Bug 509998 - attempt to import user certificate in IE on vista fails with error.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: CA
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: medium
Target Milestone: ---
Assignee: Jack Magne
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 443788
Reported: 2009-07-07 10:53 UTC by Kashyap Chamarthy
Modified: 2015-01-04 23:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-07 22:57:41 UTC
Embargoed:



Description Kashyap Chamarthy 2009-07-07 10:53:02 UTC
Description of problem:

Attempt to import user certificate in IE on Vista fails with error.

On IE7:

- When I access the secure end entity page, I get a VBScript pop-up:
  "Can't create CSP List Object! Error:438:Object doesn't support this property or method"
  and then it asks me to install an ActiveX control.

I made the changes below in the browser:
- Then I turned off the pop-up blocker.
- I lowered the security level for this zone under the "Security" tab to Low (so that all active content can run).
- In the security settings under "ActiveX controls and plug-ins", I enabled scriptlets and "Allow previously unused ActiveX controls to run without prompt", and enabled "download unsigned ActiveX controls".

Test:

(1)Base Cryptographic Provider v1.0(2048) - OK

- Importing the certificate into IE7 fails with the error below (despite lowered security controls and allowing pop-ups). I tried to

Error in IntallResponse. Error Number 800B0109 occurred.CertEnroll::CX509Enrollment::p_InstallResponse:A Certificate
chain processed, but terminated in a root certificate which is not trusted by the trust provider.0x800b0109(-2146762487)

*NOTE*: The import of the user certificate was successful only when I manually installed the base64 cert of the CA root cert.

==============================================
(2)Base Cryptographic Provider v1.0(2048) - Not OK (just the same as XP)
Error Creating Request! Error: -2146893815
:CertEnroll::CX509Enrollment::p_CreateRequest:Invalid flags specified. 0x80090009(-2146893815)

Comment 1 Chandrasekar Kannan 2009-07-07 21:59:03 UTC
This should be an urgent bug... raising to urgent for investigation.

Comment 2 Jack Magne 2009-07-07 22:32:59 UTC
In order to even enroll a certificate properly, we have to import and trust the CA's certificate. If this is done, I'm sure this problem does not happen.

Comment 3 Jack Magne 2009-07-07 22:57:41 UTC
Chandra and I kicked this around. The CA's EE UI provides a fairly easy way to import and trust the CA's cert chain. This should make the main thrust of this issue go away. The end of the report mentions some funny behavior when picking a key size too big for the selected provider. I believe we have another bug open for that issue with Andrew. We could pursue that there.

Therefore close this for now, but we can bring it back if we decide to later.

Comment 4 Kashyap Chamarthy 2009-07-08 11:30:20 UTC
Okay, I realized a mistake I was making.
Instead of doing an "Import CA certificate chain", I navigated to List Certificates -> then pointed to 0x1 (CA cert) -> Import into browser.

- From the EE "Retrieval" tab, if I select "Import the CA chain" and choose to auto-select the certificate store to import it into, it will import into "Intermediate Certificate Authorities" instead of "Trusted Root Certificate Authorities", citing self-signed as the reason. (On XP, if we auto-select, the CA cert is installed in "Trusted Root Certificate Authorities".)

- Of course, on Vista, if we select "Place all certificates in the following store" and point to "Trusted Root Certificate Authorities", the root CA installs fine there.
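
The trust condition discussed in Comments 2 to 4, as an added PowerShell example that is not part of the original bug report or of Dogtag: it reports which Windows certificate store holds the CA certificate and whether the issued user certificate chains to a trusted root. The two file names are hypothetical, and the script assumes PowerShell with the .NET X509 classes available.

```powershell
# Added example. File names are hypothetical; run as the enrolling user.
param(
    [string]$CaCertPath   = '.\ca-root.cer',   # assumption: CA cert saved from the EE page
    [string]$UserCertPath = '.\user-cert.cer'  # assumption: issued user certificate
)
$x509 = 'System.Security.Cryptography.X509Certificates'

function Test-CertInStore($Cert, [string]$StoreName, [string]$Location) {
    # True if a certificate with the same thumbprint is in the given store.
    $store = New-Object "$x509.X509Store" -ArgumentList $StoreName, $Location
    $store.Open('ReadOnly')
    try {
        $hits = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        return ($hits.Count -gt 0)
    } finally { $store.Close() }
}

$ca   = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $CaCertPath).Path
$user = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $UserCertPath).Path

# Name-based heuristic: a root certificate is self-issued (subject equals issuer).
$selfIssued = ($ca.Subject -eq $ca.Issuer)

# 'Root' is the trusted-root store; 'CA' is the intermediate store.
$locations = @('CurrentUser', 'LocalMachine')
$inRoot = @($locations | Where-Object { Test-CertInStore $ca 'Root' $_ })
$inCA   = @($locations | Where-Object { Test-CertInStore $ca 'CA' $_ })

"CA cert self-issued        : $selfIssued"
"In Root (trusted roots)    : $(if ($inRoot) { $inRoot -join ', ' } else { 'no' })"
"In CA (intermediate store) : $(if ($inCA) { $inCA -join ', ' } else { 'no' })"
if ($selfIssued -and $inCA -and -not $inRoot) {
    'Self-issued CA cert is only in the intermediate store, so it is not a trust anchor.'
}

# Build the user certificate's chain against the Windows stores (no revocation check).
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($user)
"User cert chain trusted    : $trusted"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
if ($chain.ChainStatus | Where-Object { $_.Status -eq 'UntrustedRoot' }) {
    'UntrustedRoot is the condition the description reports as 0x800B0109.'
}
```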

