Firefox Autoenrollment With A Microsoft CA

If you’re running a Microsoft CA and you want to be able to accept enrollment requests from clients supporting keygen (Firefox, Safari, Opera, et cetera) you’ve probably found that the /certsrv/ page allows enrollment, but the requests fail when you attempt to issue the certificate.  This is because the server is not parsing the subject attributes from the request.  To fix this, run the following on your server as administrator on the command line.

certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT

You can also set your server to auto-issue on request for certain certificate profiles.  To do this add the CA snap-in and get properties of your CA. Under the policy module tab click properties again and click the “Follow the settings..” radio button.