4.2. Configuring Internet Explorer to Enroll Certificates

Because of the security settings in Microsoft Windows, requesting and enrolling certificates through the end-entities pages using Internet Explorer requires additional browser configuration. The browser has to be configured to trust the CA before it can access the CA's end-entities pages.

4.2.1. About Key Limits and Internet Explorer

Microsoft uses certain cryptographic providers which support only a subset of potential key sizes for RSA and for ECC keys. These are listed in Table 4.1, “Providers and Key Sizes”.
The key size support can impact the configuration of profiles that will be used with Internet Explorer. Configuring profiles is covered in Chapter 2, Making Rules for Issuing Certificates (Certificate Profiles).

Table 4.1. Providers and Key Sizes

Algorithm | Provider                                  | Supported Key Sizes
----------+-------------------------------------------+------------------------------
ECC       | Microsoft Software Key Storage Provider   | nistp256, nistp384, nistp521
ECC       | Microsoft Smart Card Key Storage Provider | nistp256, nistp384, nistp521
RSA       | Microsoft Base Cryptographic Provider     | 1024
RSA       | Microsoft Strong Cryptographic Provider   | 1024, 2048, 3072, 4096, 8192
RSA       | Enhanced Cryptographic Provider           | 1024, 2048, 3072, 4096, 8192
RSA       | Microsoft Software Key Storage Provider   | 1024, 2048, 3072, 4096, 8192

4.2.2. Configuring Internet Explorer

  1. Open Internet Explorer.
  2. Open Tools → Internet Options → Advanced → Security, and unselect TLS 1.2.
  3. Import the CA certificate chain.
    1. Open the unsecured end services page for the CA, for example:
      http://server.example.com:8080/ca/ee/ca
    2. Click the Retrieval tab.
    3. Click Import CA Certificate Chain in the left menu, and then select Download the CA certificate chain in binary form.
    4. When prompted, save the CA certificate chain file.
    5. In the Internet Explorer menu, click Tools, and select Internet Options.
    6. Open the Content tab, and click the Certificates button.
    7. Click the Import button. In the import window, browse for and select the imported certificate chain.
      The import process prompts for which certificate store to use for the CA certificate chain. Select Automatically select the certificate store based on the type of certificate.
    8. Once the certificate chain is imported, open the Trusted Root Certificate Authorities tab to verify that the certificate chain was successfully imported.
  4. Configure Internet Explorer to prompt before allowing unsafe ActiveX controls to be used for scripting. If this is not allowed and an end entity attempts to enroll a certificate through the standard (non-SSL) end-entities pages, Internet Explorer blocks those pages.
    1. In the Internet Explorer menu, click Tools and select Internet Options.
    2. Open the Security tab and click Custom Level.
    3. In the ActiveX Controls and Plugins area, change the value of the Initialize and script ActiveX controls not marked as safe setting to Prompt.
  5. After the certificate chain is imported, Internet Explorer can access the secure end services pages. Open the secure site, for example:
    https://server.example.com:8443/ca/ee/ca
  6. There will probably be a security exception when opening the end services pages. Add the CA services site to Internet Explorer's Trusted Sites list.
    1. In the Internet Explorer menu, click Tools, and select Internet Options.
    2. Open the Security tab and click Sites to add the CA site to the trusted list.
    3. Set the Security level for this zone slider for the CA services page to Medium-High; if this security setting is too restrictive in the future, then try resetting it to Medium.
  7. Open Tools → Compatibility View Settings, and enable Compatibility View for the CA site by adding it to the list.
  8. Close the browser.
To verify that Internet Explorer can be used for enrollments, try enrolling a user certificate as described in Section 4.3.1, “Requesting and Receiving a User or Agent Certificate through the End-Entities Page”.
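The certificate import and zone changes in steps 3, 4 and 6 can also be applied and then checked from PowerShell, which makes the resulting trust configuration reviewable rather than a sequence of clicks. The script below is an added example and is not part of the Red Hat Certificate System documentation. It assumes the chain saved in step 3.4 is at C:\Temp\ca-chain.p7b (a placeholder path), that the CA host is server.example.com as used in this section, that the thumbprint of the CA's root certificate has been obtained from the CA administrator, and that it runs as the user who will use Internet Explorer (all settings are per-user).

```powershell
# Added example (not from the documentation): script the trust-store and zone steps of
# Section 4.2.2 and verify the result. Placeholder values are marked as such.

$ChainFile = 'C:\Temp\ca-chain.p7b'    # placeholder: file saved in step 3.4
$CaHost    = 'server.example.com'      # assumed to be a fully qualified host name

# The chain is fetched from the *unsecured* end-entities page (step 3.1), so the root
# fingerprint must be confirmed out of band before it is trusted. Fill this in from the
# CA administrator; an empty value aborts the import.
$ExpectedRootThumbprint = ''

# --- Step 3: put each certificate of the chain in the store that matches its type, which
# is what the wizard's "Automatically select the certificate store" option does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$chain.Import($ChainFile)

# A self-signed certificate (Subject = Issuer) is treated as the root of the chain.
$root = $chain | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
if (-not $root) { throw "No self-signed root certificate found in $ChainFile" }
if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
    throw "Root thumbprint $($root.Thumbprint) does not match the expected value; not importing"
}

foreach ($cert in $chain) {
    # Root -> Trusted Root Certification Authorities ('Root'); others -> Intermediate CAs ('CA').
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'CurrentUser')
    $store.Open('ReadWrite')
    $store.Add($cert)        # adding a certificate that is already present is a no-op
    $store.Close()
}

# --- Steps 4 and 6: zone configuration. Internet Explorer numbers its zones
# 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$ZonesKey         = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$TrustedSitesZone = 2

# Step 6: map the CA site into Trusted sites. The ZoneMap layout is
# Domains\<domain>\<host>, one value per scheme whose data is the zone number. Only https
# is mapped, so the unsecured :8080 page stays in the Internet zone.
$hostLabel = $CaHost.Split('.')[0]
$domain    = $CaHost.Substring($hostLabel.Length + 1)
$mapKey    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
New-Item -Path $mapKey -Force | Out-Null
New-ItemProperty -Path $mapKey -Name 'https' -Value $TrustedSitesZone -PropertyType DWord -Force | Out-Null

# Step 4: "Initialize and script ActiveX controls not marked as safe for scripting" is
# zone action 1201 (0 = Enable, 1 = Prompt, 3 = Disable). The documentation does not say
# which zone to change; changing it only in Trusted sites, after the CA site has been
# added there, leaves the Internet zone at its default of Disable.
New-ItemProperty -Path "$ZonesKey\$TrustedSitesZone" -Name '1201' -Value 1 -PropertyType DWord -Force | Out-Null

# --- Verification: the check of step 3.8, plus a read-back of the registry changes.
$inRoot = Get-ChildItem Cert:\CurrentUser\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inRoot) { throw 'Root certificate is not in Trusted Root Certification Authorities' }
$zone = (Get-ItemProperty -Path $mapKey).https
$ax   = (Get-ItemProperty -Path "$ZonesKey\$TrustedSitesZone").'1201'
"Root    : $($root.Subject) [$($root.Thumbprint)]"
"Zone    : https://$CaHost mapped to zone $zone (expected $TrustedSitesZone)"
"ActiveX : action 1201 in zone $TrustedSitesZone = $ax (expected 1 = Prompt)"
```

The TLS checkbox of step 2, the security level slider of step 6.3 and the Compatibility View list of step 7 are left to the Internet Options dialogs; the script covers the parts where a mistake has a lasting effect on what the user's browser trusts, and the thumbprint check is the piece the wizard does not ask for.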