Consider the following scenario:

• You have an untrusted root certification authority (CA).
• In a certificate enrollment Web page, you issue an end entity certificate that is chained to the untrusted root CA.
• The certificate enrollment Web page uses the InstallResponse method of the IX509Enrollment interface of the CertEnroll COM object to install the end entity certificate to a client computer.

In this scenario, when a user uses Windows Internet Explorer 7 to open the certificate enrollment Web page and install the end entity certificate on a Windows Vista-based client computer, the installation may fail. Additionally, the user may receive one of the following error messages from the InstallResponse method of the IX509Enrollment interface:

Error Code: E_ACCESSDENIED 0×80070005L
Error Message: “General access denied error”
This error occurs if the certificate response is installed using a InstallResponseRestrictionFlags such as AllowUntrustedRoot other than AllowNone.
Error Code: CERT_E_CHAINING 0×800B010AL
Error Message: “A certificate chain could not be built to a trusted root authority”
This error occurs if the certificate chain response contains an end entity certificate but not the complete certificate chain to a root CA.
Error Code: CERT_E_UNTRUSTEDROOT 0×800B0109L
Error Message: “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”
This error occurs if the certificate chain response is containing the leaf end entity certificate chaining to an untrusted root CA.