You cannot download CA certificate from web enrollment pages


SYMPTOMS

When you try to download the CA certificate from the web enrollment pages, you get a prompt with an unreadable proposed file name:

Do you want to save certnew_cer?ReqID=CACert&Renewal=1&Enc=bin (1,09 KB) from <ServerName>


When you press the 'Save' button in the save file dialog, nothing happens and the file is not saved. You cannot close the 'Save File' pop-up prompt even if you press the 'Cancel' button.



CAUSE

This issue occurs if you are using an operating system listed in the 'Applies to' section and Internet Explorer with Enhanced Security Configuration (ESC) enabled. Internet Explorer ESC applies strict security settings that prevent you from downloading the CA certificate from the web enrollment pages. For more information about the IE ESC feature, see this article: Internet Explorer: Enhanced Security Configuration



RESOLUTION

You need to disable Internet Explorer Enhanced Security Configuration.

  1. Log on to the server with local administrator permissions.
  2. Click Start, then Administrative Tools, and click Server Manager.
  3. On the right pane, click the 'Configure IE ESC' link.
  4. In the dialog box that opens, disable Internet Explorer ESC for the appropriate group (Administrators and/or regular users).
  5. Click OK and restart Internet Explorer.

Note: you should not disable Internet Explorer ESC for the Administrators group, because disabling this feature increases the exposure of your server to potential attacks that can occur through Web content and application scripts. Instead, access the web enrollment pages with a regular user account and disable IE ESC for regular users only.



WORKAROUND

In an Active Directory environment you should avoid using web enrollment pages directly from servers (machines that run an operating system from the Windows Server family). For management purposes, use an administrative computer that runs a client operating system (Windows Vista/7) with Remote Server Administration Tools (RSAT) installed.



APPLIES TO
  • Windows Server 2008 x86 and x64 all editions, full installation with Internet Explorer 8 or 9
  • Windows Server 2008 R2 all editions, full installation with Internet Explorer 8 or 9


Comments
  • Cool! Thank you very much for posting this KB style information. :-)

  • Experiencing this problem on a Windows 7 box with IE9. Getting the strange URL for the certificate. Cannot close the download/save box. I don't think Win7 has ESC, any tips to get this working? I can download the certificate using chrome, fwiw.

  • "In an Active Directory environment you should avoid web enrollment pages usage directly from servers."

    Can you please expand on that to describe what servers you refer to?

  • I added a clarification.
