jonbigelow

Weird problem with Win2k Certificate Services

I'm trying to issue a new certificate from a CA internal to our network for a development website.  I follow all the normal steps generating a CSR through the ISM, submitting the CSR to the CA, issuing the certificate, and then downloading the .cer file.  The problem is that when I download the .cer file, it contains code and not the certificate.  By code I mean VB.  Has anybody run into this before?  I've verified that ASP is functioning normally on the server.  The code in the .cer file is below:

<%@ CODEPAGE=65001 'UTF-8%>
<%' certnew.cer - (CERT)srv web - return a (NEW) certificate
  ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
<!-- #include FILE=certdat.inc -->
<!-- #include FILE=certsrck.inc -->
<%  ' ########## BEGIN SERVER SIDE EXECUTION ##########

      'Process a Certificate Request

      Dim nDisposition, nResult, sCert, sErrMsg, nEncoding
      On Error Resume Next

      ' from \nt\public\sdk\inc\certcli.h
      Const CR_OUT_BASE64HEADER=&H00000000
      Const CR_OUT_BASE64=&H00000001
      Const CR_OUT_BINARY=&H00000002
      Const CR_OUT_CHAIN=&H00000100
      
      'Disposition code ref: \nt\public\sdk\inc\certcli.h
      Const CR_DISP_INCOMPLETE        =0
      Const CR_DISP_ERROR             =1
      Const CR_DISP_DENIED            =2
      Const CR_DISP_ISSUED            =3
      Const CR_DISP_ISSUED_OUT_OF_BAND=4
      Const CR_DISP_UNDER_SUBMISSION  =5
      Const CR_DISP_REVOKED           =6
      Const no_disp=-1

      Const GETCERT_CACERTBYINDEX=&H63740000 ' + 0 based index
      Const GETCERT_CRLBYINDEX=&H636C0000 ' + 0 based index

      'Stop 'debugging breakpoint
      
      ' determine the requested encoding
      If "bin"=Request.QueryString("Enc") Then
            nEncoding=CR_OUT_BINARY
      Else '"b64"=Request.QueryString("Enc")
            nEncoding=CR_OUT_BASE64HEADER
      End If

      ' create the object to do the request
      Set Session("ICertRequest")=Server.CreateObject("CertificateAuthority.Request")
      Set ICertRequest=Session("ICertRequest")
      nDisposition=no_disp

      Err.Clear 'make sure we catch the HRESULT and not some earlier error
      
      If "CACert"=Request.QueryString("ReqID") Then
            ' get the CA cert
            sCert=ICertRequest.GetCACertificate(GETCERT_CACERTBYINDEX+Request.QueryString("Renewal"), sServerConfig, nEncoding)
            nResult=Err.Number
            sErrMsg=Err.Description

            If 0<>nResult Then
                  'internal redirect - transfer control to error page
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If

      Else
            ' Fetch the user's cert
            nDisposition=ICertRequest.RetrievePending(Request.QueryString("ReqID"), sServerConfig)
            nResult=Err.number
            sErrMsg=Err.Description
            
            If nDisposition=CR_DISP_ISSUED Then
                  ' Remove this request from the user's cookie
                  RemoveReq(Request.QueryString("ReqID"))

                  sCert=ICertRequest.GetCertificate(nEncoding)
            Else
                  'internal redirect - transfer control to error page
                  Session("nDisposition")=nDisposition
                  Session("nResult")=nResult
                  Session("sErrMsg")=sErrMsg
                  Server.Transfer("certrser.asp")
            End If
      End If

      ' Netscape automagically installs anything that is "x-x509-***-cert",
      ' so pick MIME type depending upon what we want the browser to do.
      ' (IE treats all types the same)
      If "inst"=Request.QueryString("Mode") Then
            ' We want Netscape to install
            If "CACert"=Request.QueryString("ReqID") Then
                  ' Netscape installs this type and does not expect to have a private key
                  Response.ContentType="application/x-x509-ca-cert"
            Else
                  ' Netscape installs this type and expects to have a private key
                  Response.ContentType="application/x-x509-user-cert"
            End If

      Else
            ' We don't want Netscape to install
            Response.ContentType="application/pkix-cert" ' Netscape does not install this type
      End If

      ' send the cert to the client
      Response.Clear 'guarantee no extraneous bytes
      If CR_OUT_BINARY=nEncoding Then
            Response.BinaryWrite(sCert)
      Else
            Response.Write(sCert)
      End If
      
      ' ########## END SERVER SIDE EXECUTION ##########
%>
jonbigelow

ASKER

Wow, I must have a pretty tough problem...  Goodie....
Not seen it, but the code looks like it is the code that actually requests a cert from the CA. Has the cert actually been issued - in Certificate Management, does it appear in the list of issued certs?
Yeah, the CA is set up to automatically issue the certs without me having to approve them.  I just changed that yesterday while troubleshooting this so I was having the same problem before when I was manually issuing the certs.  But to answer your question, yes I can verify that the certs are shown as having been issued.
Ok, so just on a hunch I added .cer as an extension to get processed by asp.dll and it worked fine.  Whack.  Don't know how that changed....
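
Added example, not part of the original thread and not Microsoft's code: a Python check that tells whether a downloaded .cer file holds a certificate or the certnew.cer script source, which is what the server returns when .cer is not mapped to asp.dll. The function names and sample bytes are constructed for illustration, and the DER test is structural only (one outer SEQUENCE of the right length), not certificate validation.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)
# Strings that appear in the certnew.cer source quoted in the question.
ASP_MARKERS = (b"<%", b"<!-- #include", b"Server.CreateObject")


def der_sequence_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (structure only)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return hdr + length == len(data)


def classify_cer(data: bytes) -> str:
    """Classify the bytes the server returned for a .cer download."""
    if der_sequence_ok(data):             # Enc=bin response
        return "der-certificate"
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # drop UTF-8 BOM / whitespace
    m = PEM_RE.search(body)
    if m:                                 # Enc=b64 response
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:
            return "unknown"
        return "pem-certificate" if der_sequence_ok(der) else "unknown"
    if any(marker in body for marker in ASP_MARKERS):
        return "asp-source"               # script was served, not executed
    return "unknown"


# Constructed samples: a 260-byte DER-shaped blob, its PEM form, and the
# first two lines of the script source from the question.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_ASP = (b"<%@ CODEPAGE=65001 'UTF-8%>\r\n"
              b"<%' certnew.cer - (CERT)srv web - return a (NEW) certificate\r\n")
```

An "asp-source" result means the server is disclosing script source for that extension, so the script mapping is what needs checking, as the asker found.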