Enrollment Does Not Succeed on Windows XP When Requesting a Certificate by Using a DSS CSP (300860)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows XP Professional
This article was previously published under Q300860

SYMPTOMS

Attempting to request a certificate on a Windows XP-based client from a Windows 2000-based Certification Authority Web page generates an "Error on page" error message. This error occurs if the following conditions exist:
  • You are using any of the following certificate templates on the Windows XP-based client:
    • Administrator
    • User
    • Basic EFS
    • EFS Recovery Agent

  • You request the certificate in conjunction with one of the following Cryptographic Service Providers (CSPs):
    • Microsoft Base DSS Cryptographic Provider
    • Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
    • Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
If you click Details in the dialog box in Microsoft Internet Explorer, you see the following information:
Line: 1125
Char: 4
Error: Signing certificate cannot include SMIME Extension.
Code: 0
URL: http://Your_server_name/certsrv/certrqma.asp
The Web page may appear to stop responding (hang) when "Generating Request" is displayed if Internet Explorer is configured not to display errors on pages. You can view this error message by double-clicking the exclamation point in the lower-left corner of the Internet Explorer window.

CAUSE

The error message occurs because the Web page is attempting to form a request for a certificate that includes Secure Multi-Purpose Internet Messaging Extensions (S/MIME) capabilities. The capability for key encipherment that is required by S/MIME is not present in a Digital Signature Standards (DSS) CSP's design.

RESOLUTION

You can safely ignore this error message. The submission of valid requests to the Certification Authority's Web page is not affected.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

MORE INFORMATION

Each of the user templates that is listed earlier in this article specifies the key usage, including the digital signature and key encipherment. The DSS CSPs provide certificates that can be used only for digital signatures, and therefore cannot address the Key Encipherment requirement that is specified by S/MIME.

The functionality of digital signatures and key encipherment is most commonly used in e-mail messages that contain S/MIME. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

246539 Enrolling for DSS Certificates

Modification Type:MajorLast Reviewed:10/11/2002
Keywords:kbenv kbprb KB300860
©2002 Microsoft Corporation. All rights reserved.