Hi Tim, please understand that WIndows Vista changes Certificate for a better secure. You can refer to the following article.
Certificate-Related Changes for Vista
http://technet.microsoft.com/en-us/library/cc700848.aspx
Then, please check the following points:
1. Check whether SP2 has been applied on the Windows Server 2003 CA server.
2. Add the web enrollment URL of the CA server to the client computer’s "Trusted Sites" list and ensure the related security settings allow ActiveX control.
As a workaround, you can go to a computer that has the Root Cert installed already and export the Root Cert and then install it on your Windows Vista computer manually.