The Certificate Web Enrollment component of Certificate Services is fairly helpful for allowing easy certificate request and enrollment from any computer.
It does require Internet Explorer because of an Active X control that runs on the page, but this is acceptable. It also needs to be connected to using HTTPS – which is also fine. Except when it isn’t. Or more accurately, reports that you are not connected via HTTPS when you in fact are.
The following error message appears when connecting to this page from Internet Explorer 11 on a Windows Server 2012 R2 member server or DC:
“In order to complete certificte enrollment, the Web site for the CA must be configured to use HTTPS authentication.”
Clearly, Internet Explorer was using HTTPS to communicate with this web site. Clicking OK on the error message and hoping to just ignore it wasn’t possible because most of the drop down boxes on the form were not being populated – preventing it from being submitted:
I spent quite some time investigating the cause of this error, including checking the certificate chain that the client was using:
Of course if the certificate or the chain was bad then SSL wouldn’t be being used – which it clearly was.
Eventually I identified the cause of the problem. The Active X was being prevented from being run properly because of IE security. This is probably a good thing on a Server operating system, but the error mesage being presented in this case was very misleading.
The way to fix this is to add the web site to the trusted sites list in Internet Explorer:
- Select Internet Options from the Internet Explorer Settings menu:
- Select the Security tab and click Trusted Sites:
- Click the Sites button.
- Enter the https URL of the Certificate Web Enrollment site and click Add:
- Click Close.
The web site can now be refreshed and should work correctly at last:
Hopefully this helps someone out there avoid this annoying problem.