Advanced Certification Request in Edge Chromium

New Contributor

Hi,

I am trying to request advanced certificate from certification authority via Edge Chromium (version 83.0.478.58). The CA supports only http connection. I am connecting to CA in IE mode. The CA is in the Intranet zone. When I clicked on the link "Create and submit a request to this CA" the information "The Web site is attempting to perform a digital certificate operation on your behalf...." was not displayed and on the page with Advanced Certificate Request the CSP field did not display providers there was only Loading message. In IE on the same computers everything works fine.  Could you please give me some advice how to solve this issue in Edge Chromium? 

 

 

14 Replies
Hi,
I don't think the IE mode inside Edge supports the intranet sites settings. though you can request your certificate in the normal Edge mode, i.e without going through the IE mode.

@HotCakeX  thank you for response.

In normal Edge mode when I clicked on advanced certificate request I was directly redirected to "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. " page.

The page where I have option to select "Create and submit a request to this CA. " or  "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file. " was not displayed.

 

@VjekoV 

I think this is technological limitation of Edge Chromium, it doesnt support needed technology (ActiveX).

The Web Enrollment role hasn't goten virtually any update since WS 2008 , seems development of it is pretty abandoned. Just keep some IE's.

https://docs.microsoft.com/en-us/troubleshoot/browsers/csp-shows-loading-for-certificate-request

 

@Andres Pae 

Thank you for response. We are trying to simplify environment as much as possible but it seems that vision to have only one web browser is not realistic.

@VjekoV  I got little more information from MS.

Indeed - the webpage hasnt gotten any recent updates to make it compatible with Edge. Currently IE engine is present on all supported MS Windows OS'es , and remains there until lifecycle ends. So "easy" solution is to remeber to open certificate enrollment page always with IE. If You need more Enterprise solution - You should investigate Edge IE  Enterprise mode ( which allows automatic redirection/opening of listed sites in IE) - https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie...

 

@Andres Pae 

I do realize this is an old post, but here we are 2021 October and now Windows 11 doesn't include IE at all. Haven't had a chance to try Server 2021 to see if its pki finally fixed this problem? Seems like a MASSIVE miss if it doesn't fix the problem.

I couldn't agree more, March 2022 now and Microsoft has dropped the ball on updating the ancient Certificate self service portal big time, they have not done anything with PKI since ripping it out of Exchange way back in the day, and digitial certs are mainstream now, I guess they just want us to go Commercial, think GoDaddy and DigiCert and the like

@J 1901 Commercial (at least standard solution)  is no option for company using PKI heavily in infra ( for example automatically enrolling and renewing user/device certificates , 802.1X authentication, etc) . And this part is working well. If Your company size is thousands of endpoints it should be handled automatically ( GPO, certificate templates does great job here) BUT some part is stuck in history which makes entire MS PKI solution not modern :( .  

Why is this still not addressed? Every time I perform a certificate operation, I'm reminded that support for IE is ending June 15, and Edge still doesn't perform this task. Is Microsoft asleep at the wheel on this? How are they retiring a security-critical dependency without replacing it? IE 11 was released in 2013 so they've had nearly TEN YEARS to solve this or to document whatever replacement they've implemented to those still dependent upon an expiring product. Please tell me that I'm the one being stupid and just missing the answer somehow?

@Keith_D I wish you were wrong and a solution would have been published.  However, I too am in this same situation where I have a major dependence upon the MS internal CA and would really like to have an easy way for us to continue using this service.  A replacement has been avoided due to the institutional impact and complicated change management.  If there is any update on this I would really appreciate a follow-up post.

i have same issue my website not open well in microsoft edge with ssl https://www.mp3juice.blue/ can you please take a look here what is issue

@saraalex - I'm afraid you're having a very different and unrelated problem with your website. The problem being discussed in this thread isn't related to trouble with websites on the internet not working correctly in the Edge browser, so you'll need to seek help with that on another post or forum related to whatever the problem is that you're having with Edge on your website. You might be better off seeking help for that kind of issue on one of the website developer help forums, as the users on those sites will have a lot more experience in that area.

 

I can tell you that the certificate for your website was issued by Cloudflare on July 10th, and there are no problems with your website certificate according to the certificate checkers at sslshopper.com, digicert.com, thesslstore.com, or Qualys' ssllabs.com, and Cloudflare doesn't use the Windows Certificate Authority for issuing those certificates. If you were having the problem we're discussing here, you wouldn't have a certificate on your website because you wouldn't be able to get one in the first place because of this issue.

 

What we're talking about here is a problem with the Microsoft Windows Certificate Authority product that's built into Windows Server, which still requires using Microsoft Internet Explorer for some of its functionality despite Microsoft having retired Internet Explorer and no longer shipping it with any of the latest versions of Windows. Their current certificate authority product is not compatible with any currently supported web browser available in their latest operating systems despite that product still being shipped in their latest operating systems with that requirement. It's a catch-22 for Windows server and network administrators who use the Windows Certificate Authority product.

I hope that helps.

It's crazy that a core Microsoft security-related application still has an ActiveX dependency in 2022

@NickF101 It's not actually an ActiveX dependency - you can disable ActiveX completely in IE and this will still work. It's the authentication mechanism used by the Certificate Authority's webpage. Edge doesn't support that authentication mechanism and neither does any other browser but Internet Explorer.

 

The setting in Internet Explorer is in Internet Options -> Security -> Custom Level... -> User Authentication -> Logon (scroll to the very bottom of the list). It requires one of the options that allows you to authenticate through the web browser to the server so it can perform the CA operations under your AD credentials. This is not supported in anything but Internet Explorer to my knowledge, and I haven't ever found any documentation from Microsoft on how to replicate this functionality in any other way for the Certificate Authority's web interface.