SCOM Certificate Enrollment Issue

2013-03-29 Update
Pete Zerger has a good comment on this posting: It’s not required to lower the security for the entire zone in IE. Already in 2009(!) Pete blogged about this issue and how to solve it. His posting is to be found here. Thanks Pete for sharing. Comments like this make this blog even better. Awesome!

When the SCOM Certificate template is created as described in this posting of mine and you want to submit a certificate request on the CA website (http://localhost/certsrv) you might get two messages which frustrate the request:

1. In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication:
   
2. Internet Explorer blocked an ActiveX control, so this page might not display correctly:
   

How to solve this without using HTTPS authentication? Simply because sometimes companies don’t want the SSL hassle for their PKI which is only used on a small scale inside their IT environment and not for production with CRLs and the lot. Because in that case it’s highly recommended you use SSL in order to keep your PKI secure and locked down.

Workaround
In order to submit a certificate request which runs successfully without enabling SSL, you simply follow these four steps:

1. Start IE with elevated permissions and surf to http://localhost/certsrv;
2. Go to Internet Options > Security > Local Intranet > Sites > Advanced > Add this website to the zone http://localhost/certsrv > Add > Close > OK;
   
3. Set the Security level for this zone to Low:
   
4. > Apply > OK. Restart IE, again with ELEVATED permissions.

Now you can submit your certificate requests successfully after you answer these two dialogs positively:

> Yes.

And:

> Yes.