Full Version: Trouble Requesting Certificate from WindowsXP
puravida
Issue Owner: Brandon Elliott

Issue: There are a number of issues installing certificates by machines other than Windows VISTA.

Reason: Windows VISTA requires Windows Server 2008 Certification Authority [CA]. This CA is supposed to be backwards compatible, but -as of this post- is not. In an effort to release VISTA sooner, Microsoft went forward with the release even though Windows Server 2008 [Longhorn] is not yet supported or stable (See Microsoft KB Q922706).

Solution: Researching...

Note: We have the following notes from prior testing on this issue...
Keyset does not exist: certificate failure. WinXP cannot install from Longhorn. Vista works fine but only when IE is run as admin. The error code seen so far is: 0X80090016 - which translates to NTE_BAD_KEYSET
KB922706
puravida
Test Plan: Test on WinXP Pro and WinXP Home (or Media Center). Must test IE6, IE7, FF on both platforms.

Description: We have been unable to re-create this scenario on our machines. Therefore, we must test across various operating systems and browsers to identify the settings/setup that causes this issue.
puravida
First Test: Internet Explorer 7 on WinXP Media Center Edition (SP2)
IE Version: 7.0.5730.11 / Update Versions:0
Local Computer Permission: Administrator

Result: Success w/ warning

Details: The certificate request went through, I was able to issue it successfully, and it did install as expected. I was prompted with a warning that the thumbprint was unconfirmed for "achbusiness CA", but ignoring this error allowed the certificate to install properly.
puravida
Second Test: Firefox on WinXP Media Center Edition (SP2)
FF Version: 2.0.0.6 / Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
Local Computer Permission: Administrator

Result: Failed w/ error

Errors: The request subject name is invalid or too long. 0x80094001 (-2146877439)
*Error Constructing or Publishing Certificate Resubmitted by NET\User

Details: The certificate request went through. When viewing the details of this certificate in CA, the fields appear to be correct. However, viewing the certificate once failed shows the fields to be blank (although shown in View Attributes/Extensions).

Error Research: Found the following so far:

Enabling Netscape Browser Enrollment

The following configuration change must be made to a Windows Server 2003 CA to permit Netscape 6.2.2 and later browsers to perform enrollment through the Web enrollment pages.

To enable the parsing of request attributes for subject information, which is required for Netscape browser enrollment, use the following command:

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

The certification authority must be stopped and re-started for this change to take effect. If this is not enabled, Netscape clients will receive the following error in the event log when the enrollment fails: The request subject name is invalid or too long.

Status: Postponing further testing of this error -as it is not the primary issue, but may be related.
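
The configuration change quoted in the post above, as an added PowerShell example that is not part of the original thread: it reads the CA's CRLFlags value from the registry before and after the certutil command, so the changed bits are on record, then restarts the CA service. The registry path and the "Active" value used to locate the CA's configuration key are assumptions about a default Certificate Services install; run it elevated on the CA server.

```powershell
# Added example, not from the original post.
$ErrorActionPreference = 'Stop'

# Assumption: default Certificate Services registry layout, where the
# "Active" value names the configuration subkey of the running CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg -Name Active).Active
$caKey  = Join-Path $cfg $caName

function Get-CrlFlags {
    # CRLFlags is a REG_DWORD bit mask
    (Get-ItemProperty -Path $caKey -Name CRLFlags).CRLFlags
}

$before = Get-CrlFlags

# The command from the post: allow subject information to be parsed
# from request attributes.
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
if ($LASTEXITCODE -ne 0) {
    throw "certutil -setreg failed with exit code $LASTEXITCODE"
}

$after = Get-CrlFlags

# Keep this output with the change record; the XOR shows which bits moved.
'CA             : {0}'      -f $caName
'CRLFlags before: 0x{0:X8}' -f $before
'CRLFlags after : 0x{0:X8}' -f $after
'Bits changed   : 0x{0:X8}' -f ($before -bxor $after)

# The CA reads the flag at service start, so stop and restart it.
Restart-Service -Name CertSvc
'CertSvc status : {0}' -f (Get-Service -Name CertSvc).Status

# To revert, clear the flag and restart the service again:
#   certutil -setreg ca\CRLFlags -CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
```

With the flag set, subject information is taken from request attributes, so check the subject shown on each pending request in the CA console before issuing it.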
puravida
Third Test: Internet Explorer 7 on WinXP Media Center Edition (SP2)
IE Version: 7.0.5730.11 / Update Versions:0
Local Computer Permission: Guest

Result: Success w/ error

Details: The certificate request went through, I was able to issue it successfully, and it did install as expected. I was not prompted with a warning that the thumbprint was unconfirmed for "achbusiness CA", but that was probably because I already accepted that warning in the first test OR it was related to the error that I did receive. I got a blank error message that when clicking 'YES' would still successfully install the certificate.

Here is the error dialog I received:

[Attachment: screenshot of the error dialog]

Thoughts: It is possible that the only reason this install succeeded was because I already installed a certificate as administrator. I will need to either 1) delete all certs and try again first as guest OR 2) try an install from a clean build.
puravida
Update: One of the previous systems that was failing to install was a WinXP SP2 w/ IE6. After an upgrade to IE7, they were able to install the certificate successfully.

However, there are still three (3) other systems that we know of running IE7 that still are unable to install the certificate. I have left messages for one of them to call me back when she has time to go over her settings (so I can reproduce the error).
puravida
Update: Cust1 (Carol) is logged on as administrator and receives "Unable to install the certificate error: 0x80090016" when trying to install a certificate. However, downloading the certificate and installing does "seem to" work. However, she is having a new issue:

When the certificate requirement on the server is OFF, she can access https://hosted.achbusiness.com

With certificate required turned ON, she gets "Page Cannot be Displayed"

Status: I have come across the following information in regards to the original NTE_BAD_KEYSET issue

QUOTE
NTE_BAD_KEYSET could be returned if an existing key set does not support the key length required by the CSP. This situation can occur if the key set existed prior to an upgrade, such as a service pack, but after the upgrade the provider requires a key with greater length.

Cust1 has had their certificate for over a year -which was prior to a recent service pack 2 upgrade. Also, the CSP is set to 2048-bit (whereas I believe it was 1024-bit previously -need to confirm this). If so, this makes me think it might be that her machine is having issues with the new 2048-bit certificates. However, I see no place to "Require a specific key length", so I'm wondering if a mismatched key length between the public key (server) and the private key (cust1 computer) would make a difference here...

New Issue: With Certificate Required, Gets "Page Cannot be Displayed" AFTER Prompted for Certificate
puravida
Status: On-Hold

I believe that the reason for the "Page Cannot be Displayed" message AFTER a certificate is -supposedly- successfully installed is that the certificate is not correctly linked within IE. I do not feel this is limited to IE6 or IE7, but in some cases it has been reported that an upgrade from IE6 to IE7 corrected the issue. However, we have been unable to reproduce the problem and definitively prove one way or another.

As a result, we will have to wait for a fix from Microsoft. In the meantime, the few users experiencing this issue can use Firefox as a work-around.