Page tree




Certificate Download Requirements

FIS System Requirements

  • WINDOWS XP, 2000, WINDOWS Vista (with SP 2 installed) supported, Windows 7
  • Internet Explorer v 6.x, 7.x, 8 (Note: WINDOWS does not support IE6 on VISTA)
  • Permissions to install an ActiveX control on the browser


Add Exostar as Trusted Site

The section describes the steps to add Exostar to the Internet Explorer (IE) list of trusted internet sites. The process differs between IE 6.0 and IE 7.0. Details of each version are provided below.

NOTE: Internet Explorer 6 is not supported on the Windows Vista OS. As such, the IE6 settings described in this section only apply when using the Exostar ActiveX component on Windows 2000 or Windows XP.


Internet Explorer 6.0 Settings

Step 1.  Launch Internet Explorer.

Step 2.  Select Internet Options from the Tools menu. This opens a tabbed dialog that allows you to view and modify Internet Explorer settings.

Step 3.  Select the Security tab, and then select the Trusted sites Web content zone.

Step 4.  Click the Sites... button. This opens a window that allows the entry of a trusted site. In the Add this Web site to the zone: edit box add the web site https://my.exostar.com. Click the OK button to close this window and return to the Security tab.

NOTE: This Website may have previously been added as a trusted site so performing this step may be unnecessary.

Step 5.  Click the Custom Level… button towards the bottom of the Security tab to display the Security Settings window.

Step 6.  Follow the table below to verify and change if needed, settings that allow the download and use of Exostar ActiveX controls:

SectionSetting NameRequired Value
ActiveX controls and plug-insAllow previously unused ActiveX controls to run without promptEnable

Automatic prompting for ActiveX controlsEnable

Binary and script behaviorsEnable

Download signed ActiveX controlsEnable

Run ActiveX controls and plug-insEnable

Script ActiveX controls marked safe for scriptingEnable
MiscellaneousDon’t prompt for client certificate when no certificates or only one certificate existsEnable

Use Popup Blocker*Disable

NOTE: The Use Popup Blocker setting disables popup blocking for all Websites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar website by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.

Step 7.  Click OK to close the zone setting dialog.

Step 8.  The Exostar Identity and Access Management (IAM) Platform (formerly known as MAG) product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol, click the Advanced tab on the Internet Explorer options dialog, then scroll down to the Security section. Check the Use TLS setting, if it is not already checked.


Internet Explorer 7.0, 8, 9 Settings

Step 1.  Launch Internet Explorer.

Step 2.  Select Internet Options from the Tools menu. This opens a tabbed dialog that allows you to view and modify Internet Explorer settings.

Step 3.  Select the Security tab, and then select the Trusted sites Web content zone.

Step 4.  Click the Sites button. This opens a window that allows the entry of a trusted site. In the Add this website to the zone: edit box.  Add the web site https://my.exostar.com/. Click the OK button to close this window and return to the Security tab.

NOTE: This website may have previously been added as a trusted site so performing this step may be unnecessary.

Step 5.  Click the Custom Level button towards the bottom of the Security tab to display the Security Settings window.

Step 6.  Follow the table below to verify and change if needed, settings that allow the download and use of Exostar ActiveX controls:

SectionSetting NameRequired Value
ActiveX controls and plug-insAllow previously unused ActiveX controls to run without promptEnable

Automatic prompting for ActiveX controlsEnable

Binary and script behaviorsEnable

Download signed ActiveX controlsEnable

Run ActiveX controls and plug-insEnable

Script ActiveX controls marked safe for scriptingEnable
MiscellaneousDon’t prompt for client certificate when no certificates or only one certificate existsEnable

Use Popup Blocker*Disable

NOTE: The Use Popup Blocker setting disables popup blocking for all Websites in the Trusted Internet zone. Alternatively, popup blocking can be disabled specifically for the Exostar website by adding the Exostar website to the list of sites not blocked by the popup blocker functionality in Internet Explorer.

On Windows Vista operating systems, there is an additional setting on the Security page which is used to enable or disable Protected Mode For Trusted Sites, Protected Mode is disabled by default. To use the Exostar ActiveX control, please ensure the Enable Protected Mode setting is not checked.

Step 7.  The Exostar Identity and Access Management Platform (IAM formerly known as MAG) product takes advantage of the advanced security features of the TLS 1.0 protocol. To enable use of this protocol, click the Advanced tab on the Internet Explorer options dialog, then scroll down to the Security section. Check the Use TLS setting, if it is not already checked.


