000013880 - How do you enroll for an RCM Administrator/Vettor certificate using a SID800 with MS Vista?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000013880
Applies To: RSA Certificate Manager 6.8
Microsoft Windows Vista
RSA Smart Card Middleware
RSA SID 800 Authenticator
RSA SecurID 800 Authenticator
Microsoft Internet Explorer 7.0
Issue: How do you enroll for an RCM Administrator/Vettor certificate using a SID800 with MS Vista?
Issues with enrolling for an RCM Administrator/Vettor certificate in Vista using SID800.
After clicking Submit on the admin enrollment page "<INSTALL-DIR>/WebServer/enroll-server/request-msie-admin.xuda", the page did not change.
Errors in the middleware logs:

2008-12-17 22:06:41.469 1056.1280 [E] HRESULT error encountered: 0x80100030
Cause: With IE 7 on MS Vista, if a certificate is going to be created on a smart card, Microsoft wants the non-export key flag enabled for the certificate/key.
Resolution
To install an RCM Administrator/Vettor certificate onto a SID800 using IE 7 on MS Vista, follow these steps:

1.       Install the middleware in Vista

2.       Re-sign the Admin CA cert so that it has basic constraints

a.       Sign from another CA that allows Basic PKIX-Compliant CA profile:

         i.      Ensure that the CA that you sign from allows another subordinate CA: verify the Path Length Constraint of the signing CA first, otherwise Admin cert verification will fail.

         ii.     Set the path length constraint to 0 for the new Admin CA cert.

b.      Restart sdir.

c.       Re-sign, using self (Admin CA) and keep existing extensions.

d.      Restart sdir

3.       Trust System CA so the enrollment website is trusted

4.       Add the enrollment website to the Trusted Sites in IE

a.       Allow Unsigned ActiveX and Scripts to run for Trusted Sites: set to Prompt

5.       Update Admin enrollment xuda file with new version (RCM 6.8 build 516 or higher)

6.       Uncomment the appropriate lines in the new enrollment xuda page

7.       Enroll for the Admin cert using the SID 800. You will receive many prompts related to running scripts and ActiveX controls due to the Trusted Sites settings.

a.       Select 1024

b.      Select Smart Card provider

c.       Select protect private key = yes

d.      Enter SID 800 PIN

e.      Wait for about a minute

8.       Approve Cert

9.       Visit cert download link

10.   Click Install Root CA cert (unless you have already trusted the Admin CA). You need to manually select trusted root CAs as the storage container.

11.  
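
The path length rules in step 2, as an added example (not RSA code): a small Python model of how basic constraints and path length constraints are evaluated over the chain from the signing CA down to the Administrator certificate. The certificate names and the `Cert`, `check_chain` and `chain_for` helpers are hypothetical, and the model assumes every CA in the chain, including the top one, has its constraint enforced.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:
    """Constructed model holding only the fields this check reads."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint, None = not set


def check_chain(chain: List[Cert]) -> List[str]:
    """Check a chain ordered top CA first, end-entity cert last.

    Assumption: every CA in the chain, including the top one, has its
    path length constraint enforced.
    """
    problems = []
    cas = chain[:-1]
    for i, ca in enumerate(cas):
        if chain[i + 1].issuer != ca.subject:
            problems.append(f"{chain[i + 1].subject}: not issued by {ca.subject}")
        if not ca.is_ca:
            problems.append(f"{ca.subject}: basic constraints do not mark it as a CA")
        # CA certs that sit below this one; self-issued certs do not count.
        below = sum(1 for c in cas[i + 1:] if c.subject != c.issuer)
        if ca.path_len is not None and below > ca.path_len:
            problems.append(f"{ca.subject}: path length constraint {ca.path_len} "
                            f"is exceeded by {below} subordinate CA(s)")
    return problems


def chain_for(signer_path_len, admin_is_ca=True):
    """Constructed chain with hypothetical names: signer -> Admin CA -> admin cert."""
    return [
        Cert("Signing CA", "Signing CA", True, signer_path_len),
        Cert("Admin CA", "Signing CA", admin_is_ca, 0 if admin_is_ca else None),
        Cert("Administrator", "Admin CA"),
    ]


if __name__ == "__main__":
    for label, chain in [("signer pathLen=0", chain_for(0)),
                         ("signer pathLen=1", chain_for(1)),
                         ("Admin CA lacks basic constraints", chain_for(1, False))]:
        print(label, "->", check_chain(chain) or "OK")
```

A signing CA whose own path length constraint is 0 fails the check because the Admin CA counts as a subordinate CA beneath it; an Admin CA with path length 0 still passes because only end-entity certificates sit below it.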

Notes: Other references

Solution: How to successfully enroll for a certificate with IE7 on Microsoft Vista

BZ 117807
Legacy Article ID: a44414
