Blog August 2, 2019 Certificate Requests, Enrollment, Web Enrollment

You cannot download CA certificate from web enrollment pages

by Vadims Podāns
As part of joining PKI Solutions, several blog posts from my old site are re-posted here for visibility and thoroughness.

When you try to download the CA certificate from the web enrollment pages, you get a prompt with an unreadable proposed file name:

Do you want to save certnew_cer?ReqID=CACert&Renewal=1&Enc=bin (1,09 KB) from 


When you press the ‘Save’ button in the save file dialog, nothing happens and the file is not saved. You cannot close the ‘Save File’ pop-up prompt even if you press the ‘Cancel’ button.


CAUSE

This issue occurs if you are using an operating system listed in the ‘Applies to‘ section and Internet Explorer with Enhanced Security Configuration (ESC) enabled. Internet Explorer ESC applies strict security settings that prevent you from downloading the CA certificate from the web enrollment pages. For more information about the IE ESC feature, see this article: Internet Explorer: Enhanced Security Configuration


RESOLUTION

You need to disable Internet Explorer Enhanced Security Configuration.

  • Log on to the server with local administrator permissions;
  • Click Start, then Administrative Tools, and click Server Manager;
  • In the right pane, click the ‘Configure IE ESC‘ link;
  • In the dialog box that opens, disable Internet Explorer ESC for the appropriate group (Administrators and/or regular users);
  • Click OK and restart Internet Explorer.

You should not disable Internet Explorer ESC for the Administrators group, because doing so increases the exposure of your server to potential attacks that can occur through Web content and application scripts. Instead, access the web enrollment pages with a regular user account and disable IE ESC for regular users only.
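
One way to script the recommendation above: report the IE ESC state for both groups and turn it off for regular users only, leaving Administrators protected. This is an added example, not part of the original post; it assumes the setting is stored in the Active Setup `IsInstalled` registry values shown (the locations commonly used to script IE ESC), and the `-DisableForUsers` switch is a name chosen for this example.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
# Assumption: IE ESC state lives in these Active Setup values, 1 = enabled, 0 = disabled.
param([switch]$DisableForUsers)   # hypothetical switch name for this example

$escKeys = @{
    Administrators = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
    Users          = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
}

function Get-IEEscState {
    # Returns one object per group; Enabled is $null when the key or value is absent.
    foreach ($group in 'Administrators', 'Users') {
        $enabled = $null
        if (Test-Path -LiteralPath $escKeys[$group]) {
            $item = Get-ItemProperty -LiteralPath $escKeys[$group] -ErrorAction SilentlyContinue
            if ($null -ne $item.IsInstalled) { $enabled = [bool]$item.IsInstalled }
        }
        New-Object psobject -Property @{ Group = $group; Enabled = $enabled }
    }
}

$state = Get-IEEscState
$state | Format-Table Group, Enabled -AutoSize | Out-String | Write-Host

# Flag the configuration the post advises against.
$admin = $state | Where-Object { $_.Group -eq 'Administrators' }
if ($admin.Enabled -eq $false) {
    Write-Warning 'IE ESC is disabled for Administrators; the server is more exposed to Web content and scripts.'
}

if ($DisableForUsers) {
    if (-not (Test-Path -LiteralPath $escKeys.Users)) {
        Write-Warning 'IE ESC key for Users not found; nothing changed.'
        return
    }
    # Change the Users value only; the Administrators value is never written.
    Set-ItemProperty -LiteralPath $escKeys.Users -Name IsInstalled -Value 0
    Get-IEEscState | Format-Table Group, Enabled -AutoSize | Out-String | Write-Host
    Write-Host 'Restart Internet Explorer, then confirm the result under Configure IE ESC in Server Manager.'
}
```

Run without the switch, the script only reports the current state, which makes it usable as an audit check across servers.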


WORKAROUND

In an Active Directory environment, you should avoid using web enrollment pages directly from servers. For management purposes, use an administrative computer that runs a client operating system (Windows Vista/7) with Remote Server Administration Tools (RSAT) installed.
