Red Hat Bugzilla – Bug 509998
attempt to import user certificate in IE on vista fails with error.
Last modified: 2015-01-04 18:39:22 EST
Description of problem:
Attempt to import user certificate in IE on Vista fails with error.
- When I access the secure end entity page, I get a vb-script pop-up
"Can't create CSP List Object! Error:438:Object doesn't support this property or method"
and then it asks me to install an ActiveX control.
I did the below bunch of changes in the browser:
- then I turned off the pop-up blocker
- I lowered the security level for this zone under the "Security" tab to Low (so that all active content can run)
- In the security settings under "ActiveX controls and plug-ins", I enabled scriptlets and "Allow previously unused ActiveX controls to run without prompt", and enabled "Download unsigned ActiveX controls"
(1)Base Cryptographic Provider v1.0(2048) - OK
- Importing the certificate into IE7 fails with the below error: (despite lowered security controls and allowing pop-ups) I tried to
Error in IntallResponse. Error Number 800B0109 occurred.CertEnroll::CX509Enrollment::p_InstallResponse:A Certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.0x800b0109(-2146762487)
*NOTE*: The import of the user certificate was successful only when I manually installed the base64 cert of the CA root cert.
(2)Base Cryptographic Provider v1.0(2048) -Not OK(just the same as XP)
Error Creating Request! Error: -2146893815
:CertEnroll::CX509Enrollment::p_CreateRequest:Invalid flags specified. 0x80090009(-2146893815)
This should be an urgent bug... raising to urgent for investigation.
In order to even enroll a certificate properly, we have to import and trust the CA's certificate. If this is done, I'm sure this problem does not happen.
Chandra and I kicked this around. The CA's EE UI provides a fairly easy way to import and trust the CA's cert chain. This should make the main thrust of this issue go away. The end of the report mentions some funny behavior when picking a key size too big for the selected provider. I believe we have another bug open for that issue with Andrew. We could pursue that there.
Therefore close this for now, but we can bring it back if we decide to later.
Okay, I realized a mistake I was making.
Instead of doing an "Import CA certificate chain", I navigated to List Certificates -> then pointed to 0x1 (CA cert) -> Import into browser.
- From the EE "Retrieval" tab, if I select "Import the CA chain" and choose to auto-select the certificate store to import it into -> it'll import into "Intermediate Certificate Authorities" instead of "Trusted Root Certificate Authorities", citing self-signed as the reason. (On XP, if we auto-select, the CA cert is installed in "Trusted Root Certificate Authorities".)
- Of course, on Vista, if we select "Place all certificates in the following store" and point to "Trusted Root Certificate Authorities", the root CA installs fine there.
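
An added diagnostic for the store placement described in the last comment (example code, not part of the original bug thread or the product): it lists certificates in the Intermediate store whose subject equals their issuer and reports whether the same certificate is also present in Trusted Root. Matching subject and issuer is used here as a heuristic for "self-signed"; the signature itself is not verified.

```powershell
# Added example, not from the bug thread.
# Finds root-style certificates (Subject == Issuer) that were placed in the
# Intermediate Certification Authorities store ("CA") and checks whether the
# same certificate also exists in Trusted Root Certification Authorities ("Root").
# Assumption: Subject == Issuer is treated as "self-signed"; no signature check is done.

foreach ($location in 'CurrentUser', 'LocalMachine') {
    # Thumbprints of everything currently trusted as a root in this location
    $rootThumbprints = @(Get-ChildItem "Cert:\$location\Root" |
        ForEach-Object { $_.Thumbprint })

    # Self-issued certificates sitting in the Intermediate store
    Get-ChildItem "Cert:\$location\CA" |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object @{ Name = 'Location';   Expression = { $location } },
                      Subject,
                      Thumbprint,
                      NotAfter,
                      @{ Name = 'AlsoInRoot'; Expression = { $rootThumbprints -contains $_.Thumbprint } }
}
```

A row with `AlsoInRoot` set to `False` is a self-issued CA certificate that is present only as an intermediate, so chains ending in it are not anchored in a trusted root, which matches the 0x800b0109 error quoted above.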