Jul 14 2020 03:55 AM
I am trying to request an advanced certificate from a certification authority via Edge Chromium (version 83.0.478.58). The CA supports only http connections. I am connecting to the CA in IE mode. The CA is in the Intranet zone. When I clicked on the link "Create and submit a request to this CA", the information "The Web site is attempting to perform a digital certificate operation on your behalf...." was not displayed, and on the page with Advanced Certificate Request the CSP field did not display providers; there was only a Loading message. In IE on the same computers everything works fine. Could you please give me some advice on how to solve this issue in Edge Chromium?
Jul 15 2020 03:27 AM
Jul 15 2020 06:04 AM
@HotCakeX thank you for the response.
In normal Edge mode, when I clicked on advanced certificate request I was directly redirected to the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file." page.
The page where I have the option to select "Create and submit a request to this CA." or "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file." was not displayed.
Sep 28 2020 04:09 AM
I think this is a technological limitation of Edge Chromium; it doesn't support the needed technology (ActiveX).
The Web Enrollment role has gotten virtually no updates since WS 2008; it seems development of it is pretty much abandoned. Just keep some IE's.
Sep 30 2020 05:20 AM
Thank you for the response. We are trying to simplify the environment as much as possible, but it seems that the vision of having only one web browser is not realistic.
Oct 05 2020 12:49 AM
@VjekoV I got a little more information from MS.
Indeed - the webpage hasn't gotten any recent updates to make it compatible with Edge. Currently the IE engine is present on all supported MS Windows OSes, and remains there until the lifecycle ends. So the "easy" solution is to remember to always open the certificate enrollment page with IE. If you need a more Enterprise solution, you should investigate Edge IE Enterprise mode (which allows automatic redirection/opening of listed sites in IE) - https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie...
Oct 06 2021 10:52 AM
I do realize this is an old post, but here we are 2021 October and now Windows 11 doesn't include IE at all. Haven't had a chance to try Server 2021 to see if its pki finally fixed this problem? Seems like a MASSIVE miss if it doesn't fix the problem.
Mar 01 2022 07:27 AM
Mar 01 2022 08:45 AM
@J 1901 Commercial (at least a standard solution) is no option for a company using PKI heavily in its infra (for example automatically enrolling and renewing user/device certificates, 802.1X authentication, etc.). And this part is working well. If your company size is thousands of endpoints, it should be handled automatically (GPO and certificate templates do a great job here), BUT some part is stuck in history, which makes the entire MS PKI solution not modern :( .
May 11 2022 09:32 AM
Jul 15 2022 12:09 PM
@Keith_D I wish you were wrong and a solution would have been published. However, I too am in this same situation where I have a major dependence upon the MS internal CA and would really like to have an easy way for us to continue using this service. A replacement has been avoided due to the institutional impact and complicated change management. If there is any update on this I would really appreciate a follow-up post.
Jul 16 2022 06:57 AM
Jul 20 2022 04:46 PM
@saraalex - I'm afraid you're having a very different and unrelated problem with your website. The problem being discussed in this thread isn't related to trouble with websites on the internet not working correctly in the Edge browser, so you'll need to seek help with that on another post or forum related to whatever the problem is that you're having with Edge on your website. You might be better off seeking help for that kind of issue on one of the website developer help forums, as the users on those sites will have a lot more experience in that area.
I can tell you that the certificate for your website was issued by Cloudflare on July 10th, and there are no problems with your website certificate according to the certificate checkers at sslshopper.com, digicert.com, thesslstore.com, or Qualys' ssllabs.com, and Cloudflare doesn't use the Windows Certificate Authority for issuing those certificates. If you were having the problem we're discussing here, you wouldn't have a certificate on your website because you wouldn't be able to get one in the first place because of this issue.
What we're talking about here is a problem with the Microsoft Windows Certificate Authority product that's built into Windows Server, which still requires using Microsoft Internet Explorer for some of its functionality despite Microsoft having retired Internet Explorer and no longer shipping it with any of the latest versions of Windows. Their current certificate authority product is not compatible with any currently supported web browser available in their latest operating systems despite that product still being shipped in their latest operating systems with that requirement. It's a catch-22 for Windows server and network administrators who use the Windows Certificate Authority product.
I hope that helps.
Aug 03 2022 12:15 AM
It's crazy that a core Microsoft security-related application still has an ActiveX dependency in 2022
Aug 03 2022 05:36 PM
@NickF101 It's not actually an ActiveX dependency - you can disable ActiveX completely in IE and this will still work. It's the authentication mechanism used by the Certificate Authority's webpage. Edge doesn't support that authentication mechanism and neither does any other browser but Internet Explorer.
The setting in Internet Explorer is in Internet Options -> Security -> Custom Level... -> User Authentication -> Logon (scroll to the very bottom of the list). It requires one of the options that allows you to authenticate through the web browser to the server so it can perform the CA operations under your AD credentials. This is not supported in anything but Internet Explorer to my knowledge, and I haven't ever found any documentation from Microsoft on how to replicate this functionality in any other way for the Certificate Authority's web interface.