Windows CA WebEnrollment certificate problems

Stijn 26 Reputation points
2020-08-25T14:26:25.583+00:00

We are using a Windows Server 2012 R2 as Windows CA for our Windows 10 environment.
Certificates are getting automatically enrolled through GPO which is great, unless you get Mac devices in your environment.
To get them the required User and Machine certificate we have installed the WebEnrollment environment but we have some problems.
First when you browse to the website with Safari, Chrome or Firefox you get a certificate error, that certificate is not valid.
We thought let's download the CA certificate first through the website and trust it on the Mac device but the certificate error is still there.
So we tried to visit it from a Windows machine and yes, there too we get the error that the certificate is not valid. Which certificate do you need to bind in IIS?

Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?

Third, when the user clicks on the standard User Certificate, he/she can't choose the key strength, and when you click submit you get this error:

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
newreq NN - New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.

Who can help me out?


3 answers

  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2020-08-26T05:28:57.75+00:00

    Hello @Stijn ,

    Thank you for posting here.

    Here are the answers for your references.

    Q1: So we tried to visit it from a Windows machine and yes, there too we get the error that the certificate is not valid. Which certificate do you need to bind in IIS?
    A1: We can check whether this certificate is valid or not.

    For example:

    1. Who is this certificate issued to?
    2. When will the certificate expire? When will the root certificate expire?
    3. What certificate template was used to issue this certificate?
    4. Is the status of the certificate normal?
    5. Verify the certificate by running the command: certutil -verify "the full path of certificate file"

    20421-cer1.png

    20284-cer2.png

    20422-cer3.png

    Q2: Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
    A2: Check the permissions on the custom certificates and ensure these certificate templates are issued.
    20403-cer4.png
    20404-cer5.png

    Q3: Third, when the user clicks on the standard User Certificate, he/she can't choose the key strength, and when you click submit you get this error:
    Your request failed. An error occurred while the server was processing your request.
    Contact your administrator for further assistance.

    A3:

    1. What do we mean by "key strength"? Do you mean "Key Size"?
    20360-cer6.png

    2. Can we select the CSP on the screenshot above?
    3. Did all the users encounter the same issue on all the domain-joined machines?

    Best Regards,
    Daisy Zhou
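
Added example, not part of the original answer: a PowerShell function that runs the A1 checks (issued-to name, validity period, certificate purpose, chain status) against a certificate in the server's LocalMachine\My store before it is bound to the certsrv HTTPS site. The function name and the thumbprint placeholder are assumptions; the FQDN in the usage comment is the one given later in this thread.

```powershell
# Added example (not from the thread): pre-binding checks for an IIS HTTPS certificate.
function Test-WebEnrollmentBindingCert {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,  # candidate certificate in LocalMachine\My
        [Parameter(Mandatory)] [string] $Fqdn         # host name users type into the browser
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Issued to: the URL host name must match one of the certificate's DNS names.
    #    -like lets a wildcard name such as *.domain.local match (loosely).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not ($names | Where-Object { $Fqdn -like $_ })) {
        $findings.Add("Name mismatch: '$Fqdn' not in [$($names -join ', ')]")
    }

    # 2. Expiry of the certificate itself.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings.Add("Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)")
    }

    # 3. Purpose: a CA certificate is not a web server certificate.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if ($bc -and $bc.CertificateAuthority) {
        $findings.Add('Certificate is a CA certificate (Basic Constraints CA=TRUE)')
    }
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
        $findings.Add('Server Authentication EKU (1.3.6.1.5.5.7.3.1) not present')
    }
    if (-not $cert.HasPrivateKey) { $findings.Add('No private key in the store') }

    # 4/5. Status: build the chain (includes revocation checking) as seen from this server.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $chain.ChainStatus | ForEach-Object {
            $findings.Add("Chain: $($_.Status) $($_.StatusInformation.Trim())") }
    }
    $findings   # empty output means no problem was found
}
# Usage: Test-WebEnrollmentBindingCert -Thumbprint '<thumbprint>' -Fqdn 'DMBEHQ0020.domain.local'
```

The chain result reflects the trust store of the server where the function runs; a Mac or other non-domain client still needs the root CA certificate in its own trust store.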


  2. Stijn 26 Reputation points
    2020-08-26T07:35:10.213+00:00

    Hello @Daisy Zhou

    Thanks for the help and information. In IIS the Root CA certificate itself was bound to the HTTPS website.
    So I created a duplicate of the standard web server certificate and set the following options
    20455-capture7.png 20456-capture8.png 20378-capture9.png 20379-capture10.png 20309-capture11.png

    I bound this certificate in IIS, but when I visit the certsrv website I still get the certificate invalid error
    20457-capture.png 20462-capture1.png 20416-capture2.png

    When I want to request a certificate I can only select User Certificate, and when I click advanced request, I get other options than you have
    20398-capture3.png 20369-capture6.png

    When I select the User Certificate there is no key strength defined
    20388-capture4.png

    When I click submit
    20444-capture5.png


  3. Stijn 26 Reputation points
    2020-08-26T09:38:45.317+00:00

    Hello @Daisy Zhou

    The FQDN is DMBEHQ0020.domain.local.

    Yes, I have set the permission but the certificates do not show up in the web page.