jonbigelow
asked on
Weird problem with Win2k Certificate Services
I'm trying to issue a new certificate from a CA internal to our network for a development website. I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file. The problem is that when I download the .cer file, it contains code and not the certificate. By code I mean VB. Has anybody run into this before? I've verified that ASP is functioning normally on the server. The code in the .cer file is below:
<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<% ' ########## BEGIN SERVER SIDE EXECUTION ##########
'Process a Certificate Request
Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
On Error Resume Next
' from \nt\public\sdk\inc\certcli.h
Const CR_OUT_BASE64HEADER=&H00000000
Const CR_OUT_BASE64=&H00000001
Const CR_OUT_BINARY=&H00000002
Const CR_OUT_CHAIN=&H00000100
'Disposition code ref: \nt\public\sdk\inc\certcli.h
Const CR_DISP_INCOMPLETE =0
Const CR_DISP_ERROR =1
Const CR_DISP_DENIED =2
Const CR_DISP_ISSUED =3
Const CR_DISP_ISSUED_OUT_OF_BAND =4
Const CR_DISP_UNDER_SUBMISSION =5
Const CR_DISP_REVOKED =6
Const no_disp=-1
Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index
'Stop 'debugging breakpoint
' determine the requested encoding
If "bin"=Request.QueryString("Enc") Then
  nEncoding=CR_OUT_BINARY
Else '"b64"=Request.QueryString("Enc")
  nEncoding=CR_OUT_BASE64HEADER
End If
' create the object to do the request
Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
Set ICertRequest=Session("ICertRequest")
nDisposition=no_disp
Err.Clear 'make sure we catch the HRESULT and not some earlier error
If "CACert"=Request.QueryString("ReqID") Then
  ' get the CA cert
  sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
  nResult=Err.Number
  sErrMsg=Err.Description
  If 0<>nResult Then
    'internal redirect - transfer control to error page
    Session("nResult")=nResult
    Session("sErrMsg")=sErrMsg
    Server.Transfer("certrser.asp")
  End If
Else
  ' Fetch the user's cert
  nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
  nResult=Err.number
  sErrMsg=Err.Description
  If nDisposition=CR_DISP_ISSUED Then
    ' Remove this request from the user's cookie
    RemoveReq(Request.QueryString("ReqID"))
    sCert=ICertRequest.GetCertificate(nEncoding)
  Else
    'internal redirect - transfer control to error page
    Session("nDisposition")=nDisposition
    Session("nResult")=nResult
    Session("sErrMsg")=sErrMsg
    Server.Transfer("certrser.asp")
  End If
End If
' Netscape automagically installs anything that is "x-x509-***-cert",
' so pick MIME type depending upon what we want the browser to do.
' (IE treats all types the same)
If "inst"=Request.QueryString("Mode") Then
  ' We want Netscape to install
  If "CACert"=Request.QueryString("ReqID") Then
    ' Netscape installs this type and does not expect to have a private key
    Response.ContentType="application/x-x509-ca-cert"
  Else
    ' Netscape installs this type and expects to have a private key
    Response.ContentType="application/x-x509-user-cert"
  End If
Else
  ' We don't wan't Netscape to install
  Response.ContentType="application/pkix-cert" ' Netscape does not install this type
End If
' send the cert to the client
Response.Clear 'guarantee no extraneous bytes
If CR_OUT_BINARY=nEncoding Then
  Response.BinaryWrite(sCert)
Else
  Response.Write(sCert)
End If
' ########## END SERVER SIDE EXECUTION ##########
%>
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?
ASKER
Yeah, the CA is set up to automatically issue the certs without me having to approve them. I just changed that yesterday while troubleshooting this so I was having the same problem before when I was manually issuing the certs. But to answer your question, yes I can verify that the certs are shown as having been issued.
ASKER
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine. Whack. Don't know how that changed....
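A structural check for the symptom described in this thread, a .cer download that carries the unprocessed ASP script instead of a certificate. This is an added example, not part of the original posts: the function names and sample bytes are constructed, and the DER test inspects only the outer SEQUENCE header rather than validating a certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)

def _is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one DER SEQUENCE (outer TLV only)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:
        n = first & 0x7F                   # long form: n length bytes follow
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return header + length == len(blob)

def classify_cer(data: bytes) -> str:
    """Classify the body a server returned for a .cer download."""
    # Binary first: random certificate bytes could contain "<%" by chance.
    if _is_der_sequence(data):
        return "der-certificate"
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return "unknown"
        return "pem-certificate" if _is_der_sequence(der) else "unknown"
    # Script delimiters or include directives mean the server sent the
    # script itself, i.e. .cer was not handed to the ASP engine.
    if (b"<%" in data and b"%>" in data) or b"#include" in data.lower():
        return "asp-source"
    return "unknown"

# Constructed samples (the DER blob is a placeholder, not a real certificate).
ASP_LEAK = (b"<%@ CODEPAGE=65001 'UTF-8%>\r\n"
            b"<!-- #include FILE=certdat.inc -->\r\n<% Dim sCert %>")
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER)
            + b"-----END CERTIFICATE-----\n")
```

An "asp-source" result on a certificate endpoint is also a source-disclosure finding, since the same missing extension mapping exposes whatever the script contains.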