Redirecting Windows 2003 CA Enrollment Site to HTTPS

We have an internal Microsoft Windows 2003 CA server running to handle certificates for our VPN users. The site was configured to require SSL to access the enrollment page and a certificate is installed on the server.

This was working fine but suddenly we are having a problem where the redirection is not working. If I enter https://servername/certsrv I get a page cannot be displayed. If I enter http://servername/certsrv I get a message that secure communications is required.

I've verified that the certificate is valid and don't see anything wrong with the configuration. There are no messages in the event or IIS logs.

Where else can I look to get this resolved?

Who is Participating?
arnoldConnect With a Mentor Commented:
Require 128 means the connection will have to be 128 bit, but as long as the require secure channel is check only https: type of access will be granted.
If the ignore client certificate is not select but something else a connection from a user that does not present a client certificate will not be permitted to access. My guess is that the setup was done such that the initial certificate is provided by the admin and then the user after importing the ID certificate into the browser they can then renew their certificates remotely.

double check the Certificate on the IIS web site for https://servername to make sure it is valid.
Take out the requre SSL under the web site's configuration which will allow you to access it without ssl and if it does not work either, you may have a configuarion issue i.e. the wrong .NET framework is applied to this virtual site.
snowmizerAuthor Commented:
The certificate on the IIS website is valid. If I remove the SSL requirement I can access the enrollment page (but can't run this without SSL).
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

DarinTCHSenior CyberSecurity EngineerCommented:
what if you manually install the cert locally?
do you still get the error?
do you attempt to convert requests to the http to automagicallly switch to https?

ps you have restarted IIS right?
Check whether you have a requirement for certenroll and/or certcontrol which could explain why when accessing without https you are having an issue if any request/fulfillment is redirected there and it requires an SSL connection.
Enable logging on the virtual site and see what errors if any are reported there.
The .NET framework should be 1.1.4322.
snowmizerAuthor Commented:
Yeah I have restarted IIS. Certsrv, certenroll and certcontrol all have requirements for SSL. The version of .NET framework running on all is 1.1.4322. The cert on the sites is a verisign site specifically for the domain name we use to allow remote users to access the enrollment site.

I don't have anything in place to automatically switch from http to hpps if the users enter http://servername/certsrv but I would like to have this. How can you go about doing this with CA sites? Would it be similar to how you do OWA (create a redirect page and set the 403.4 error redirect page to my new redirect page)?

We applied the newest round of Windows updates this morning. I'm wondering if this maybe caused an issue since this was working last week and no changes have been made.
The SSL requirement within IIS is what generates the notice when a non-SSL connection is made.
IIS properties of the virtual directory, Directory Security, hit edit under the secure communications option. There you will see at the top the check box for require Secure Channel (SSL).

Double check wheter your settings require that the client accessing the https://servername/certsrv must present a valid client certificate within the same location as above. Require client certificates, etc.
snowmizerAuthor Commented:
The check box to require SSL is checked, require 128-bit isn't checked, ignore client certificates is not checked. This is the configuration in all three locations (certenroll, certcontrol, and certsrv) plus the default web site.
snowmizerAuthor Commented:
I built a new 2003 server on our test network, restored the CA database and re-installed the cert. After doing this my site works so it looks like it's something on my server itself. I tried matching up settings from the new server and the production server. Everything matches but the cert on the prod server still doesn't work.

We're going to just build a new 2008 server and restore the CA on the new server.

Thanks everyone for the replies.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.