Certificate Enrollment Policy Web Service Guidance

 

Applies To: Windows Server 2012 R2, Windows Server 2012

This document provides additional information for the Server Manager configuration pages for the Certificate Enrollment Policy Web Service. For an overview of the service and its installation requirements, see Certificate Enrollment Web Service Guidance. For more information about the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service, see Certificate Enrollment Web Services.

The remaining sections of this document provide more information for the configuration options that are presented when you use Server Manager to install the Certificate Enrollment Policy Web Service.


Set the authentication type for Certificate Enrollment Policy Web Service

Clients that communicate with the Certificate Enrollment Policy Web Service must use one of the following authentication types:

  • Windows integrated authentication, also known as Kerberos authentication

  • Client certificate authentication, also known as X.509 certificate authentication

  • User name and password authentication

Note

  • If you want to configure key-based renewal, you must enable user name and password authentication or client certificate authentication.
  • Anonymous authentication to the web services is not supported.

Determine whether to enable key-based renewal for Certificate Enrollment Policy Web Service

    Key-based renewal mode is a feature introduced in Windows Server 2012 that allows an existing valid certificate, rather than a domain account, to authenticate a certificate renewal request. This lets computers that are not connected directly to the internal network (for example, workgroup or internet-facing machines) renew an existing certificate automatically. To take advantage of this feature, the certificate client computers must be running at least Windows 8 or Windows Server 2012.

    Note


    When key-based renewal mode is enabled for a Certificate Enrollment Policy Web Service instance, that instance does not accept requests for new certificates; it serves renewals only. You can install multiple instances of the Certificate Enrollment Policy Web Service on Windows Server 2012 (for example, one instance with key-based renewal enabled and one without), but additional instances must be installed by using the Windows PowerShell cmdlet Install-AdcsEnrollmentPolicyWebService rather than Server Manager.
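The following is an added example, not code from the original article, showing how the two kinds of instance described above are installed on one server with Install-AdcsEnrollmentPolicyWebService: a Kerberos instance that accepts new requests, and a client-certificate instance in key-based renewal mode. It runs in an elevated PowerShell session on the domain-joined host; the host name cep.corp.contoso.com is an assumption for illustration, and the certificate-selection logic is added here as the check a practitioner would want before binding HTTPS.

```powershell
# Added example (not from the original article): install two Certificate Enrollment Policy
# Web Service instances on one server with Install-AdcsEnrollmentPolicyWebService.
# Run in an elevated PowerShell session on the domain-joined CEP host. The host name and
# the corp.contoso.com domain are assumptions for illustration.

$hostName = 'cep.corp.contoso.com'   # assumed: DNS name that clients will see in the CEP URI

# The role service is installed once; every CEP instance runs under it.
Add-WindowsFeature ADCS-Enroll-Web-Pol -IncludeManagementTools | Out-Null

# Choose the HTTPS certificate from LocalMachine\My. The service requires the Server
# Authentication EKU (OID 1.3.6.1.5.5.7.3.1); the name check is added here because clients
# validate the certificate against the host name in the URI and fail if it does not match.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        ($_.DnsNameList.Unicode -contains $hostName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $sslCert) {
    throw "No usable Server Authentication certificate for $hostName in LocalMachine\My."
}

# Instance 1: Windows integrated (Kerberos) authentication, new-certificate requests allowed.
# Produces the virtual application ADPolicyProvider_CEP_Kerberos.
$kerberos = @{
    AuthenticationType = 'Kerberos'
    SSLCertThumbprint  = $sslCert.Thumbprint
    Force              = $true     # suppress the confirmation prompt
}
Install-AdcsEnrollmentPolicyWebService @kerberos

# Instance 2: client certificate authentication with key-based renewal. Key-based renewal is
# permitted only with UserName or Certificate authentication, and a renewal-mode instance
# rejects new-certificate requests, so it is added beside instance 1, not instead of it.
# Produces the virtual application KeyBasedRenewal_ADPolicyProvider_CEP_Certificate.
$renewal = @{
    AuthenticationType = 'Certificate'
    KeyBasedRenewal    = $true
    SSLCertThumbprint  = $sslCert.Thumbprint
    Force              = $true
}
Install-AdcsEnrollmentPolicyWebService @renewal

# Verify: both virtual applications should now exist under the Default Web Site.
Import-Module WebAdministration
Get-WebApplication -Site 'Default Web Site' |
    Where-Object { $_.Path -like '*ADPolicyProvider_CEP_*' } |
    Select-Object Path, PhysicalPath
```

A key-based renewal policy instance is only useful together with a Certificate Enrollment Web Service instance that was installed with renewal-only mode and key-based renewal allowed (the -RenewalOnly and -AllowKeyBasedRenewal parameters of Install-AdcsEnrollmentWebService); that side of the deployment is not covered on this page.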

    Server Certificate

    The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service must communicate with clients over HTTPS, that is, over Secure Sockets Layer (SSL) or its successor TLS. Each service must have a valid certificate with an enhanced key usage (EKU) of Server Authentication (OID 1.3.6.1.5.5.7.3.1) in the local computer certificate store, and the certificate's subject or subject alternative name must match the host name that clients use in the service URI, because clients validate the certificate against that name.

    Note


    If you have not yet provided an SSL certificate to the server that is hosting the Certificate Enrollment Web Service, you can do so by following the instructions in the article Configure SSL/TLS on a Web site in the domain with an Enterprise CA.

    Certificate Enrollment Policy Web Service Configuration

    After you install the Certificate Enrollment Policy Web Service, there are two additional configuration steps to complete.

    1. Configure a friendly name value for the Certificate Enrollment Policy Web Service.

    2. Configure Group Policy to enable use of the Certificate Enrollment Policy Web Service.

    To configure a friendly name value for the Certificate Enrollment Policy Web Service

    1. Open the Internet Information Services (IIS) Manager console.

    2. In the Connections pane, expand the web server that is hosting the Certificate Enrollment Policy Web Service.

      Note


      If you are asked to get started with the Microsoft Web Platform, click No.

    3. Expand Sites, expand Default Web Site, and then click the virtual application for the instance you installed. The virtual application name depends on the options you chose during installation and follows this pattern:

      [KeyBasedRenewal_]ADPolicyProvider_CEP_<AuthenticationType>

      The KeyBasedRenewal_ prefix is present only if you enabled key-based renewal, and <AuthenticationType> is Kerberos, UsernamePassword, or Certificate.

      For example:

      • KeyBasedRenewal_ADPolicyProvider_CEP_Certificate is the virtual application name if you enabled key-based renewal and configured client certificate authentication.

      • ADPolicyProvider_CEP_UsernamePassword is the virtual application name if you did not enable key-based renewal and you configured user name and password authentication.

      • ADPolicyProvider_CEP_Kerberos is the virtual application name if you did not enable key-based renewal and you configured Windows integrated authentication.

    4. In the virtual application name Home pane, double-click Application Settings, and then double-click FriendlyName.

    5. In the Edit Application Setting dialog box, under Value, type the name that you want to configure as a friendly name for the service. For example, you might type Client Certificate Enrollment as the friendly name for the service. Click OK.

    6. In the Application Settings pane, double-click URI. The value that is shown for URI is significant because that is the path that clients will use to connect to the service. Copy this value, because you will use it when you configure Group Policy. Click Cancel.

    7. Close the Internet Information Services (IIS) Manager console.
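The procedure above, as an added example that is not part of the original article, carried out with the WebAdministration module instead of IIS Manager. It runs elevated on the CEP host; the application name ADPolicyProvider_CEP_Kerberos and the friendly name are assumptions, and the binding checks at the end are added as the validation a practitioner would want before publishing the URI through Group Policy.

```powershell
# Added example (not from the original article): perform the friendly-name and URI steps of
# the procedure above with the WebAdministration module instead of IIS Manager. Run elevated
# on the CEP host. The application name and friendly name are assumptions; substitute the
# virtual application that matches your installation.
Import-Module WebAdministration

$appName = 'ADPolicyProvider_CEP_Kerberos'          # assumed: Kerberos, no key-based renewal
$psPath  = "IIS:\Sites\Default Web Site\$appName"

# IIS Manager's Application Settings pane edits the <appSettings> section of the application's
# web.config, so the same keys are reachable through the configuration cmdlets.
function Get-CepAppSetting {
    param([string]$Key)
    (Get-WebConfigurationProperty -PSPath $psPath -Filter "appSettings/add[@key='$Key']" -Name 'value').Value
}
function Set-CepAppSetting {
    param([string]$Key, [string]$Value)
    Set-WebConfigurationProperty -PSPath $psPath -Filter "appSettings/add[@key='$Key']" -Name 'value' -Value $Value
}

# Steps 4 and 5: the friendly name users will see in the Certificates console.
Set-CepAppSetting -Key 'FriendlyName' -Value 'Client Certificate Enrollment'

# Step 6: the URI that goes into Group Policy. Read it back rather than typing it by hand.
$cepUri = Get-CepAppSetting -Key 'URI'
"FriendlyName : $(Get-CepAppSetting -Key 'FriendlyName')"
"URI          : $cepUri"

# Checks worth doing before the URI is published: it must be HTTPS, a 443 binding must exist,
# and the bound certificate must carry the host name that appears in the URI.
if ($cepUri -notmatch '^https://') { throw "CEP URI is not HTTPS: $cepUri" }
$uriHost = ([uri]$cepUri).Host

$binding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS (port 443) binding is configured on this server.' }

$boundCert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
if ($boundCert.DnsNameList.Unicode -notcontains $uriHost) {
    Write-Warning "HTTPS certificate $($boundCert.Thumbprint) does not name $uriHost; clients will fail server validation."
}
```

The value returned for URI is the exact string to paste into the Group Policy setting in the next procedure; a mismatch between that host name and the HTTPS certificate is the most common reason Validate Server fails later.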

    Setting the URI that you obtained in the previous procedure in Group Policy gives domain users and their computers the ability to obtain certificates through the Certificate Enrollment Policy Web Service from the Certificates console, without the clients having to know the URI of the virtual application.

    Note


    Domain users could enter the URI themselves by creating a custom certificate request, but this is typically not practical because the URI is long and the procedure is complex. Administrators, however, can perform a custom certificate request to validate the configuration of the Certificate Enrollment Policy Web Service. For more information, see Certificate Enrollment Web Services.

    To configure Group Policy to enable use of the Certificate Enrollment Policy Web Service

    1. Open the Group Policy Management console. To do so, from Server Manager, click Tools, and then click Group Policy Management.

      Note


      Ensure that you sign in by using an account with membership in Domain Admins or Enterprise Admins so that you can configure Group Policy settings. You can configure a Group Policy setting for the entire domain, an OU, or (if the account you are using is a member of Enterprise Admins), an entire site. The following instructions assume that you want to set a new Group Policy for the domain.

    2. Expand the forest that you want to target for the new Group Policy. Expand Domains. Right-click the domain, and then click Create a GPO in this domain, and link it here.

    3. In the New GPO dialog box, under Name, type a name that is appropriate for the new Group Policy Object (GPO), for example, Certificate Enrollment Policy Web Service Certificates. Click OK.

    4. Click the linked GPO that you just created. If you see a warning message about Group Policy Management Console, review the message, and then click OK.

    5. Right-click the linked GPO that you just created, and then click Edit.

    6. There are two types of certificates that you can distribute by using a GPO: computer certificates and user certificates. The following instructions describe setting the URI in both the Computer Configuration and User Configuration parts of the GPO. You can configure either one or both.

    7. To distribute certificates for computers, in the console pane, under Computer Configuration, click Policies, click Windows Settings, click Security Settings, and then click Public Key Policies.

      1. In the details pane, double-click Certificate Services Client - Certificate Enrollment Policy.

      2. Set Configuration Model to Enabled, and then click Add.

      3. In the Certificate Enrollment Policy Server dialog box, under Enter enrollment policy server URI, enter the URI that you copied in the previous procedure.

      4. In Authentication type, select the authentication type that you configured for the Certificate Enrollment Policy Web Service instance.

      5. Click Validate Server, and when the server is validated, click Add. Click OK.

        Note


        Validate Server connects to the service using the authentication type you selected, so it succeeds only if you have the appropriate credentials. This can be a problem if you selected client certificate authentication and the computer does not already have a certificate. In that case, first obtain a computer certificate that includes an enhanced key usage (EKU) of Client Authentication with object ID (OID) 1.3.6.1.5.5.7.3.2.

    8. To distribute certificates for users, in the console pane, under User Configuration, click Policies, click Windows Settings, click Security Settings, and then click Public Key Policies.

      1. In the details pane, double-click Certificate Services Client - Certificate Enrollment Policy.

      2. Set Configuration Model to Enabled, and then click Add.

      3. In the Certificate Enrollment Policy Server dialog box, under Enter enrollment policy server URI, enter the URI that you copied in the previous procedure.

      4. In Authentication type, select the authentication type that you configured for the Certificate Enrollment Policy Web Service instance.

      5. Click Validate Server, and when the server is validated, click Add. Click OK.

        Note


        Validate Server connects to the service using the authentication type you selected, so it succeeds only if you have the appropriate credentials. This can be a problem if you selected client certificate authentication and the user does not already have a certificate. In that case, first obtain a user certificate that includes an enhanced key usage (EKU) of Client Authentication with object ID (OID) 1.3.6.1.5.5.7.3.2.

    9. Close the Group Policy Management Editor and the Group Policy Management Console.
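The following is an added example, not from the original article, that does from a Windows 8 or Windows Server 2012 client what the Validate Server button and the administrator's "custom certificate request" check described earlier do: it registers the policy server locally with the PKI module, confirms the Group Policy setting from the procedure above has been applied, and performs a test enrollment. The URI, the authentication type and the template name User are assumptions. Add-CertificateEnrollmentPolicyServer writes local client configuration, not Group Policy, so it is a validation step, not a substitute for the GPO.

```powershell
# Added example (not from the original article): validate a CEP instance from a client and
# confirm that the Group Policy setting reached it. Uses the PKI module cmdlets available on
# Windows 8 / Windows Server 2012 and later. $cepUri, $authType and the template name are
# assumptions; use the URI copied from the application's URI setting.
Import-Module PKI

$cepUri   = 'https://cep.corp.contoso.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP'  # assumed value
$authType = 'Kerberos'   # 'Kerberos', 'UserName' or 'Certificate', matching the instance

# 1. Pick the credential the instance expects. Kerberos needs none; UserName prompts for an
#    account; Certificate needs a cert with the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2),
#    which is exactly the condition the article's Validate Server note describes.
$credential = switch ($authType) {
    'Kerberos'    { $null }
    'UserName'    { Get-Credential -Message 'Account the CEP instance should accept' }
    'Certificate' {
        $c = Get-ChildItem Cert:\CurrentUser\My |
            Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
        if (-not $c) { throw 'No Client Authentication certificate in CurrentUser\My; enroll one first.' }
        $c
    }
}

# 2. Register the server in the local (user) policy-server list and let the cmdlet contact it.
#    This fails if the HTTPS certificate is untrusted or does not match the URI host, if the URI
#    is wrong, or if the authentication type does not match the instance.
$addParams = @{ Url = $cepUri; context = 'User'; RequireStrongValidation = $true }
if ($credential) { $addParams.Credential = $credential }
Add-CertificateEnrollmentPolicyServer @addParams

# 3. Compare what this client has configured locally with what Group Policy applied. The GPO
#    entry from the procedure above should appear under -Scope Applied once policy has refreshed.
'--- Configured locally ---'
Get-CertificateEnrollmentPolicyServer -Scope Configured -context User | Format-List
'--- Applied through Group Policy ---'
Get-CertificateEnrollmentPolicyServer -Scope Applied -context User | Format-List

# 4. Perform a custom enrollment through the policy server. An issued or pending result proves
#    that CEP, the matching Certificate Enrollment Web Service and the CA are all reachable.
$enrollParams = @{ Url = $cepUri; Template = 'User'; CertStoreLocation = 'Cert:\CurrentUser\My' }
if ($credential) { $enrollParams.Credential = $credential }
Get-Certificate @enrollParams
```

Run the same checks with -context Machine from an elevated session to cover the Computer Configuration half of the GPO; if the Applied list is empty after gpupdate, the problem is in GPO linking or scope, not in the web service.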

    See also

    • Certificate Enrollment Web Service Guidance
    • Windows Server Security Forum
    • Active Directory Certificate Services (AD CS) Public Key Infrastructure (PKI) Frequently Asked Questions (FAQ)
    • Windows PKI Documentation Reference and Library
    • Windows PKI Blog
