Solved

Weird problem with Win2k Certificate Services

Posted on 2004-09-27
6
640 Views
Last Modified: 2012-06-22
I'm trying to issue a new certificate from an CA internal to our network for a development website.  I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file.  The problem is that when I download the .cer file, it contains code and not the certificate.  By code I mean VB.  Has anybody run into this before?  I've verified that ASP is functioning normally on the server.  The code in the .cer file is below:

<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
  ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########

      'Process a Certificate Request

      Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
      On Error Resume Next

      ' from \nt\public\sdk\inc\certcli.h
      Const CR_OUT_BASE64HEADER=&H00000000
      Const CR_OUT_BASE64=&H00000001
      Const CR_OUT_BINARY=&H00000002
      Const CR_OUT_CHAIN=&H00000100
      
      'Disposition code ref: \nt\public\sdk\inc\certcli.h
      Const CR_DISP_INCOMPLETE        =0
      Const CR_DISP_ERROR             =1
      Const CR_DISP_DENIED            =2
      Const CR_DISP_ISSUED            =3
      Const CR_DISP_ISSUED_OUT_OF_BAND=4
      Const CR_DISP_UNDER_SUBMISSION  =5
      Const CR_DISP_REVOKED           =6
      Const no_disp=-1

      Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
      Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index

      'Stop 'debugging breakpoint
      
      ' determine the requested encoding
      If "bin"=Request.QueryString("Enc") Then
            nEncoding=CR_OUT_BINARY
      Else '"b64"=Request.QueryString("Enc")
            nEncoding=CR_OUT_BASE64HEADER
      End If

      ' create the object to do the request
      Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
      Set ICertRequest=Session("ICertRequest")
      nDisposition=no_disp

      Err.Clear 'make sure we catch the HRESULT and not some earlier error
      
      If "CACert"=Request.QueryString("ReqID") Then
            ' get the CA cert
            sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
            nResult=Err.Number
            sErrMsg=Err.Description

            If 0<>nResult Then
                  'internal redirect - transfer control to error page
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If

      Else
            ' Fetch the user's cert
            nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
            nResult=Err.number
            sErrMsg=Err.Description
            
            If nDisposition=CR_DISP_ISSUED Then
                  ' Remove this request from the user's cookie
                  RemoveReq(Request.QueryString("ReqID"))

                  sCert=ICertRequest.GetCertificate(nEncoding)
            Else
                  'internal redirect - transfer control to error page
                  Session("nDisposition")=nDisposition
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If
      End If

      ' Netscape automagically installs anything that is "x-x509-***-cert",
      ' so pick MIME type depending upon what we want the browser to do.
      ' (IE treats all types the same)
      If "inst"=Request.QueryString("Mode") Then
            ' We want Netscape to install
            If "CACert"=Request.QueryString("ReqID") Then
                  ' Netscape installs this type and does not expect to have a private key
                  Response.ContentType="application/x-x509-ca-cert"
            Else
                  ' Netscape installs this type and expects to have a private key
                  Response.ContentType="application/x-x509-user-cert"
            End If

      Else
            ' We don't wan't Netscape to install
            Response.ContentType="application/pkix-cert" ' Netscape does not install this type
      End If

      ' send the cert to the client
      Response.Clear 'guarantee no extraneous bytes
      If CR_OUT_BINARY=nEncoding Then
            Response.BinaryWrite(sCert)
      Else
            Response.Write(sCert)
      End If
      
      ' ########## END SERVER SIDE EXECUTION ##########
%>
0
Comment
Question by:jonbigelow
  • 3
6 Comments
 

Author Comment

by:jonbigelow
ID: 12165027
Wow, I must have a pretty tough problem...  Goodie....
0
 
LVL 5

Expert Comment

by:swinterborn
ID: 12168486
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?
0
 

Author Comment

by:jonbigelow
ID: 12170581
Yeah, the CA is setup to automatically issue the certs without me having to approve them.  I just changed that yesterday while troubleshooting this so I was having the same problem before when I was manually issuing the certs.  But to answer your question, yes I can verify that the certs are shown as having been issued.
0
 

Author Comment

by:jonbigelow
ID: 12170931
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine.  Whack.  Don't know how that changed....
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
ID: 12208263
PAQed, with points refunded (250)

Computer101
E-E Admin
0

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Protect postfix server against DDos / Dos attacks 7 36
Local User Account Group Policy 8 43
Admin account lockout 10 41
Review of apps API SSL Cert policy 2 22
The 21st century solution to antiquated pagers.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question