Microsoft KB Archive/300860

= Enrollment Does Not Succeed on Windows XP When Requesting a Certificate by Using a DSS CSP =

Article ID: 300860

Article Last Modified on 10/11/2002

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows XP Professional

-



This article was previously published under Q300860





SYMPTOMS
Attempting to request a certificate on a Windows XP-based client from a Windows 2000-based Certification Authority Web page generates an &quot;Error on page&quot; error message. This error occurs if the following conditions exist:  You are using any of the following certificate templates on the Windows XP-based client:  Administrator User Basic EFS EFS Recovery Agent

 You request the certificate in conjunction with one of the following Cryptographic Service Providers (CSPs):  Microsoft Base DSS Cryptographic Provider</li> Microsoft Base DSS and Diffie-Hellman Cryptographic Provider</li> Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider</li></ul> </li></ul>

If you click Details in the dialog box in Microsoft Internet Explorer, you see the following information:

Line: 1125

Char: 4

Error: Signing certificate cannot include SMIME Extension.

Code: 0

URL: http:// /certsrv/certrqma.asp

The Web page may appear to stop responding (hang) when &quot;Generating Request&quot; is displayed if Internet Explorer is configured not to display errors on pages. You can view this error message by double-clicking the exclamation point in the lower-left corner of the Internet Explorer window.

<div class="cause_section">

CAUSE
The error message occurs because the Web page is attempting to form a request for a certificate that includes Secure Multi-Purpose Internet Messaging Extensions (S/MIME) capabilities. The capability for key encipherment that is required by S/MIME is not present in a Digital Signature Standards (DSS) CSP's design.

<div class="resolution_section">

RESOLUTION
You can safely ignore this error message. The submission of valid requests to the Certification Authority's Web page is not affected.

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

<div class="moreinformation_section">

MORE INFORMATION
Each of the user templates that is listed earlier in this article specifies the key usage, including the digital signature and key encipherment. The DSS CSPs provide certificates that can be used only for digital signatures, and therefore cannot address the Key Encipherment requirement that is specified by S/MIME.

The functionality of digital signatures and key encipherment is most commonly used in e-mail messages that contain S/MIME. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

246539 Enrolling for DSS Certificates

Additional query words: Line: 1151 NTE_FAIL PKI S/MIME SMIME Public Key Usage

Keywords: kbenv kbprb KB300860

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.