Problem installing a certificate from Certificate Server on Windows 2000

Posted on 2004-11-24
Medium Priority
Last Modified: 2013-12-04
Hello experts,

I'm having a problem obtaining a certificate from a CA running Certificate Services on a Windows 2000 box. Certificate Services has been installed as a stand-alone root CA.

My ultimate goal is to encrypt SQL Server traffic. To that end, I'm following the directions found here: http://support.microsoft.com/default.aspx?scid=276553 

To summarize, this document assumes you have a Certificate Server already installed and running. First, you open http://CertServerName/certsrv/ and request a certificate. Once you have it installed, you verify that it is installed using the Certificates snap-in for the MMC.

I've followed the directions to request the certificate. I've also figured out that, because my certificate server is installed as a stand-alone server instead of an enterprise server, I need to go to Start --> Programs --> Administrative Tools --> Certification Authority, find the certificate, and Issue it. When I go back to http://CertServerName/certsrv/, find the certificate, and click "Install this certificate", it says the certificate was installed successfully.

But here's my problem: when I go to verify that the certificate exists using MMC, it isn't there. From the documentation above: "Your installed certificates are located in the Certificates folder in the Personal container." But the Personal container is empty. There are no installed certificates.

Any ideas what is going on here? Am I missing any important relevant information?

Thanks for your help,

Question by:ckilian

Author Comment

ID: 12670240
After hours of beating my head against a wall, for repeated and multiple issues, I finally figured it out.

The problem was the instructions I was following. They made several assumptions without explaining that there were assumptions being made. And finally, for the problem I wrote you about, they were just plain wrong. They missed a step.

First, I tried following these instructions (http://support.microsoft.com/kb/316898/EN-US), which assume that you have a certificate server set up on your network without ever explicitly saying that. If you don't have a certificate server (also called a Certificate Authority, or CA) already set up, you'll get "Windows cannot find a certification authority to process the request." If you Google search that error, you're likely to come across an MSDN article (http://support.microsoft.com/default.aspx?scid=kb;en-us;Q271861) that suggests that you need to change some rights on your domain controller, but never mentions that you could be getting that error because you actually don't have a certificate server set up at all. It also doesn't mention that the article applies to Certificate Services. It actually doesn't mention anything whatsoever about Certificate Services, even though Certificate Services is integral to making those instructions have any effect whatsoever.

Furthermore, the first set of instructions is assuming not only that you have a certificate server set up, but also that the certificate server is set up in Enterprise mode, even though you can also install Certificate Server in Stand-Alone mode. If you do happen to have a certificate server set up already, but it is installed in stand-alone mode, the instructions using MMC simply will not work. You have to go through a website being run from the Certificate Services computer instead.

Which is yet ANOTHER thing they never mention: Certificate Services requires IIS. Fortunately, I already had IIS installed. Unfortunately, I would've assigned IP addresses differently and installed things in a different order had I known that ahead of time, but it turned out that it wasn't a big deal and I could work around it.

Second, I tried following these instructions (http://support.microsoft.com/default.aspx?scid=276553), which assume less but still assume a lot. For one thing, it still assumes you've set up your certificate server in Enterprise mode. From that page:

7. Leave all other items as the default. Click Submit.
8. The last page presents you with a Certificate to Install hyperlink. Click Install this certificate.

Well, guess what? If you click Submit as per #7, and your certificate server is configured in stand-alone mode, you don't get a link to install. Instead it tells you to check back in a few days. Then you have to go to the certificate server, fire up Certificate Services, right-click on the certificate request, and choose Issue. THEN you go back to http://certserver/certsrv/ and choose to view the status of your pending requests. THEN you can click Install.

Of course, EVEN IF you do that, it won't work. Because instruction #7 above was wrong. You shouldn't leave all the other items as default. You should also check "Use local certificate store" -- which you must have administrator rights to use. If you don't check that box, the certificate doesn't show up in the MMC Certificates screen, because it is installed into IE's certificate store instead of being installed into the computer's certificate store.

That's right. The problem that I initially wrote about was happening because the instructions had it installing the certificate into IE instead of into the computer-wide certificate store.

But until I figured that out, I spent several frustrating hours reading my documentation. Specifically:

"To verify that your certificate installation is correct, use either the MMC Certificate snap-in to verify the certificates or use the CertUtil.exe tool that is installed on the certificate server to list the certificates. To load the MMC Certificate snap-in, follow these steps ... " 

I followed those steps, and the certificate wasn't there (because of faulty instructions, but I've covered that). So there was something wrong. Obviously, the author of the instructions foresaw the very real possibility that something might go wrong, or else s/he wouldn't have left instructions on how to verify that everything had worked. But doesn't it make sense that if you think something might go wrong, you should leave instructions on how to fix anything that goes wrong? Perhaps links to other documents, for example. But no. Basically, the document reads:

1. Follow this series of complicated steps.
2. Verify that the steps worked. If they didn't, uh ... Hey look! A bird!
3. So now that everything worked...

I've been working on this problem for days, and the reality is I could've had it done in hours if I'd had decent documentation. I also could've estimated my time better.

I'm hoping that Experts Exchange can leave this answer up, because this post has a lot of information in one place that apparently exists only in scattered form elsewhere on the Internet. Hopefully I can help someone by having all the errors and corrections to faulty documentation in one place.
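The root cause described above is that the certificate landed in the user's (IE's) Personal store rather than the computer's Personal store, which is the one the MMC "Computer account" Certificates snap-in and SQL Server look at. The following PowerShell script is an added example, not part of the original post or of the Microsoft KB articles it cites; it assumes a Windows host with the `Cert:` provider available (Windows PowerShell, so not the Windows 2000 box in the question) and uses an assumed placeholder subject `CN=sqlserver.example.local` that you would replace with your own server's name. It checks both stores and reports which one actually holds the certificate, which is the check the KB article's "verify" step never spells out:

```powershell
# Added example: find where a freshly installed certificate actually went.
# "Install this certificate" from /certsrv/ without "Use local certificate
# store" writes to CurrentUser\My (IE's store); SQL Server and the MMC
# Computer account snap-in read LocalMachine\My.
# $SubjectPattern is an assumed placeholder; use your server's FQDN.
param(
    [string]$SubjectPattern = 'CN=sqlserver.example.local'   # assumed placeholder
)

function Find-ServerCertificate {
    param([string]$Pattern)

    # Cert: drive paths and what each store means for this problem.
    $stores = [ordered]@{
        'CurrentUser\My'  = 'user (IE) store - not visible to SQL Server'
        'LocalMachine\My' = 'computer store - what the KB article expects'
    }

    foreach ($store in $stores.Keys) {
        $hits = Get-ChildItem -Path "Cert:\$store" |
            Where-Object { $_.Subject -like "*$Pattern*" }

        foreach ($c in $hits) {
            [pscustomobject]@{
                Store         = $store
                Meaning       = $stores[$store]
                Subject       = $c.Subject
                Thumbprint    = $c.Thumbprint
                HasPrivateKey = $c.HasPrivateKey   # SQL Server needs the private key, not just the cert
                NotAfter      = $c.NotAfter
            }
        }
    }
}

$found = @(Find-ServerCertificate -Pattern $SubjectPattern)

if ($found.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectPattern' in either Personal store."
    Write-Warning "On a stand-alone CA the request may still be pending: issue it in the Certification Authority console, then install from 'view the status of your pending requests'."
}
else {
    $found | Format-Table -AutoSize
    $inMachineStore = $found | Where-Object { $_.Store -eq 'LocalMachine\My' }
    if (-not $inMachineStore) {
        Write-Warning "Certificate is only in the user store. Re-run the install with 'Use local certificate store' checked (requires administrator rights)."
    }
}
```

The same distinction is visible with the `certutil.exe` tool the KB article mentions for verification: `certutil -store My` lists the computer's Personal store, while `certutil -user -store My` lists the current user's Personal store. If the certificate shows up only in the second listing, the "Use local certificate store" checkbox was not ticked during installation.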

Expert Comment

ID: 12673279
Very nice summary. As I'm about to do something similar, it's well-timed too. Well done.

Can you award yourself the points !? :-D

Expert Comment

ID: 12712011
If it's any consolation, I've alerted the folks responsible for those KB articles that they should consult your response here, and clarify the articles in question.

Accepted Solution

modulo earned 0 total points
ID: 14114464
PAQed with points refunded (500)

Community Support Moderator
