and try again".  Any ideas?

    Thanks,

    DML


    DLovitt

    Tuesday, August 13, 2013 10:34 PM

Answers

  • The behaviour changed from 2008, IIRC, for web enrolment and computer certificates: you can only request user certs this way.

    I would use the MMC snap-in to request a computer certificate, as this will then present you with the correct templates (Web Server) as long as the permissions are correct on the template etc. (The previous article I referenced will need to be completed before you can enrol a cert from a 2003 server using this method.)

    Thanks,

    James.

    Thursday, August 15, 2013 12:08 PM
  • I ended up opening a case with MS. The answer was basically what James suggested. We ended up creating a new template based on the Web Server template, altered that template to allow the cert request to come from the certificates MMC console, and requested the cert from that console.  We tested the solution and it seems to work as expected.  I updated my instructions and procedure for future cert. requests.


    DLovitt

    • Marked as answer by Darius Lovitt Friday, August 30, 2013 5:08 PM
    Friday, August 30, 2013 5:08 PM

All replies

  • I hit a similar issue on Server 2012. Eventually, I think I managed to request the certificate using certreq.exe.

    Check it on a client machine or a different browser.


    Regards, Vik Singh. "If this thread answered your question, please click on 'Mark as Answer'."

    Wednesday, August 14, 2013 6:19 AM
  • My dilemma thickens somewhat.  Not only can I not submit a web request from Server 2003 but even if I could, I can no longer request that certificate be placed in the local computer store using the Web Server template.  These are the instructions for the certificate that my app has (this is ECTS for Sharepoint, by the way):

    From the extranet server, use Microsoft Internet Explorer® to access the certification service on the domain controller at http://domain_controller/certsrv, where domain_controller is the name of the domain controller running the certification authority.

    To install a certificate on the extranet server:
    1. Under Select a Task, click Request a certificate.
    2. On the Request a Certificate page, click advanced certificate request.
    3. On the next page, click Create and submit a request to this CA.
    4. On the next page, under Certificate Template, click Web Server. Under Identifying information for Offline Template, in the Name field, type the FQDN of the extranet server. Fill out the rest of the fields in this section as appropriate.
    5. Under Key Options, click Create a new key set. For CSP, click Microsoft RSA SChannel Cryptographic Provider. In the Key Size text box, type 1024. Click Automatic key container name, and then select the Store certificate in the local computer certificate store check box.
    6. Under Additional Options, for Request Format, click PKCS10, in the Friendly Name text box, type a name, such as ADAM Certificate and then click Submit. If a Potential Scripting Violation warning appears, click Yes.
    7. On the Certificate Issued page, click Install this Certificate, and then, if a Potential Scripting Violation warning appears, click Yes.

    Step 5 says to select "Store certificate in the local computer store". That option is no longer available. Any idea how I get this type of certificate requested and installed in the correct store? I'm not a certificate expert and they frankly don't make much sense to me.

    Thanks,

    DML


    DLovitt

    Wednesday, August 14, 2013 4:12 PM
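Vik's certreq.exe suggestion above, carried through for the seven-step web-enrolment list in this post, as an added example (not from any poster and not Microsoft's text): a request file for certreq that asks for a Web Server certificate with the key and certificate placed in the local computer store. The server FQDN, the template name and the CA config string in the usage note are placeholders.

```ini
; Added example (not from this thread): certreq.exe request file that does what
; the web form's "Store certificate in the local computer certificate store"
; check box used to do. Replace the placeholders:
;   extranet.corp.example  - the server's FQDN (step 4's Name field)
;   WebServer              - the template's name, not its display name; use your
;                            own copy of Web Server if, like the OP, you made one
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=extranet.corp.example"
; MachineKeySet=TRUE puts the key pair in the computer store rather than the
; requesting user's store (the missing check box from step 5).
MachineKeySet = TRUE
; Same CSP the web form used in step 5: Microsoft RSA SChannel, provider type 12.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
KeySpec = 1
; 2048 rather than the 1024 in the old instructions: 1024-bit RSA keys are no
; longer accepted by current CAs and browsers.
KeyLength = 2048
Exportable = FALSE
RequestType = PKCS10
; digitalSignature + keyEncipherment, what a TLS server certificate needs
KeyUsage = 0xa0

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
; Subject Alternative Name carried in the request itself, so the CA does not
; need the risky EDITF_ATTRIBUTESUBJECTALTNAME2 flag. The {text} syntax is the
; one documented for the Windows Server 2008 and later certreq; drop this
; section if your certreq rejects it.
2.5.29.17 = "{text}"
_continue_ = "dns=extranet.corp.example&"
```

Create, submit and install the certificate with `certreq -new websrv.inf websrv.req`, `certreq -submit -config "CAHOST\CA-Name" websrv.req websrv.cer` and `certreq -accept websrv.cer`, then confirm with `certutil -store My` that the new certificate is listed in the computer store with its private key.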
  • Hi, this could be the new enhanced security in 2012 AD CS (http://technet.microsoft.com/en-us/library/hh831373.aspx#BKMK_Security)

    The section you want relates to the following excerpt:

    When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT, as described in MSDN article Authentication-Level Constants (http://msdn.microsoft.com/library/aa373553.aspx). On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA. On a Windows Server 2012 or Windows Server 2012 R2 Preview CA, this enhanced security setting is enabled by default.

    What value does this change add?

    The CA enforces enhanced security in the requests that are sent to it. This higher security level requires that the packets requesting a certificate are encrypted, so they cannot be intercepted and read. Without this setting enabled, anyone with access to the network can read packets sent to and from the CA using a network analyzer. This means that information could be exposed that might be considered a privacy violation, such as the names of requesting users or machines, the types of certificates for which they are enrolling, the public keys involved, and so on. Within a forest or domain, leaking these data may not be a concern for most organizations. However, if attackers gain access to the network traffic, internal company structure and activity could be gleaned, which could be used for more targeted social engineering or phishing attacks.

    The commands to enable the enhanced security level of RPC_C_AUTHN_LEVEL_PKT on Windows Server®  2003, Windows Server®  2003 R2, Windows Server®  2008, or Windows Server 2008 R2 certification authorities are:

    certutil -setreg CA\InterfaceFlags +IF_ENFORCEENCRYPTICERTREQUEST
    Restart the certification authority
    net stop certsvc
    net start certsvc

    If you still have Windows XP client computers that need to request certificates from a CA that has the setting enabled, you have two options:

    1. Upgrade the Windows XP clients to a newer operating system.
    2. Lower the security of the CA by running the following commands:
      1. certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST

      2. net stop certsvc

      3. net start certsvc

    What works differently?

    Windows XP clients will not be compatible with this higher security setting enabled by default on a Windows Server 2012 or Windows Server 2012 R2 Preview CA. If necessary, you can lower the security setting as previously described.

    Did you make this change when you deployed your 2012 CA?

    Thanks,

    James.

    Thursday, August 15, 2013 11:19 AM
  • Hi,

    Does it work when you request a basic certificate using the internet?

    I would like to suggest you refer to the below link:

    Certification Authority Web Enrollment Guidance

    http://technet.microsoft.com/en-us/library/hh831649.aspx

    Regards,

    Yan Li

    TechNet Subscriber Support



    Cataleya Li
    TechNet Community Support

    Thursday, August 15, 2013 11:29 AM
    Moderator
  • Hi,

    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.

    TechNet Subscriber Support



    Cataleya Li
    TechNet Community Support

    Monday, August 19, 2013 4:17 AM
    Moderator
  • Hi All

    Could you please help? I'm trying to request a certificate from Mozilla and Chrome and this does not load the whole page. Is it mandatory to do this via Internet Explorer?

    Sorry to bother you guys.

    Wednesday, June 04, 2014 7:55 PM
  • Yes, you have to use IE. Technical support for other browsers is very limited and you will not get help from MS support at all.

    Wednesday, June 04, 2014 8:12 PM