Client Certificate on Vista using IE7 from Server 2003

  • Question


  • After installing the Certificate Services Web enrollment pages update KB922706 on Server 2003 for Vista clients, the “install this CA certificate” link generates an invalid security certificate.


    The screen to install the certificate states that “the Certificate you requested was issued to you” after the certificate is issued and then provides a link to “Install this certificate”. It then lists “This CA is not trusted. To trust certificates issued from this certification authority, install this CA certificate.” 


    After selecting “install this CA certificate” a file named certnew.cer is generated. Saving or directly opening both result in an error message being displayed with the title “invalid public key security object file” and the message “this file is invalid for use as the following: Security Certificate”.


    Steps that I’ve already taken:
    The link was added to the trusted sites in IE7 on Vista.
    I’ve tried “Run as administrator” on IE7 to make the certificate request.

     

    Note: The web enrollment continues to work for Windows XP clients.

     

    How can I get the certificates working on Vista Clients?

     

    Thanks,
    Tim

    Thursday, September 18, 2008 9:14 PM

Answers

  •  

    Hi Tim, please understand that Windows Vista makes certificate changes for better security. You can refer to the following article.

     

    Certificate-Related Changes for Vista 

    http://technet.microsoft.com/en-us/library/cc700848.aspx

     

    Then, please check the following points:

     

    1. Check whether SP2 has been applied on the Windows Server 2003 CA server.

    2. Add the web enrollment URL of the CA server to the client computer’s "Trusted Sites" list and ensure the related security settings allow ActiveX control.

     

    As a workaround, you can go to a computer that has the Root Cert installed already and export the Root Cert and then install it on your Windows Vista computer manually.

    Monday, September 22, 2008 7:43 AM
    Moderator

All replies

  • Hi Sean, thanks for your suggestions! In response to your points:

    1. Yes, SP2 has been applied on the Windows Server 2003 CA server.
    2. Yes, the web enrollment URL was added to the Trusted Sites and the ActiveX security settings have been verified.

    Exporting the Root Certificate from an XP computer and installing it on the Vista client enabled the web enrollment process to work. Using an advanced request and selecting a 2048 key size created a certificate that could be installed.

    Can the Root Certificate be installed automatically without requiring the workaround?
    Is there any security issue created by exporting the Root Certificate and sending it out to clients by email?


    Thanks,
    Tim

     

    Friday, October 3, 2008 11:10 PM
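
On the manual workaround and the question about e-mailing the root certificate: an exported root certificate holds only public data, so what matters on the receiving side is confirming the file was not replaced in transit. The PowerShell script below is an added example, not code from the thread or from Microsoft; it checks the file against a thumbprint obtained out of band before adding it to the Trusted Root store. The path and the expected thumbprint are placeholders to be filled in, and the script must run elevated.

```powershell
# Added example: verify an exported root CA certificate before trusting it.
# $CertPath and $ExpectedThumbprint are placeholders (assumptions, not values from the thread).
param(
    [string]$CertPath = 'C:\Temp\rootca.cer',                             # exported root, e.g. received by e-mail
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-FROM-THE-CA-SERVER>'  # obtained out of band (phone, console)
)

function Get-NormalizedThumbprint([string]$Value) {
    # Drop spaces, colons and invisible characters that copy/paste tends to add.
    return ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# Loading fails here if the file is not a parseable certificate at all.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# A root CA certificate names itself as issuer. This is a sanity check on the
# fields only; the thumbprint comparison below is what establishes authenticity.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: subject '$($cert.Subject)' was issued by '$($cert.Issuer)'"
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

$actual   = Get-NormalizedThumbprint $cert.Thumbprint
$expected = Get-NormalizedThumbprint $ExpectedThumbprint
if ($actual -ne $expected) {
    throw "Thumbprint mismatch: file has $actual, expected $expected. Not installing."
}

# Thumbprint matches: add the certificate to the machine-wide Trusted Root store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try { $store.Add($cert) } finally { $store.Close() }
Write-Host "Installed root '$($cert.Subject)' with thumbprint $actual"
```

With the placeholder thumbprint left unchanged the comparison fails and nothing is installed, so the script does not trust a file by default.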