System Permissions

The section describes the system permissions that must be granted (typically by a network or security administrator) to the logged on user’s account. Please reach out to your network or security administrator to review these permissions.


Registry Permissions

The account logged into the Windows interactive desktop must have read-write permissions to an area of the system registry used to maintain information about ActiveX controls. Specifically, the account must have permissions to the HKEY_CLASSES_ROOT\CLSID registry hive.

     NOTE: This hive is a mirror of the HKEY_LOCAL_MACHINE\Software\Classes hive; changes made to either hive are reflected in the other hive.

The following specific permissions must be allowed:

  • Query Value, Set Value
  • Create Subkey
  • Enumerate Subkeys
  • Read Control


File System Permissions

The account logged into the Windows interactive desktop must have read-write permissions to the file system Windows\ Downloaded Program Files folder. This folder is used to store ActiveX controls downloaded by Internet Explorer.


Certificate Store Permissions

A Microsoft-generated dialog box may display during FIS certificate installation if the logged on user does not have permissions to write a trusted root certificate to the system’s trusted root certificate store. The user must click Yes on this dialog for FIS certificates to install correctly. This section provides detailed information concerning this issue. As part the certificate acquisition process for an FIS user, an attempt is made by the Exostar ActiveX control to download and install one or more digital certificates in the certificate store of the user’s system. Each certificate downloaded can be one of two general types:

  • Certificates issued to the FIS user (FIS end user certificates) that are installed in the user’s personal certificate store.
  • Certificates that may be used to trace the user certificate to a trusted root authority (trusted root authority certificates) installed in the systems Trusted Root Certification Authorities certificate store (or Trusted Root Store for short).

Scenarios:

  • If the logged in user, i.e. the FIS user attempting to obtain an FIS certificate does have permissions to store the trusted root authority certificates in the Trusted Root Store, the certificate installation process completes successfully.
  • If the logged in user, i.e. the FIS user attempting to obtain an FIS certificate does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, the FIS certificate download and install process can still proceed successfully, however due to a known Microsoft issue, the process may require an additional interactive step by the user.
  • If the logged in user, i.e. the FIS user does not have the permissions to store the trusted root authority certificates in the Trusted Root Store, an informational dialog box may be generated by the Microsoft operating system during the certificate installation process. The Microsoft dialog box is intended to alert the user an attempt to install a certificate in the Trusted Root Store is being made and allows the user to proceed with the operation or cancel it.


Due to a known Microsoft issue (documented in the Microsoft Knowledge Base article #940275) the dialog displays and does not contain the intended informational message. Instead of a blank, not so informational message, the message should display as follows: You are about to install a certificate from a certification authority (CA) claiming to represent: CANameCertificate_Information Do you want to install this certificate? The missing message text makes the dialog very confusing to the end user. In order for FIS certificate installation to complete successfully, the FIS user must click the Yes button on the Microsoft dialog box.

IMPORTANT: The confusing dialog box only displays under the following conditions:

  • The logged on user does not have permissions to store a trusted root certificate in the system’s trusted root certificate store.
  • The trusted root certificate does not already exist in the trusted root store. If the certificate already exists, then no attempt to install is made and therefore the Microsoft dialog will not display.


Exostar ActiveX Installer

In certain situations, the FIS user may not be able to obtain some or all of the permissions needed to download and install the Exostar ActiveX XEnrollPlus control via a web browser. To handle these situations, System Administrators can use a Microsoft installer-based package (MSI) to install the Exostar ActiveX control. There are three versions of the installer currently available:

  • One for Windows 2000 platforms
  • One for Windows XP
  • One for Windows Vista


Each version of the installer contains two files:

  1. setup.exe: This file is used to check and report whether the local system meets the requirements to successfully run the Exostar ActiveX control and to launch the Windows Installer to install the ActiveX control.
  2. MSI extension file: This file can be run directly without running Setup.exe first. The Windows Installer is used to install the Exostar ActiveX control.


Launch ActiveX Installer

This section describes how to perform an Exostar ActiveX installation via the Exostar ActiveX installer, manually on a single desktop PC.

To install:

Step 1.  Determine the Windows operating system of the desktop PC the Exostar ActiveX control will be installed on.

Step 2.  If installing on a:

  • Windows Vista operating system, double click the XEnrollPlusVistaMSI.msi file located on the distribution media.
  • Windows XP operating system, double click the XEnrollPlusMSI.msi file located on the distribution media.
  • Windows 2000 operating system, double click the XEnrollPlusWin2k.msi file located on the distribution media.

