Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Tuesday, May 8, 2012 3:17 PM
Hi,
Platform: Windows Server 2008 R2 Enterprise
I have the requirement to enroll Certificates for Users via Web Enrollment. Additional Requirement is the support for other Browsers then IE. The basic functionality of a standalone CA Web enrollment is in fact enough – just Enroll “Web Browser Certificate”, but the CA is Enterprise CA.
For standalone CA I have at least support for Mozilla and Chrome (Safari does still not work) after
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
For Enterprise CA the situation is different. http://webenroll.domain.top/certsrv/certrqma.asp is loading partially, but cannot determine CSP's.
Any solution known?
Thomas
Friday, May 11, 2012 8:01 AM ✅Answered
HI,
Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll, so please make sure all Non IE browsers support it.
Best regards, Jason Mei Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Thursday, May 10, 2012 8:55 AM
Hello,
Thank you for your post.
This is a quick note to let you know that we are performing research on this issue.
Best Regards
Elytis Cheng
Elytis Cheng
TechNet Community Support
Thursday, May 10, 2012 6:47 PM
Hello,
Thank you, did additional testing for different browsers to Standalone-CA / Enterprise-CA
Standalone CA (does use certrqbi.asp)
- IE – Fine, works as intended an does Provide basic selection for CSP and key length as additional options, request is handled by CA, Certificate installable
- Firefox, Chrome, works (as intended), does only offer dropdown for key length, not CSP selection, request is handled by CA, Certificate is installable, does require “certutil -setreg …” as described above
- Safari, does not work, no values in dropdown for key length, cannot submit form
- Opera not tested for now
Enterprise CA (does use certrqma.asp)
Does only work for IE, for any other browser I testes the certrqma.asp does try to enlist CSP’s on client side via ActiveX and fails, form cannot submit.
certrqbi.asp additionals: This ASP is by design default for a Standalone CA, but you can also call it on Enterprise CA. When executed on Enterprise CA different code segments are used. All interactive form elements for reques specification are removed and certrqbi.asp does make a fallback to a standard user certificate with certificate template "User".
Best regards,
Thomas
Thursday, May 10, 2012 7:04 PM | 1 vote
Thomas, I delivered a session at the Nordic Infrastructure Conference that includes a section on how to customize the /CertSrv Web site to add additional certificates for enrollment from non-Windows clients.
Brian
Thursday, March 12, 2015 9:53 AM
Hi, is it possible to run Chrome/Safari/Opera on mobile devices (Android/iOS) to enroll from a Microsoft CA ?
Thanks, Magnus
Magnus
Thursday, March 12, 2015 2:25 PM
For the full functionality, the answer remains the same. Chrome/Safari/Opera do not support ActiveX controls, so the requests will fail. It is possible to modify the pages, so that a simple certificate could be enrolled, but you have to make several modifications. See https://vimeo.com/35061729 where I describe how at the 2012 NIC conference.
Brian
P.S. Next time, please start a new thread rather than resurrecting a 3 year old thread
Monday, March 2, 2020 7:42 PM
Hi Brian & Everybody! As of 2020, is this still the same? I mean, no support for any other browser than IE w/Enterprise CA? It seems that the 2012 NIC video is no longer online :(
Thanks for your help!
Thursday, May 14, 2020 2:57 PM
No. Nothing changed. You can add openssl.js to web enrollment pages and use it to request, receive and save cert on client