20,222 questions
Is this problem resolved? I have the same issue Windows Server 2022 EN.
AD CS installed with WEB Enrollment role, IIS on the same server. Connection is not secure.
The same screens as Stijn.
Windows CA WebEnrollement certificate problems
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 16%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Stijn
26
Reputation points
We are using a Windows Server 2012 R2 as Windows CA for our Windows 10 environment.
Certificates are getting automatically enrolled through GPO which is great, unless you get Mac devices in your environment.
To get them the required User and Machine certificate we have installed the WebEnrollment environment but we have some problems.
First when you browse to the website with Safari, Chrome or Firefox you get a certificate error, that certificate is not valid.
We thought let's download the CA certificate first through the website and trust it on the Mac device but the certificate error is still there.
So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?
Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq NN - New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.
Who can help me out?
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-09-03T07:55:16.963+00:00 Hello @Stijn ,
Good day!
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!Best Regards,
Daisy Zhou
Sign in to comment
5 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 50%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJU%3C/text%3E%3C/svg%3E)
Jan Ulman 31 Reputation points2024-03-12T15:05:02.5233333+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 6%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
Darwin Lambeth 0 Reputation points2024-04-09T12:29:53.6233333+00:00 I am running into the same exact problem, Windows 2016 server.
Did anyone resolve this problem?
Sign in to comment -
-
Anonymous
2020-08-26T05:28:57.75+00:00 Hello @Stijn ,
Thank you for posting here.
Here are the answers for your references.
Q1: So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?
A1: We can check whether this certificate is valid or not.For example:
1.Who is this certificate issued to?
2.When will the certificate expire? When will the root certificate expire?
3.What certificate template was used to issue this certificate?
4.Is the status of the certificate normal?
5.Verify the certificate by running the command: certutil -verify "the full path of certificate file"
Q2: Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
A2: Check the permissions on custom certificates and ensure issued these certificate templates.
Q3: Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.A3:
1.What do we mean "key strength"? Do you mean "Key Size"?
2.Can we select the CSP on the screenshot above?
3.Whether all the users encountered the same issue on all the domain joined machines?Best Regards,
Daisy Zhou -
Stijn 26 Reputation points
2020-08-26T07:35:10.213+00:00 Hello @Anonymous
Thanks for the help and information. In IIS the Root CA certificate itself was binded with the https website.
So I created a duplicate from the standard webserver certificate and set following options
I binded this certificate to IIS but when I visit the certsrv website I still get the certificate invalid error
When I want to reguest a certificate I only can select User Certificate and when I click advanced request, I get other options then you have
When I select the User Certificate there is no key strength defined
When I click submit
-
Anonymous
2020-08-26T08:21:42.55+00:00 Hello @Stijn ,
- I can see cert common name is invalid.
- What is your machine name with Certification Authority Web Enrollment role? Is dmbeh0020 the machine name with Certification Authority Web Enrollment role?
- For the question that we can not see custom User and Machine certificate templates, would you please check the Answer 2? Or can the users see these custom User and Machine certificate template if the users request certificate via MMC?
Best Regards,
Daisy Zhou - I can see cert common name is invalid.
Sign in to comment -
-
Stijn 26 Reputation points
2020-08-26T09:38:45.317+00:00 Hello @Anonymous
The FQDN is DMBEHQ0020.domain.local.
Yes I have set the permission but the certificates does not show up in the web page.
-
Anonymous
2020-08-28T08:19:51.24+00:00 Hello,
- We can verify the certificate by running the command: certutil -verify "the full path of certificate file" to see if everything is OK.
- Based on "I have set the permission but the certificates does not show up in the web page.", what certificate template do you mean? If it is "Web Server" certificate template, we should set "Supply in the request" Subject Name.
Best Regards,
Daisy Zhou -
Anonymous
2020-08-31T07:38:15.183+00:00 Hello,
Please check if we logon this machine and open MMC.exe to request certificate using this certificate template (Copy 2 of Web Server), can you see this (Copy 2 of Web Server)?
Best Regards,
Daisy Zhou
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 28.000000000000004%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
Mohammad J Lajevardipour 0 Reputation points2025-04-04T07:46:50.8133333+00:00 Hi @daisy zhou
To solve this issue, you shouldn't use the Edge browser; instead, open Internet Explorer.
I assumed there should be a security option that blocks/drops this request from reaching your CA.
- Control Panel/ Internet options/ Advanced Tab / uncheck Enable Third-Party Browser Extensions
- In Run**,** write iexplore. If Internet Explorer opens, you can try to get the web enrollment via Internet Explorer, and it should work.
- to make sure you can open the IE, you can also move to Control Panel/ Internet options/ Programs Tab / click on Manage Add-ons/ at bottom side of the opened windows select learn more about toolbars
- This should work fine, and you should be able to get a User certificate without any error if you have already reduced the trust to low and added your CA trusted websites from Internet options
- Control Panel/ Internet options/ Advanced Tab / uncheck Enable Third-Party Browser Extensions