Set up certification authority Web enrollment support

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To set up certification authority Web enrollment support

  1. Log on to the system as an Administrator, or if you have the Active Directory directory service, log on to the system as a Domain Administrator.

  2. Open Add or Remove Programs in Control Panel.

  3. Click Add/Remove Windows Components.

  4. In the Windows Components Wizard, select the Certificate Services check box. A dialog box appears to inform you that the computer cannot be renamed and that the computer cannot be joined to or removed from a domain after Certificate Services is installed. Click Yes, and then click Details.

  5. Clear the Certificate Services CA check box, verify that the Certificate Services Web Enrollment Support check box remains selected, click OK, and then click Next.

  6. In Computer Name, type the name of the computer that hosts the certification authority (CA) for which these Web enrollment pages will be used. The name of the CA will appear in the list. Click Next.

  7. If Internet Information Services is running, the system will request that you stop the service before proceeding with the installation. If this happens, click Yes.

  8. If prompted, type in the path to the Certificate Services installation files.

Notes

  • If you installed the CA Web enrollment pages on a computer that is not a CA, the computer account must be trusted for delegation in Active Directory. For more information on trusting a computer for delegation, see Related Topics.

  • CA Web enrollment pages are installed by default when you set up Certificate Services on a server that has Internet Information Services (IIS) installed. This procedure is necessary only if you want to install the CA Web enrollment pages on a server that is separate from the server on which the CA is installed.

  • If you installed the CA Web enrollment pages before installing IIS, the required virtual roots are not created. You can create the virtual roots after installing IIS by typing certutil -vroot at a command prompt. The command certutil -vroot does not install the Web enrollment pages. It only creates the IIS virtual roots that point to the Web enrollment pages, CA certificate, CRLs, and enrollment controls (xenroll.dll and scrdenrl.dll).

    For more information on creating or deleting the related set of Certificate Services Web server virtual roots and file shares, see Certutil tasks for configuring a Certification Authority (CA).

  • When you initially install IIS, the service is installed in a highly secure mode. Because IIS only serves static content by default, you must enable features such as ASP. To enable ASP and allow the CA Web enrollment pages to work correctly, see Enabling and Disabling Dynamic Content in Microsoft Internet Information Services.

  • Installation of the Web enrollment pages configures the computer as a registration authority (RA). This computer is also known as a "CA Web proxy" or a "Web enrollment station."

  • To open Add/Remove Windows Components, click Start, click Control Panel, double-click Add or Remove Programs, and then click Add/Remove Windows Components.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

User and computer accounts
Certutil tasks for configuring a Certification Authority (CA)
Certification authority Web enrollment services
Installing and configuring a certification authority
Using Windows 2000 Certificate Services Web pages
Using Windows Server 2003 Certificate Services Web pages
Use Windows Server 2003 Certificate Services Web Pages