In order to support the new security features of Windows 7/ Vista, Microsoft has made fundamental changes to the certificate web enrollment process that Windows Certificate Services uses to provide certificates to end users. In the past, Xenroll was the process that was responsible for the assignment and processing of certificate requests through the web site. Now this has been replaced with the CertEnroll process. Unfortunately, this process was not seamless. For months, the only way to use the Certsrv site to provide certificates to Vista was to use Windows Server 2008 or to overlay the Server 2008 ASP site over the older Xenroll-based site on Server 2003. This lead to a number of problems, especially considering the lag between the release of Windows Vista and Server 2008. Fortunately, a patch has been released to allow Server 2003 to comply with the new CertEnroll process and hand out certificates to all clients.
The Hotfix can be found:
An Unexpected Result
Many companies that rely on certificate authentication for web site authentication are running into problems with Windows Vista as the enrollment process appears to work as it had before, but when navigating to the site no certificate is found. This means that you will see the normal “Choose a Digital Certificate” popup on the site, but the box is blank and no certificates are listed. This is further confusing as valid certificates appear in the certificate store on the local machine.
The problem arises in the default certificate type that is requested by Windows Vista, Windows 7 and Server 2008. Instead of the Base or Enhanced Cryptographic Provider, Windows Vista chooses another option. This is especially confusing if you are using the basic enrollment pages or even custom skinned pages as you will not see the advanced options that Vista is changing by default. Once these are changed as below, you will be able to use the certificate for user authentication as you’d expect.
- Navigate to the normal certsrv page on your CA
- On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next
- On the Choose Request Type page, click Advanced request, and then click Next
- On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next
- On the Advanced Certificate Request page, complete the requesting information, as appropriate
- Under Type of certificate Needed , click Client Authentication Certificate
- Under Key Options , select Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage , and then enter 1024 for Key Size
- Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store
- Leave all the other options set to the default value unless you have to make a specific change
- Click Submit . If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears
- Click Install this Certificate. The Certificate Installed page appears with the following message: “Your new certificate has been successfully installed.”