Following on from Enterprise CA Certificate request error, where I've installed a new SHA2 CA on Windows 2012 R2 along with CA Web Enrollment, I'm now able to request certificates from an external browser and issue these successfully from the CA console. However, when I go back to check the status of a pending certificate request and attempt to install it, it redirects to http://CertificateAuthority/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Mode=inst&Enc=b64 and displays an HTTP 500 Internal Server Error page.
I've modified the web.config of the CertSrv site to change the error mode to "detailed", but it simply displays the above page. In the W3SVC1 log for this site I can see the following error:
Software: Microsoft Internet Information Services 8.5 Version: 1.0 Date: 2017-04-06 10:21:24 Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-04-06 10:21:24 83.231.185.99 GET /certsrv/certnew.cer ReqID=CACert&Renewal=0&Mode=inst&Enc=b64|5|ASP_0126|Include_file_not_found 443 - 172.21.51.241 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://CertificateAuthority/certsrv/certfnsh.asp 500 0 0 234
2017-04-06 10:24:12 83.231.185.99 POST /certsrv/certfnsh.asp - 443 - 172.21.51.241 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://CertificateAuthority/certsrv/certckpn.asp 200 0 0 124
2017-04-06 10:24:17 83.231.185.99 GET /certsrv/certnew.cer ReqID=CACert&Renewal=0&Mode=inst&Enc=b64|5|ASP_0126|Include_file_not_found 443 - 172.21.51.241 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://CertificateAuthority/certsrv/certfnsh.asp 500 0 0 15
I want to read from this that a file isn't found, but this is where I need help.
When attempting to open the certnew.cer file in C:\Windows\System32\certsrv, I'm shown the message:
Invalid Public Key Security Object File - This file is invalid for use as the following: Security Certificate.
However, I also don't appear to be able to open this on an existing, working old CA where I'm not seeing this issue, so I get the feeling this is expected!?
Clicking on the install link from a browser on the CA server itself and on other internal servers installs this fine, so by the looks of it this is an external-only issue.
Any ideas?
After spending all that time writing this question out, I found out the issue.... Doh!
For a reason I can't quite remember, but which I know was required in order to address an error I was seeing, I had to move all files from C:\Windows\System32\certsrv\en-US to C:\Windows\System32\certsrv, but in doing so I had to modify all .asp files to point to certdat.inc rather than ..\certdat.inc, for obvious reasons. What I didn't realize was that the .cer, .p7b and .crl files in this directory are not actually certificate files and are in fact also editable, containing this same ..\certdat.inc path as above. As soon as I changed this to certdat.inc, I was able to install the certificates from the website.
The fact that I could successfully install this internally threw me a little, as I wouldn't expect to be able to do this considering the issue, regardless of computer location (internal/external), but obviously that wasn't the case.
.....Always learning.
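As an added illustration (not part of the original question or answer), here is a small Python check that walks a certsrv web root and reports every classic-ASP `#include` directive whose target does not resolve, which is the condition IIS logs as ASP_0126 Include_file_not_found above. The `<!-- #include FILE="..." -->` directive shape and the file layout in the constructed sample tree are assumptions; point find_broken_includes at the real C:\Windows\System32\certsrv to check a live server.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example: CertSrv ships .cer/.p7b/.crl alongside .asp as ASP-processed templates,
# all pulling in certdat.inc through a server-side include (per the post above).
TEMPLATE_EXTS = {".asp", ".cer", ".p7b", ".crl", ".inc"}

# Classic ASP SSI directive, e.g. <!-- #include FILE="..\certdat.inc" --> (form assumed).
INCLUDE_RE = re.compile(
    r"<!--\s*#include\s+(file|virtual)\s*=\s*\"?([^\"\s>]+)\"?\s*-->", re.IGNORECASE
)


def find_broken_includes(root: str) -> Dict[str, List[str]]:
    """Map each template under root (relative path) to include targets it cannot resolve.
    'file' includes resolve against the including file's directory; 'virtual' includes
    resolve from the site root (assumed to be `root`). Unresolvable == ASP_0126.
    """
    root_path = Path(root)
    broken: Dict[str, List[str]] = {}
    for path in root_path.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEMPLATE_EXTS:
            continue
        text = path.read_text(encoding="utf-8", errors="ignore")
        for kind, target in INCLUDE_RE.findall(text):
            rel = target.replace("\\", "/").lstrip("/")  # directive uses Windows separators
            base = root_path if kind.lower() == "virtual" else path.parent
            if not (base / rel).exists():
                broken.setdefault(str(path.relative_to(root_path)), []).append(target)
    return broken


def demo() -> Dict[str, List[str]]:
    """Reproduce the post's mistake in a constructed temp tree: certdat.inc sits at the
    root, en-US\\certnew.cer validly includes ..\\certdat.inc, the copy moved up breaks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "certsrv"
        (root / "en-US").mkdir(parents=True)
        (root / "certdat.inc").write_text("<% ' constructed stub %>")
        moved = '<!-- #include FILE="..\\certdat.inc" -->'
        (root / "en-US" / "certnew.cer").write_text(moved)   # still valid here
        (root / "certnew.cer").write_text(moved)             # moved without rewrite
        (root / "certfnsh.asp").write_text('<!-- #include FILE="certdat.inc" -->')
        return find_broken_includes(str(root))
```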