000024429 - Unable to install newly issued not-yet-valid certificate on MSIE 7.0 for Microsoft Vista

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017. Version 2.

Article Content

Article Number: 000024429

Applies To: RSA Certificate Manager
RSA Registration Manager
RSA Certificate Manager OneStep
Microsoft Windows Internet Explorer 7.0
Microsoft Windows Vista
Microsoft Windows Internet Explorer (MSIE) 7.0 on Microsoft Windows Vista has been qualified for digital certificate enrollment with RSA Certificate Manager, Registration Manager, and OneStep.
Issue: Unable to install newly issued not-yet-valid certificate on MSIE 7.0 for Microsoft Vista

MSIE 7.0 on Microsoft Windows Vista does not allow installation of newly issued certificates that are not yet valid. This can happen when (1) certificates are generated immediately after, or soon after, submitting a request to RSA Certificate Manager (possibly through any of the available mechanisms to automatically generate certificates, such as OneStep or auto-vetting templates), and (2) the system time on Microsoft Vista is a few minutes or even a few seconds behind the RSA Certificate Manager system time.

Error code: 0x800b0101 (-2146762495)
Cause: Microsoft has corrected the Vista behavior in hotfix KB945121 (see Microsoft article KB945121 at http://support.microsoft.com/kb/945121) to allow installation of certificates on MSIE when the validity date or time starts in the future. The hotfix, however, requires that the call to the InstallResponse method (belonging to the CertEnroll interface on Vista) use the AllowUntrustedRoot flag (a value of 0x4). Hotfix KB945121 also corrected another issue with the InstallResponse method, in which any InstallResponseRestrictionFlags value other than AllowNone (a value of 0x0) failed on Vista; for this reason, RSA Certificate Manager had used the AllowNone (0x0) flag in its calls to InstallResponse.
Resolution: This issue has been fixed in RCM 6.7 build 422 and later versions.

To allow installation of newly issued certificates on Vista when the Vista system time might be behind the RSA Certificate Manager system time, apply the Microsoft-recommended fix (either hotfix KB945121, http://support.microsoft.com/kb/945121, or a more recent fix or service pack) on Vista, AND update all calls to the InstallResponse method in the RSA Certificate Manager, RSA Registration Manager, and/or RSA OneStep enrollment pages to use the AllowUntrustedRoot flag.

For example, take the following steps to fix the issue on RSA Certificate Manager for standard certificate enrollment and installation:

1. Inform your Vista users (perhaps on the enrollment page) that they must apply the Microsoft-recommended fix KB945121 (or a more recent fix or service pack for Vista that resolves the bug with the InstallResponse method) before making a certificate request, and that otherwise they will not be able to install new certificates.

2. Update all InstallResponse(0, ...) calls to InstallResponse(4, ...) in the RSA Certificate Manager enrollment pages. There are two places in the <RCM-install-dir>\WebServer\enroll-server\icontrol.vbs file where InstallResponse is called.

Note that using the AllowUntrustedRoot flag (value 0x4) in the InstallResponse method also allows installation of new certificates without first trusting the root CA (which is the expected behavior of AllowUntrustedRoot); in that case the root CA certificate is placed in the 'Intermediate Certification Authorities' store rather than in 'Trusted Root Certification Authorities'.
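Added example for step 2, not part of the RSA article or the product: a Python script that audits a VBScript enrollment page for InstallResponse calls whose first argument lacks the AllowUntrustedRoot (0x4) bit and rewrites them, run here against a constructed excerpt shaped like an enrollment page rather than the real icontrol.vbs. The flag names beyond AllowNone and AllowUntrustedRoot are the remaining members of the CertEnroll InstallResponseRestrictionFlags enumeration.

```python
import re

# InstallResponseRestrictionFlags of the CertEnroll IX509Enrollment interface. The
# article names AllowNone (0x0) and AllowUntrustedRoot (0x4); the others are the
# remaining members of that enumeration.
FLAG_NAMES = {0x1: "AllowNoOutstandingRequest", 0x2: "AllowUntrustedCertificate",
              0x4: "AllowUntrustedRoot"}
ALLOW_UNTRUSTED_ROOT = 0x4

# First argument of InstallResponse(...): a decimal or VBScript &H hex literal.
CALL_RE = re.compile(r"(?P<pre>\bInstallResponse\s*\(\s*)"
                     r"(?P<flag>&H[0-9A-Fa-f]+|\d+)(?P<post>\s*,)", re.IGNORECASE)

def parse_flag(literal: str) -> int:
    """Decode a VBScript integer literal such as 4 or &H4."""
    return int(literal[2:], 16) if literal.upper().startswith("&H") else int(literal)

def describe(value: int) -> str:
    """Name the restriction bits set in value; 0 is AllowNone."""
    names = [n for bit, n in FLAG_NAMES.items() if value & bit]
    return "|".join(names) if names else "AllowNone"

def audit(vbs_text: str) -> list:
    """(line number, flag names, has AllowUntrustedRoot) for every call found."""
    findings = []
    for lineno, line in enumerate(vbs_text.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            value = parse_flag(m.group("flag"))
            findings.append((lineno, describe(value), bool(value & ALLOW_UNTRUSTED_ROOT)))
    return findings

def remediate(vbs_text: str) -> tuple:
    """OR AllowUntrustedRoot into every call lacking it; returns (new text, count)."""
    changed = 0
    def fix(m):
        nonlocal changed
        value = parse_flag(m.group("flag"))
        if value & ALLOW_UNTRUSTED_ROOT:
            return m.group(0)          # already compliant, leave untouched
        changed += 1
        return f"{m.group('pre')}{value | ALLOW_UNTRUSTED_ROOT}{m.group('post')}"
    return CALL_RE.sub(fix, vbs_text), changed

# Constructed excerpt shaped like an enrollment page; not the real icontrol.vbs.
SAMPLE_VBS = """Set objEnroll = CreateObject("X509Enrollment.CX509Enrollment")
Call objEnroll.InstallResponse(0, strCert, XCN_CRYPT_STRING_BASE64, "")
' renewal path
Call objEnroll.InstallResponse( 0 , strRenewed, XCN_CRYPT_STRING_BASE64, "" )
Call objEnroll.InstallResponse(&H4, strOther, XCN_CRYPT_STRING_BASE64, "")
"""
```

Run the audit before and after the change so that the two occurrences the article mentions are accounted for and nothing else was touched.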

RSA has reviewed the changes and fixes made by Microsoft in CertEnroll interface for Vista and included a fix in RSA Certificate Manager, RSA Registration Manager, and RSA OneStep 6.7 build 422 and later versions.
Notes: For more details on the InstallResponse method of the CertEnroll interface on Vista, see http://msdn2.microsoft.com/en-us/library/aa378051(VS.85).aspx.
CERTMGR-3312
Legacy Article ID: a38706
