This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 16%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
We are using a Windows Server 2012 R2 as Windows CA for our Windows 10 environment.
Certificates are getting automatically enrolled through GPO which is great, unless you get Mac devices in your environment.
To get them the required User and Machine certificate we have installed the WebEnrollment environment but we have some problems.
First when you browse to the website with Safari, Chrome or Firefox you get a certificate error, that certificate is not valid.
We thought let's download the CA certificate first through the website and trust it on the Mac device but the certificate error is still there.
So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?
Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
Request Mode:
newreq NN - New Request (keygen)
Disposition:
(never set)
Disposition message:
(none)
Result:
Invalid pointer 0x80004003 (-2147467261 E_POINTER)
COM Error Info:
CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER)
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No suggestions.
Who can help me out?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @Stijn ,
Good day!
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 50%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJU%3C/text%3E%3C/svg%3E)
Is this problem resolved? I have the same issue Windows Server 2022 EN.
AD CS installed with WEB Enrollment role, IIS on the same server. Connection is not secure.
The same screens as Stijn.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 6%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDL%3C/text%3E%3C/svg%3E)
I am running into the same exact problem, Windows 2016 server.
Did anyone resolve this problem?
Hello @Stijn ,
Thank you for posting here.
Here are the answers for your references.
Q1: So we tried to visit it from a Windows machine and yes also there we get the error that the certificate is not valid. Which certificate you need to bind in IIS?
A1: We can check whether this certificate is valid or not.
For example:
1.Who is this certificate issued to?
2.When will the certificate expire? When will the root certificate expire?
3.What certificate template was used to issue this certificate?
4.Is the status of the certificate normal?
5.Verify the certificate by running the command: certutil -verify "the full path of certificate file"
Q2: Second the user can only select the standard User Certificate from the web portal and not our custom User and Machine certificate. How can we change this?
A2: Check the permissions on custom certificates and ensure issued these certificate templates.
Q3: Third when the user click on the standard User Certificate, he/she can't choose the key strength and when you click submit you get this error:
Your request failed. An error occurred while the server was processing your request.
Contact your administrator for further assistance.
A3:
1.What do we mean "key strength"? Do you mean "Key Size"?
2.Can we select the CSP on the screenshot above?
3.Whether all the users encountered the same issue on all the domain joined machines?
Best Regards,
Daisy Zhou
Hello @Daisy Zhou
Thanks for the help and information. In IIS the Root CA certificate itself was binded with the https website.
So I created a duplicate from the standard webserver certificate and set following options
I binded this certificate to IIS but when I visit the certsrv website I still get the certificate invalid error
When I want to reguest a certificate I only can select User Certificate and when I click advanced request, I get other options then you have
When I select the User Certificate there is no key strength defined
When I click submit
Hello @Stijn ,
Best Regards,
Daisy Zhou
Hello @Daisy Zhou
The FQDN is DMBEHQ0020.domain.local.
Yes I have set the permission but the certificates does not show up in the web page.
Hello,
Best Regards,
Daisy Zhou
Hello,
Please check if we logon this machine and open MMC.exe to request certificate using this certificate template (Copy 2 of Web Server), can you see this (Copy 2 of Web Server)?
Best Regards,
Daisy Zhou