Hi there, I just installed a new Win 2008 R2 x64 Enterprise server on which I installed both Domain Services and Certificates Services (I did this because I have a few ressources on my laptop on which I'm able to install only 2 virtual machines). When I browse to the certificate enrollment webpage in order to download the CA certificate, I get the following issue: I'm logged with the domain administrator user and when I click on "Download CA certificate", IE9 prompts me to save "certnew_cer?ReqID=CACert&Renewal=0&Enc=bin" but I cannot neither save the file nor download the CA certificate. Can you please help me? I need to download the CA or CA chain to a non-domain server. Many thanks by advance.

Hi there, my previous message seems to have been deleted? so I will explain again my problem. I just installed a new Win 2008 R2 x64 Enterprise server on which I installed both Domain Services and Certificates Services. When I browse to the certificate enrollment webpage in order to download the CA certificate, I get the following issue: I'm logged with the domain administrator user and when I click on "Download CA certificate", IE9 prompts me to save "certnew_cer?ReqID=CACert&Renewal=0&Enc=bin" but I cannot neither save the file nor download the CA certificate. I have the same issue from a domain and non-domain server. Can you please help me? Many thanks by advance.

Nobody can help? It would be very strange that I'm the only one who is encountering this issue...

Have you tried to use the Compatibility View in IE 9 to see if it resolves the issue? Also, I am curious to know what errors that you are getting when you do try to download or Save the certificate. Please, let us know. Just FYI, it is better if you can avoid loading AD CS on a domain controller, please refer to PKI Design Brief Overview for more information.

When you do try to download the certificate and think that you cannot, could you look into the folder %userprofile%\downloads to ensure that it was not downloaded anyways. If it was not, would you please elaborate on any error messages.

Hi, I tried to use Compatibility View but there isn't any change :-(. I installed both Domain et Certificate services on the same virtual machine because my laptop do not have enough ressources to install more than 2 VMs. But I guess these 2 roles can be installed on the same server. Here is the screenshot when I try to download the cert : http://images.imagehotel.net/?tq1iigcnas.jpg I found an other solution: extract the certificate chain from mmc snap-in, but it's not handy... FYI there isn't any error/warning in the eventviewer and there is nothing in %userprofile%\downloads. Thanks for your help!

Thanks, I have been having a separate conversation with Vadims Podans who alerted me to your post. He has also provided screen captures and scenarios. I am checking on this with our feature team and CSS team. I will get back to you with any resolutions. I can certainly tell you that what you and Vadims have shown are the same and it certainly does not seem to be expected. As for the combination of the roles in your situation, it is not a problem because you appear to be using it for testing, training, and experimentation. What we recommend that you should not do is deploy the two roles on the same computer in a production environment. Okay, so I get back to this thread with what I find out. Sorry about the trouble.

You're right it's only for testing purpose but my main goal is to test a third party software which needs a 2008 CA. With my previous workaround I can go further in my deployment but I would like to know what it is happening with this service (maybe this issue is hidding an other one). OK I will wait for your answer - thanks for taking the time to help.

The tester said that he encountered this issue and was able to overcome it by removing Internet Explorer Enhanced Security mode.

I have forwarded your issue to product team and got a response that this is due of enabled Ineternet Explorer Enhanced Security Configuration (IEESC). You need to disable this eature on a server where you want to use web enrollment pages. This is not necessary for client Windows OSs, because thay don't have IEESC and should work with web enrollment by default.My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki

Thanks a lot Kurt and Vadims, it works fine now! Have a nice day!