Error message when a user uses Internet Explorer 7 to open the certificate enrollment Web page

Consider the following scenario:

You try to enroll a certificate from a certificate enrollment Web page.
The certificate that you receive from the certification authority is an unsigned PKCS7 response.
The certificate chain for the new certificate cannot be built, or the chain validation fails.
To install the end entity certificate on a client computer, the certificate enrollment Web page uses the InstallResponse method of the IX509Enrollment interface of the CertEnroll COM object.

In this scenario, when you use Windows Internet Explorer 7 to open the certificate enrollment Web page and to install the end entity certificate on a Windows Vista-based client computer, the installation may fail. Additionally, you may receive one of the following error messages from the InstallResponse method of the IX509Enrollment interface:

Error Code: E_ACCESSDENIED 0x80070005L
Error Message: “General access denied error”
This error occurs if the certificate response is installed using a InstallResponseRestrictionFlags such as AllowUntrustedRoot other than AllowNone.

Error Code: CERT_E_CHAINING 0x800B010AL
Error Message: “A certificate chain could not be built to a trusted root authority”
This error occurs if the certificate chain response contains an end entity certificate but not the complete certificate chain to a root CA.

Error Code: CERT_E_UNTRUSTEDROOT 0x800B0109L
Error Message: “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”
This error occurs if the certificate chain response is containing the leaf end entity certificate chaining to an untrusted root CA.



Hotfix information

A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Vista service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site: (

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site: (


There are no prerequisites for installing this hotfix.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Vista, x86-based versions
File name File version File size Date Time Platform
Update.mum Not applicable 1,805 17-Jan-2008 10:56 Not applicable
X86_c11b445761001999864b51e748b75060_31bf3856ad364e35_6.0.6000.20755_none_45c76b5c43cf83aa.manifest Not applicable 713 17-Jan-2008 10:56 Not applicable
X86_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.0.6000.20755_none_f20906edaac1f958.manifest Not applicable 554,102 17-Jan-2008 04:41 Not applicable
Certenroll.dll 6.0.6000.20755 1,105,408 17-Jan-2008 04:12 x86
Windows Vista, x64-based versions
File name File version File size Date Time Platform
Amd64_f375653d6c7abb5cb86eca9450616332_31bf3856ad364e35_6.0.6000.20755_none_4340e664ca197f58.manifest Not applicable 1,074 17-Jan-2008 10:56 Not applicable
Amd64_microsoft-windows-x..rtificateenrollment_31bf3856ad364e35_6.0.6000.20755_none_4e27a271631f6a8e.manifest Not applicable 554,140 17-Jan-2008 04:59 Not applicable
Update.mum Not applicable 2,046 17-Jan-2008 10:56 Not applicable
Certenroll.dll 6.0.6000.20755 1,645,056 17-Jan-2008 04:33 x64



Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the “Applies to” section.


After you apply this hotfix, you can install the certificate that is issued by an untrusted certification authority from a certificate enrollment Web page that uses the AllowUntrustedRoot flag.

The certificate enrollment Web page must be modified to make sure that the AllowUntrustedRoot flag is used when the InstallResponse method is called as follows:

objEnroll.InstallResponse(4, EnrollResponse, 0, “”)


Clients that are running Windows Vista must have this hotfix applied when the AllowUntrustedRoot flag is passed. Otherwise, the enrollment process will fail.

This change does not apply to clients that are running earlier versions of Windows operating systems.

The value of the third parameter depends on whether the certificate response contains a Base64 header. The value of this parameter can be 0 or 1.

For more information about InstallResponseRestrictionFlags enumeration, visit the following Microsoft Web site: (

Windows Vista Business
Windows Vista Enterprise
Windows Vista Home Basic
Windows Vista Home Premium
Windows Vista Ultimate
Windows Vista Business 64-bit Edition
Windows Vista Enterprise 64-bit Edition
Windows Vista Home Basic 64-bit Edition
Windows Vista Home Premium 64-bit Edition
Windows Vista Ultimate 64-bit Edition


Microsoft Knowledge Base Article

This article contents is Microsoft Copyrighted material.
Microsoft Corporation. All rights reserved. Terms of Use | Trademarks

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

AddThis Social Bookmark Button

Leave a Reply

To prove that you're not a bot, enter this code
Anti-Spam Image