AD CS: Web Enrollment
Updated: April 7, 2010
Applies To: Windows Server 2008
A number of changes have been made to certificate Web enrollment support in the Windows Server® 2008 operating system. These changes result from the replacement of the previous ActiveX® enrollment control in Windows Vista® and Windows Server 2008 with a new enrollment control. The following sections describe these changes and their implications.
Certificate Web enrollment has been available since its inclusion in Windows® 2000 operating systems. It is designed to provide an enrollment mechanism for organizations that need to issue and renew certificates for users and computers that are not joined to the domain or not connected directly to the network, and for users of non-Microsoft operating systems. Instead of relying on the autoenrollment mechanism of a certification authority (CA) or using the Certificate Request Wizard, the Web enrollment support provided by a Windows-based CA allows these users to request and obtain new and renewed certificates over an Internet or intranet connection.
This feature applies to organizations that have public key infrastructures (PKIs) with one or more CAs running Windows Server 2008 and clients running Windows Vista and that want to provide users with the ability to obtain new certificates or renew existing certificates by using Web pages.
Adding support for Web enrollment pages can significantly enhance the flexibility and scalability of an organization's PKI; therefore, this feature should interest PKI architects, planners, and administrators.
The previous enrollment control, XEnroll.dll, has been replaced in Windows Vista and Windows Server 2008 with a new enrollment control, CertEnroll.dll. Although the Web enrollment process takes place essentially as it has for Windows 2000, Windows XP, and Windows Server 2003, this change in enrollment controls can impact compatibility when users or computers running Windows Vista or Windows Server 2008 attempt to request a certificate by using Web enrollment pages installed on those earlier versions of Windows.
XEnroll.dll is being retired for the following reasons:
XEnroll.dll is a legacy control that was written years ago and is not considered as secure as controls written more recently.
XEnroll.dll has one monolithic interface that exposes various sets of functionality. It has more than 100 methods and properties. These methods and properties were added over the years, and calling one function can change the behavior of another function, which makes it very difficult to test and maintain.
In contrast, CertEnroll.dll was created to be more secure, easier to script, and easier to update than XEnroll.dll.
|XEnroll.dll can continue to be used for Web enrollment on computers running Windows 2000, Windows XP, and Windows Server 2003.|
Windows Server 2008–based CAs will continue to support certificate Web enrollment requests from users on Windows XP and Windows Server 2003 client computers. If you are enrolling certificates through the Windows Server 2008 Web enrollment pages from a computer running Windows XP, Windows Server 2003, or Windows 2000, the Web enrollment pages will detect this and use the Xenroll.dll that was installed locally on the client computer. However, the following client behaviors will be different from those in earlier versions of Windows:
The enrollment agent capability (also referred to as the smart card enrollment station) was removed from Web enrollment in Windows Server 2008 because Windows Vista provides its own enrollment agent capability. If you need to perform enrollment on behalf of another client with a Windows Server 2008 Web enrollment, you should use computers running Windows Vista as enrollment stations. Alternatively, you can use a Windows Server 2003–based server with Web enrollment installed and use that server as an enrollment agent to enroll certificates through a Windows Server 2008–based CA.
Only users of Internet Explorer version 6.x or Netscape 8.1 Browser can submit certificate requests directly through the Web enrollment pages. Users of other Web browsers can still submit enrollment requests by using the Web enrollment pages, but they must first create a PKCS #10 request before submitting it through the Web enrollment pages.
Certificate Web enrollment cannot be used with version 3 certificate templates (which are being introduced in Windows Server 2008 to support the issuance of Suite B-compliant certificates).
Internet Explorer cannot run in the local computer's security context; therefore, users can no longer request computer certificates by using Web enrollment.
To configure a server for certificate Web enrollment support, the Certification Authority Web Enrollment role service needs to be added to the server role. If the Web enrollment support is installed on the same computer as the CA, no additional configuration steps are required. If the Web enrollment role service and the CA are installed on different computers, the CA needs to be identified as part of the Web enrollment installation. After the Web enrollment role service is installed, a new Web site named "CertSrv" is available through Internet Information Services (IIS).
Non-Microsoft Web enrollment pages will be heavily impacted because XEnroll.dll is not available on Windows Server 2008 or Windows Vista. Administrators of these CAs will have to create alternate solutions to support certificate issuance and renewal for client computers that use Windows Server 2008 and Windows Vista, while continuing to use Xenroll.dll for earlier versions of Windows.
Administrators also need to plan the appropriate configuration of their servers running IIS. IIS can only run in either 64-bit mode or 32-bit mode. If you install IIS on a server running the 64-bit version of Windows Server 2008, you must not install any 32-bit Web applications, such as Windows Server Update Services (WSUS), on that computer. Otherwise, the Web enrollment role service installation fails.