Windows 2008 introduces a couple of annoyances with the Certificate Web Enrollment form (/certsrv) that are worth mentioning, and pointing out the workarounds in case you need them. There is a third annoyance (also with a workaround), that is a somewhat more lengthy discussion and will be addressed on it’s own.
The first is the deprecation of the components we use for Web Enrollment. If we look at KB922706, we can see the details of what happened. This KB article is titled:
“The Windows Server 2003 Certificate Services Web enrollment functionality relies on an ActiveX control that is named Xenroll. This ActiveX control is available in Microsoft Windows 2000 and in later versions of Windows. However, Xenroll has been deprecated in Windows Vista and in Windows Server 2008”.
In short, the components are not present in Windows 2008 by default, but can be downloaded from this KB and implemented if you need them.
The second is the fact the SSL (HTTPS) is required in order to use the Certificate Web Enrollment form in Windows 2008. When you attempt to access the forum with HTTP://, you receive the following error at the top of your browser:
“Internet Explorer has blocked this site from using an ActiveX control in an unsafe manner. As a result, this page might not display correctly”
It’s true that SSL is more secure and definitely a best practice, but especially in lab testing and intranet environments, SSL may not be considered strictly necessary. You can work around this issue.
1. In IE Internet Options, Security Tab, make sure the Certificate Web Enrollment site is in the list of Trusted Sites.
2. With Trusted Sites highlighted, click the Customize Button.
3. In the Security Settings, set “Initialize and script ActiveX controls not marked as safe for scripting” to ENABLED, as shown in the image below.
As always, take care in choosing when it’s appropriate to lower your defenses in this area. But when the situations fits, these are some of the tools and methods at your avail to make your work easier.