5.3. Configuring Internet Explorer to Enroll Certificates
Warning
The following procedure is no longer supported and only kept for reference. This functionality has been deprecated from Internet Explorer 11, and Microsoft has ended support for IE 10.
Because of the security settings in Microsoft Windows, requesting and enrolling certificates through the end entities pages using Internet Explorer requires additional browser configuration. The browser has to be configured to trust the CA before it can access the CA's end-entities pages.
5.3.1. About Key Limits and Internet Explorer
Microsoft uses certain cryptographic providers which support only a subset of potential key sizes for RSA and for ECC keys. These are listed in Table 5.1, “Providers and Key Sizes”.
The key size support can impact the configuration of profiles that will be used with Internet Explorer. Configuring profiles is covered in Chapter 3, Making Rules for Issuing Certificates (Certificate Profiles).
Table 5.1. Providers and Key Sizes

Algorithm | Provider | Supported Key Sizes
---|---|---
ECC | Microsoft Software Key Storage Provider |
ECC | Microsoft Smart Card Key Storage Provider |
RSA | Microsoft Base Cryptographic Provider |
RSA | Microsoft Strong Cryptographic Provider |
RSA | Enhanced Cryptographic Provider |
RSA | Microsoft Software Key Storage Provider |
5.3.2. Configuring Internet Explorer
- Open Internet Explorer.
- Open , and unselect TLS 1.2.
- Import the CA certificate chain.
  - Open the unsecured end services page for the CA, for example:
    http://server.example.com:8080/ca/ee/ca
  - Click the Retrieval tab.
  - Click Import CA Certificate Chain in the left menu, and then select Download the CA certificate chain in binary form.
  - When prompted, save the CA certificate chain file.
  - In the Internet Explorer menu, click, and select .
  - Open the Content tab, and click the Certificates button.
  - Click the Import button. In the import window, browse for and select the downloaded certificate chain. The import process prompts for which certificate store to use for the CA certificate chain. Select Automatically select the certificate store based on the type of certificate.
  - Once the certificate chain is imported, open the Trusted Root Certificate Authorities tab to verify that the certificate chain was successfully imported.
- Configure Internet Explorer to prompt before allowing unsafe ActiveX controls to be used for scripting. If this is not allowed and an end entity attempts to enroll a certificate in the standard (non-SSL) end-entities pages, Internet Explorer will block these pages.
  - In the Internet Explorer menu, click, and select .
  - Open the Security tab and click Custom Level.
  - In the ActiveX Controls and Plugins area, change the value of the Initialize and script ActiveX controls not marked as safe setting to Prompt.
- After the certificate chain is imported, Internet Explorer can access the secure end services pages. Open the secure site, for example:
  https://server.example.com:8443/ca/ee/ca
- There is probably a security exception when opening the end services pages. Add the CA services site to Internet Explorer's Trusted Sites list.
  - In the Internet Explorer menu, click, and select .
  - Open the Security tab and click Sites to add the CA site to the trusted list.
  - Set the Security level for this zone slider for the CA services page to Medium-High; if this security setting is too restrictive in the future, then try resetting it to Medium.
- Open the , and enable the Compatibility View setting by adding the specific site to the list.
- Close the browser.
To verify that Internet Explorer can be used for enrollments, try enrolling a user certificate as described in Section 5.4.1, “Requesting and Receiving a Certificate through the End-Entities Page”.
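As an added example that is not part of the Certificate System documentation, the following PowerShell script imports the saved chain file into the user's Trusted Root store and then reports the per-zone value of the "Initialize and script ActiveX controls not marked as safe" setting, so an administrator can confirm the chain is trusted and see which zone carries the weaker ActiveX setting. The chain file path is a placeholder, and the registry value name (1201), zone numbers and level codes are assumptions drawn from Microsoft's documented IE zone settings rather than from this page.

```powershell
# Added example, not from the Red Hat Certificate System docs.
# Assumes the CA chain saved in the "Import CA Certificate Chain" step is at the placeholder path below.
param(
    [string]$ChainFile = 'C:\Temp\ca-chain.p7b'   # placeholder: file saved from the end-entities Retrieval tab
)

# 1. Import the downloaded chain into the current user's Trusted Root store and show what landed there.
#    Import-Certificate accepts DER (.cer) and PKCS#7 (.p7b) files; it returns the certificates it stored.
$imported = Import-Certificate -FilePath $ChainFile -CertStoreLocation 'Cert:\CurrentUser\Root'
$imported | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. Read the ActiveX "not marked as safe" setting (assumed registry value name 1201) for each zone.
#    Assumed encoding: 0 = Enable, 1 = Prompt, 3 = Disable. Zone 2 = Trusted sites, zone 3 = Internet.
#    The page's Prompt setting should only be needed for the zone that contains the CA site.
$zones = [ordered]@{ 2 = 'Trusted sites'; 3 = 'Internet' }
$base  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($z in $zones.Keys) {
    $p = Get-ItemProperty -Path "$base\$z" -ErrorAction SilentlyContinue
    $raw = if ($null -ne $p) { $p.'1201' } else { $null }
    $activex = if ($null -eq $raw) { '(not set)' }
               elseif ($raw -eq 0) { 'Enable (weakest)' }
               elseif ($raw -eq 1) { 'Prompt' }
               elseif ($raw -eq 3) { 'Disable' }
               else { "unknown ($raw)" }
    # CurrentLevel is the zone's slider; assumed codes: 0x11000 Medium, 0x11500 Medium-High, 0x12000 High.
    $level = if ($null -ne $p -and $null -ne $p.CurrentLevel) { '0x{0:X}' -f $p.CurrentLevel } else { '(not set)' }
    '{0,-14} ActiveX not-marked-safe = {1,-18} slider level = {2}' -f $zones[$z], $activex, $level
}
```

Run it in an elevated or normal user session after saving the chain; a Prompt value on the Internet zone (3) means every site, not just the CA, may trigger the ActiveX prompt.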