Solved

Weird problem with Win2k Certificate Services

Posted on 2004-09-27
Last Modified: 2012-06-22
I'm trying to issue a new certificate from a CA internal to our network for a development website.  I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file.  The problem is that when I download the .cer file, it contains code and not the certificate.  By code I mean VB.  Has anybody run into this before?  I've verified that ASP is functioning normally on the server.  The code in the .cer file is below:

<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
  ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########

      'Process a Certificate Request

      Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
      On Error Resume Next

      ' from \nt\public\sdk\inc\certcli.h
      Const CR_OUT_BASE64HEADER=&H00000000
      Const CR_OUT_BASE64=&H00000001
      Const CR_OUT_BINARY=&H00000002
      Const CR_OUT_CHAIN=&H00000100
      
      'Disposition code ref: \nt\public\sdk\inc\certcli.h
      Const CR_DISP_INCOMPLETE        =0
      Const CR_DISP_ERROR             =1
      Const CR_DISP_DENIED            =2
      Const CR_DISP_ISSUED            =3
      Const CR_DISP_ISSUED_OUT_OF_BAND=4
      Const CR_DISP_UNDER_SUBMISSION  =5
      Const CR_DISP_REVOKED           =6
      Const no_disp=-1

      Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
      Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index

      'Stop 'debugging breakpoint
      
      ' determine the requested encoding
      If "bin"=Request.QueryString("Enc") Then
            nEncoding=CR_OUT_BINARY
      Else '"b64"=Request.QueryString("Enc")
            nEncoding=CR_OUT_BASE64HEADER
      End If

      ' create the object to do the request
      Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
      Set ICertRequest=Session("ICertRequest")
      nDisposition=no_disp

      Err.Clear 'make sure we catch the HRESULT and not some earlier error
      
      If "CACert"=Request.QueryString("ReqID") Then
            ' get the CA cert
            sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
            nResult=Err.Number
            sErrMsg=Err.Description

            If 0<>nResult Then
                  'internal redirect - transfer control to error page
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If

      Else
            ' Fetch the user's cert
            nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
            nResult=Err.number
            sErrMsg=Err.Description
            
            If nDisposition=CR_DISP_ISSUED Then
                  ' Remove this request from the user's cookie
                  RemoveReq(Request.QueryString("ReqID"))

                  sCert=ICertRequest.GetCertificate(nEncoding)
            Else
                  'internal redirect - transfer control to error page
                  Session("nDisposition")=nDisposition
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If
      End If

      ' Netscape automagically installs anything that is "x-x509-***-cert",
      ' so pick MIME type depending upon what we want the browser to do.
      ' (IE treats all types the same)
      If "inst"=Request.QueryString("Mode") Then
            ' We want Netscape to install
            If "CACert"=Request.QueryString("ReqID") Then
                  ' Netscape installs this type and does not expect to have a private key
                  Response.ContentType="application/x-x509-ca-cert"
            Else
                  ' Netscape installs this type and expects to have a private key
                  Response.ContentType="application/x-x509-user-cert"
            End If

      Else
            ' We don't want Netscape to install
            Response.ContentType="application/pkix-cert" ' Netscape does not install this type
      End If

      ' send the cert to the client
      Response.Clear 'guarantee no extraneous bytes
      If CR_OUT_BINARY=nEncoding Then
            Response.BinaryWrite(sCert)
      Else
            Response.Write(sCert)
      End If
      
      ' ########## END SERVER SIDE EXECUTION ##########
%>
Question by:jonbigelow

Author Comment

by:jonbigelow
ID: 12165027
Wow, I must have a pretty tough problem...  Goodie....

Expert Comment

by:swinterborn
ID: 12168486
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?

Author Comment

by:jonbigelow
ID: 12170581
Yeah, the CA is set up to automatically issue the certs without me having to approve them.  I just changed that yesterday while troubleshooting this, so I was having the same problem before when I was manually issuing the certs.  But to answer your question, yes, I can verify that the certs are shown as having been issued.

Author Comment

by:jonbigelow
ID: 12170931
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine.  Whack.  Don't know how that changed....
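
A check for the symptom described in this thread, telling a real certificate apart from unexecuted script source in a file saved from certnew.cer. This is an added example, not part of the original thread or of Microsoft's code; the function names and sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (outer shell of an X.509 cert)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def classify_cer_download(body: bytes) -> str:
    """Return 'der-cert', 'pem-cert', 'asp-source' or 'unknown'.

    Only the outer encoding is checked; this does not validate the certificate.
    """
    if is_der_sequence(body):             # Enc=bin response
        return "der-cert"
    m = PEM_RE.search(body)
    if m:                                 # Enc=b64 response
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        return "pem-cert" if is_der_sequence(der) else "unknown"
    # Script delimiters or include directives mean the file was never executed.
    if b"<%" in body or b"#include" in body:
        return "asp-source"
    return "unknown"

# Constructed samples (not real certificates): a minimal DER SEQUENCE, the same
# bytes PEM-armoured, and the opening lines of the script quoted in the question.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END CERTIFICATE-----\r\n")
SAMPLE_ASP = b"<%@ CODEPAGE=65001 'UTF-8%>\r\n<!-- #include FILE=certdat.inc -->\r\n"

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM), ("asp", SAMPLE_ASP)]:
        print(name, "->", classify_cer_download(blob))
```

An 'asp-source' result means the web server returned the script as static content, so the handler mapping for the extension is the thing to check.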

Accepted Solution

by:Computer101
ID: 12208263
PAQed, with points refunded (250)

Computer101
E-E Admin