Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 679
  • Last Modified:

Weird problem with Win2k Certificate Services

I'm trying to issue a new certificate from an CA internal to our network for a development website.  I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file.  The problem is that when I download the .cer file, it contains code and not the certificate.  By code I mean VB.  Has anybody run into this before?  I've verified that ASP is functioning normally on the server.  The code in the .cer file is below:

<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
  ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########

      'Process a Certificate Request

      Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
      On Error Resume Next

      ' from \nt\public\sdk\inc\certcli.h
      Const CR_OUT_BASE64HEADER=&H00000000
      Const CR_OUT_BASE64=&H00000001
      Const CR_OUT_BINARY=&H00000002
      Const CR_OUT_CHAIN=&H00000100
      
      'Disposition code ref: \nt\public\sdk\inc\certcli.h
      Const CR_DISP_INCOMPLETE        =0
      Const CR_DISP_ERROR             =1
      Const CR_DISP_DENIED            =2
      Const CR_DISP_ISSUED            =3
      Const CR_DISP_ISSUED_OUT_OF_BAND=4
      Const CR_DISP_UNDER_SUBMISSION  =5
      Const CR_DISP_REVOKED           =6
      Const no_disp=-1

      Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
      Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index

      'Stop 'debugging breakpoint
      
      ' determine the requested encoding
      If "bin"=Request.QueryString("Enc") Then
            nEncoding=CR_OUT_BINARY
      Else '"b64"=Request.QueryString("Enc")
            nEncoding=CR_OUT_BASE64HEADER
      End If

      ' create the object to do the request
      Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
      Set ICertRequest=Session("ICertRequest")
      nDisposition=no_disp

      Err.Clear 'make sure we catch the HRESULT and not some earlier error
      
      If "CACert"=Request.QueryString("ReqID") Then
            ' get the CA cert
            sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
            nResult=Err.Number
            sErrMsg=Err.Description

            If 0<>nResult Then
                  'internal redirect - transfer control to error page
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If

      Else
            ' Fetch the user's cert
            nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
            nResult=Err.number
            sErrMsg=Err.Description
            
            If nDisposition=CR_DISP_ISSUED Then
                  ' Remove this request from the user's cookie
                  RemoveReq(Request.QueryString("ReqID"))

                  sCert=ICertRequest.GetCertificate(nEncoding)
            Else
                  'internal redirect - transfer control to error page
                  Session("nDisposition")=nDisposition
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If
      End If

      ' Netscape automagically installs anything that is "x-x509-***-cert",
      ' so pick MIME type depending upon what we want the browser to do.
      ' (IE treats all types the same)
      If "inst"=Request.QueryString("Mode") Then
            ' We want Netscape to install
            If "CACert"=Request.QueryString("ReqID") Then
                  ' Netscape installs this type and does not expect to have a private key
                  Response.ContentType="application/x-x509-ca-cert"
            Else
                  ' Netscape installs this type and expects to have a private key
                  Response.ContentType="application/x-x509-user-cert"
            End If

      Else
            ' We don't wan't Netscape to install
            Response.ContentType="application/pkix-cert" ' Netscape does not install this type
      End If

      ' send the cert to the client
      Response.Clear 'guarantee no extraneous bytes
      If CR_OUT_BINARY=nEncoding Then
            Response.BinaryWrite(sCert)
      Else
            Response.Write(sCert)
      End If
      
      ' ########## END SERVER SIDE EXECUTION ##########
%>
0
jonbigelow
Asked:
jonbigelow
  • 3
1 Solution
 
jonbigelowAuthor Commented:
Wow, I must have a pretty tough problem...  Goodie....
0
 
swinterbornCommented:
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?
0
 
jonbigelowAuthor Commented:
Yeah, the CA is setup to automatically issue the certs without me having to approve them.  I just changed that yesterday while troubleshooting this so I was having the same problem before when I was manually issuing the certs.  But to answer your question, yes I can verify that the certs are shown as having been issued.
0
 
jonbigelowAuthor Commented:
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine.  Whack.  Don't know how that changed....
0
 
Computer101Commented:
PAQed, with points refunded (250)

Computer101
E-E Admin
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now