Solved

Weird problem with Win2k Certificate Services

Posted on 2004-09-27
6
655 Views
Last Modified: 2012-06-22
I'm trying to issue a new certificate from an CA internal to our network for a development website.  I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file.  The problem is that when I download the .cer file, it contains code and not the certificate.  By code I mean VB.  Has anybody run into this before?  I've verified that ASP is functioning normally on the server.  The code in the .cer file is below:

<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
  ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########

      'Process a Certificate Request

      Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
      On Error Resume Next

      ' from \nt\public\sdk\inc\certcli.h
      Const CR_OUT_BASE64HEADER=&H00000000
      Const CR_OUT_BASE64=&H00000001
      Const CR_OUT_BINARY=&H00000002
      Const CR_OUT_CHAIN=&H00000100
      
      'Disposition code ref: \nt\public\sdk\inc\certcli.h
      Const CR_DISP_INCOMPLETE        =0
      Const CR_DISP_ERROR             =1
      Const CR_DISP_DENIED            =2
      Const CR_DISP_ISSUED            =3
      Const CR_DISP_ISSUED_OUT_OF_BAND=4
      Const CR_DISP_UNDER_SUBMISSION  =5
      Const CR_DISP_REVOKED           =6
      Const no_disp=-1

      Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
      Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index

      'Stop 'debugging breakpoint
      
      ' determine the requested encoding
      If "bin"=Request.QueryString("Enc") Then
            nEncoding=CR_OUT_BINARY
      Else '"b64"=Request.QueryString("Enc")
            nEncoding=CR_OUT_BASE64HEADER
      End If

      ' create the object to do the request
      Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
      Set ICertRequest=Session("ICertRequest")
      nDisposition=no_disp

      Err.Clear 'make sure we catch the HRESULT and not some earlier error
      
      If "CACert"=Request.QueryString("ReqID") Then
            ' get the CA cert
            sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
            nResult=Err.Number
            sErrMsg=Err.Description

            If 0<>nResult Then
                  'internal redirect - transfer control to error page
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If

      Else
            ' Fetch the user's cert
            nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
            nResult=Err.number
            sErrMsg=Err.Description
            
            If nDisposition=CR_DISP_ISSUED Then
                  ' Remove this request from the user's cookie
                  RemoveReq(Request.QueryString("ReqID"))

                  sCert=ICertRequest.GetCertificate(nEncoding)
            Else
                  'internal redirect - transfer control to error page
                  Session("nDisposition")=nDisposition
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If
      End If

      ' Netscape automagically installs anything that is "x-x509-***-cert",
      ' so pick MIME type depending upon what we want the browser to do.
      ' (IE treats all types the same)
      If "inst"=Request.QueryString("Mode") Then
            ' We want Netscape to install
            If "CACert"=Request.QueryString("ReqID") Then
                  ' Netscape installs this type and does not expect to have a private key
                  Response.ContentType="application/x-x509-ca-cert"
            Else
                  ' Netscape installs this type and expects to have a private key
                  Response.ContentType="application/x-x509-user-cert"
            End If

      Else
            ' We don't wan't Netscape to install
            Response.ContentType="application/pkix-cert" ' Netscape does not install this type
      End If

      ' send the cert to the client
      Response.Clear 'guarantee no extraneous bytes
      If CR_OUT_BINARY=nEncoding Then
            Response.BinaryWrite(sCert)
      Else
            Response.Write(sCert)
      End If
      
      ' ########## END SERVER SIDE EXECUTION ##########
%>
0
Comment
Question by:jonbigelow
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
6 Comments
 

Author Comment

by:jonbigelow
ID: 12165027
Wow, I must have a pretty tough problem...  Goodie....
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 12168486
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?
0
 

Author Comment

by:jonbigelow
ID: 12170581
Yeah, the CA is setup to automatically issue the certs without me having to approve them.  I just changed that yesterday while troubleshooting this so I was having the same problem before when I was manually issuing the certs.  But to answer your question, yes I can verify that the certs are shown as having been issued.
0
 

Author Comment

by:jonbigelow
ID: 12170931
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine.  Whack.  Don't know how that changed....
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12208263
PAQed, with points refunded (250)

Computer101
E-E Admin
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question