Windows CA WebEnrollement certificate problems

Question

We are using a Windows Server 2012 R2 as Windows CA for our Windows 10 environment.
Certificates are getting automatically enrolled through GPO which is great, unless you get Mac devices in your environment.
To get them the required User and Machine certificate we have installed the WebEnrollment environment but we have some problems.
First when you browse to the website with Safari, Chrome or Firefox you get a certificate error, that certificate is not valid.
We thought let's download the CA certificate first through the website and trust it on the Mac device but the certificate error is still there.
So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?

Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?

Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
newreq NN - New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.

Who can help me out?

Answer 1

Hello @Stijn ,

Thank you for posting here.

Here are the answers for your references.

Q1: So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?
A1: We can check whether this certificate is valid or not.

For example:

1.Who is this certificate issued to?
2.When will the certificate expire? When will the root certificate expire?
3.What certificate template was used to issue this certificate?
4.Is the status of the certificate normal?
5.Verify the certificate by running the command: certutil -verify "the full path of certificate file"

Q2: Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
A2: Check the permissions on custom certificates and ensure issued these certificate templates.

Q3: Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.

A3:

1.What do we mean "key strength"? Do you mean "Key Size"?

2.Can we select the CSP on the screenshot above?
3.Whether all the users encountered the same issue on all the domain joined machines?

Best Regards,
Daisy Zhou

Answer 2

Hello @Daisy Zhou

Thanks for the help and information. In IIS the Root CA certificate itself was binded with the https website.
So I created a duplicate from the standard webserver certificate and set following options

I binded this certificate to IIS but when I visit the certsrv website I still get the certificate invalid error

When I want to reguest a certificate I only can select User Certificate and when I click advanced request, I get other options then you have

When I select the User Certificate there is no key strength defined

When I click submit

Answer 3

Hello @Daisy Zhou

The FQDN is DMBEHQ0020.domain.local.

Yes I have set the permission but the certificates does not show up in the web page.