1.8. Configuring Internet Explorer to Enroll Certificates

Because of the security settings in Microsoft Windows Vista, requesting and enrolling certificates through the end entities pages using Internet Explorer 7 and 8 requires extra browser configuration. The browser has to be configured to trust the CA before it can access the CA's secure end entities pages.

NOTE

This configuration is not necessary to use Internet Explorer 7 and 8 on Microsoft Windows 2000, 2003, or XP.
  1. Open Internet Explorer.
  2. Import the CA certificate chain.
    1. Open the unsecure end services page for the CA.
      http://server.example.com:9180/ca/ee/ca
    2. Click the Retrieval tab.
    3. Click Import CA Certificate Chain in the left menu, and then select Download the CA certificate chain in binary form.
    4. When prompted, save the CA certificate chain file.
    5. In the Internet Explorer menu, click Tools, and select Internet Options.
    6. Open the Content tab, and click the Certificates button.
    7. Click the Import button. In the import window, browse for and select the imported certificate chain.
      The import process prompts for which certificate store to use for the CA certificate chain. Select Automatically select the certificate store based on the type of certificate.
    8. Once the certificate chain is imported, open the Trusted Root Certificate Authorities tab to verify that the certificate chain was successfully imported.
  3. After the certificate chain is imported, Internet Explorer can access the secure end services pages. Open the secure site.
    https://server.example.com:9444/ca/ee/ca
  4. There is probably a security exception when opening the end services pages. Add the CA services site to Internet Explorer's Trusted Sites list.
    1. In the Internet Explorer menu, click Tools, and select Internet Options.
    2. Open the Security tab, and click Sites to add the CA site to the trusted list.
    3. Set the Security level for this zone slider for the CA services page to Medium; if this security setting is too restrictive in the future, then try resetting it to Medium-low.
  5. Close the browser.
To verify that Internet Explorer can be used for enrollments, try enrolling a user certificate:
  1. Open the Certificate Manager's end-entities page.
    https://server.example.com:9444/ca/ee/ca
  2. Select the Manual User Dual-Use Certificate Enrollment form.
  3. Fill in the user information, and click Submit.
  4. If the request is successfully submitted, the CA will return a request number for the request with a message that it was successfully submitted to the CA and awaiting approval.