Step 3.  The Windows installer launches and runs the Exostar ActiveX installer.

Step 4.  The Welcome to the Exostar Certificate Issuance Control Setup Wizard screen displays. Click the Next button to continue the installation.

Step 5.  On the next screen select the Everyone option. Click Next.

NOTE: The ActiveX control software is installed in the C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control folder. Click the Browse button to select another location if desired.

Step 6.  Continue the installation process by clicking the Next button on the Confirmation page . This ActiveX control is installed in the location specified in step 5 above.

Step 7.  When the installation process is complete, the Installation Complete page displays. Click Close.


Verify ActiveX Installation

This section describes the steps you can perform to verify the Exostar ActiveX control installed (via the Exostar Installer MSI) correctly.

NOTE: The Exostar ActiveX control does not display in the objects list shown by Internet Explorer since the ActiveX control was not downloaded and installed via the browser.

Step 1.  Verify the file is installed in the OS file system. The default location for the ActiveX control is: C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control. Verify the file exists in this folder.

NOTE: if a different installation folder was selected during the installation process, please verify the control’s file exists in the selected folder.

Step 2 (Optional).  Verify the control is registered in the system registry using a registry editing/viewing tool ex. regedit.exe.

WARNING: Serious problems may occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you reinstall the operating system. Exostar cannot guarantee these problems can be solved. View the registry at your own risk OR work with your Network or Security Administrator.

Step 3.  Locate the registry hive: HKEY_CLASSES_ROOT\CLSID\{3AFD96BC-5BB9-4614-B0D1-AE48A331E3E2}. Under this hive, find the InprocServer32 hive. This default registry key in this hive should have the following value: C:\Program Files\Exostar LLC\Exostar Certificate Issuance Control\XEnrollPlus.dll.

NOTE: This value will be different than shown above if another folder was selected during installation.

Step 4.  If successfully installed, and browser setting (as described earlier in this document) are set to allow the use and scripting of ActiveX controls, then no ActiveX-related errors should display when certificate requests via the FIS application are processed.


Common Errors

Some common errors encountered while downloading the ActiveX controls or the certificates are listed below. Please review this section before reaching out to Exostar.


Attempting to Download ActiveX components when a Website is not in the Trusted Sites Zone

When a Web page refers to an ActiveX control not currently present on your computer, the messages and prompts that display to a user depend on a number of factors, including the Security Zone assigned to the Website, the security settings for ActiveX for that zone, the Internet Explorer version, and the operating system version. For example, Internet Explorer running on a Windows XP/SP2 platform makes use of an Information Bar to display status to the user.


This section reviews some of the messages that may display when an attempt to download an ActiveX control occurs.

NOTE: If the Exostar website is added to the Internet Explorer Trusted Sites zone and this zone is configured as described above, the prompts and messages explained below will not display.

The intent of this section is to help troubleshoot issues when a message is displayed to the user during ActiveX download.


Issue #1: Exostar website is not in the trusted zone.

To proceed from this error:

Step 1.  Click Close on the Information bar warning.

Step 2.  Right-click the Information Bar and select Install ActiveX control.

Step 3.  The Do you want to install this software? dialog box below displays. Click the Install button to download and install the ActiveX.


Issue #2: Exostar website is in the trusted zone. Download signed ActiveX controls setting for this zone is set to prompt.

To proceed from this error:

Step 1.  Internet Explorer displays the Do you want to install this software? dialog box. Click the Install button to download and install the ActiveX.


Issue #3: Exostar website is in the trusted zone. Run ActiveX controls and plug-ins setting for this zone is set to prompt.

To proceed from this error:

Step 1.  Internet Explorer displays the Do you want to allow software such as ActiveX controls and plug-ins to run? dialog box. Click Yes to allow the ActiveX control to run.


Issue #4: I am trying to download the certificates and receive an error message: “The ActiveX Control is not installed or is not running. You need to install it or run it before you can proceed”.

This error displays when you attempt to download digital certificates and the Exostar ActiveX control is blocked/cannot be downloaded. The most common causes for this error are Internet Explorer settings and/or system level permissions not set correctly, and therefore do not allow the download and use of Exostar’s ActiveX control.

How useful was this content?

Your Rating: Results: 1 Star2 Star3 Star4 Star5 Star 9 rates