Certification Authority Web Enrollment Guidance

 

Applies To: Windows Server 2012 R2, Windows Server 2012

The Certification Authority (CA) Web Enrollment role service provides a set of web pages that allow interaction with the Certification Authority role service. These web pages are located at https://<servername>/certsrv, where <servername> is the name of the server that hosts the CA Web Enrollment pages. The certsrv portion of the URL should always be in lowercase letters; otherwise, users may have trouble checking and retrieving pending certificates.

Note


The CA Web Enrollment role service pages require that you secure them with Secure Sockets Layer (SSL)/Transport Layer Security (TLS). If you do not, you will see the error: "In order to complete the certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication." To resolve this issue, you must configure HTTPS authentication, which is discussed in the TechNet Wiki article: Active Directory Certificate Services (AD CS): Error: "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication".
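The following is an added example, not part of the original article, showing how an administrator would enforce the HTTPS requirement described in the note on the /certsrv application and then check that plain HTTP no longer serves the pages. Enforcing SSL here also removes the unencrypted endpoint on which the Windows-authenticated enrollment pages would otherwise accept credentials. The IIS site name "Default Web Site", the host name webenroll01.contoso.com and the certificate thumbprint are assumptions; the server-authentication certificate is assumed to be already installed in the machine store.

```powershell
# Added example (not from the original article): require SSL on /certsrv and verify.
# Assumptions: site "Default Web Site", application "/certsrv", host name
# webenroll01.contoso.com, and a server certificate with thumbprint $thumb
# already present in Cert:\LocalMachine\My. Run elevated on the enrollment server.
Import-Module WebAdministration

$site  = 'Default Web Site'
$thumb = 'PASTE-THE-THUMBPRINT-OF-THE-SERVER-CERTIFICATE'   # assumption
$fqdn  = 'webenroll01.contoso.com'                           # assumption

# 1. Add an HTTPS binding on 443 if the site does not already have one.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}

# 2. Attach the server certificate to the HTTPS listener via the IIS: drive.
$cert        = Get-Item "Cert:\LocalMachine\My\$thumb"
$bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $bindingPath)) {
    $cert | New-Item $bindingPath | Out-Null
}

# 3. Require SSL for /certsrv only; the rest of the site keeps its settings.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$site/certsrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Verify: sslFlags must read "Ssl", an HTTP request must be refused (403.4)
#    and an HTTPS request must reach the pages.
$access = Get-WebConfiguration -PSPath 'IIS:\' -Location "$site/certsrv" `
    -Filter 'system.webServer/security/access'
"sslFlags on /certsrv: $($access.sslFlags)"

try {
    Invoke-WebRequest -Uri "http://$fqdn/certsrv/" -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning 'Plain HTTP still serves /certsrv; SSL is not being enforced.'
} catch {
    "HTTP rejected as expected: $($_.Exception.Message)"
}
(Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing).StatusCode
```

The last request is expected to return 200 once the binding and the SSL flag are in place; if the certificate used for the binding is not issued to the name in $fqdn, the HTTPS check fails on a name mismatch rather than on the enrollment pages themselves, which is worth distinguishing before touching the IIS configuration again.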

The CA Web Enrollment role service pages allow you to connect to the CA by using a web browser and performing common tasks, such as:

  • Requesting certificates from the CA.

  • Requesting the CA's certificate.

  • Submitting a certificate request by using a PKCS #10 file.

  • Retrieving the CA's certificate revocation list (CRL).

CA Web Enrollment is useful when you interact with a stand-alone CA because the Certificates Microsoft Management Console (MMC) snap-in cannot be used to interact with a stand-alone CA. Enterprise CAs can accept certificate requests through the Certificates snap-in or the CA Web Enrollment role service pages.

Starting in Windows Server® 2008, the CA Web Enrollment role service includes updated sample web pages for web-based certificate enrollment operations. These web pages are updated to work together with the CertEnroll component (available starting with Windows Vista). These web pages also work together with Xenroll.

The certificate enrollment web pages, starting in Windows Server 2008, detect the client operating system and then select the appropriate control:

  • If a client computer is running Windows Server 2003 or Windows XP, the certificate enrollment web pages use Xenroll.

  • If the client computer is running at least Windows Vista® or Windows Server 2008, the CA Web Enrollment role service uses CertEnroll.

Important


In Windows® 8, CA Web Enrollment pages will work only with Internet Explorer 10 for the desktop. Starting in Windows Server 2012 R2, client computers that run Windows XP are not supported for web enrollment.

For more information about CertEnroll and Xenroll, see the following:

CA for Web Enrollment

You can install CA Web Enrollment on a server that is not a CA to separate web traffic from the CA. Installing CA Web Enrollment configures the computer as an enrollment registration authority. You must select a CA to be used with the CA Web Enrollment pages. The CA that CA Web Enrollment uses is called the Target CA in the user interface. You can select the target CA by using the CA name or the computer name that is associated with the CA. Click the Select button to locate the CA that you want to use.

Web Enrollment Configuration

If you install the CA Web Enrollment pages on a computer that is not the target CA, the computer account where the CA Web Enrollment pages are installed must be trusted for delegation. See the following resources for more information:
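The separate-server installation and the delegation requirement above, as an added example that is not part of the original article. The enrollment server name WEBENROLL01, the CA configuration string "CA01.contoso.com\contoso-CA01-CA" and the availability of the ActiveDirectory RSAT module are assumptions. The Set-ADComputer step is run from a machine with the AD module as an account allowed to modify the computer object; the two Install-* steps run elevated on the enrollment server itself.

```powershell
# Added example (not from the original article): install CA Web Enrollment on a
# server that is not the CA, bind it to a target CA, and set the delegation the
# article requires. Assumptions: enrollment server WEBENROLL01, target CA
# "CA01.contoso.com\contoso-CA01-CA" (format "<CA host>\<CA name>"), RSAT AD module.
Import-Module ActiveDirectory

$webHost  = 'WEBENROLL01'                       # assumption
$caConfig = 'CA01.contoso.com\contoso-CA01-CA'  # assumption

# 1. The computer account that hosts the pages must be trusted for delegation
#    so it can impersonate the requester when it calls the CA over DCOM.
#    This is unconstrained delegation: the host can obtain tickets for any
#    service on behalf of any user who authenticates to it, so protect it like
#    the CA itself (restrict logon, patching, and local administrators).
Set-ADComputer -Identity $webHost -TrustedForDelegation $true

# 2. On WEBENROLL01: install the role service and point it at the target CA.
#    Reboot (or wait for the machine's Kerberos ticket to refresh) after step 1
#    so the delegation flag is in the computer's ticket before configuring.
Install-WindowsFeature ADCS-Web-Enrollment -IncludeManagementTools
Install-AdcsWebEnrollment -CAConfig $caConfig -Force

# 3. Checks. Confirm the flag on the intended account only, and review the full
#    set of delegation-trusted computers so the new one is not added unnoticed.
Get-ADComputer -Identity $webHost -Properties TrustedForDelegation |
    Select-Object Name, TrustedForDelegation
Get-ADComputer -Filter { TrustedForDelegation -eq $true } |
    Select-Object -ExpandProperty Name
Get-WindowsFeature ADCS-Web-Enrollment | Select-Object Name, InstallState
```

If the organization forbids unconstrained delegation, the same computer object can instead be given constrained delegation to the CA host; the exact service principal names the CA's DCOM interface needs are not stated in this article and should be taken from the CA documentation rather than guessed.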

Tip


If CA Web Enrollment pages installation fails on a migrated CA, it could be that the setup status in the registry is incorrectly set. For more information, see Certification Authority Web Enrollment Configuration Failed 0x80070057 (WIN32: 87)

Use the CA Web Enrollment pages

If you have been granted access permissions, you can perform the following tasks from the CA Web Enrollment pages:

  • Request a basic certificate.

  • Request a certificate with advanced options.

    This gives you greater control over the certificate request. Some of the user-selectable options that are available in an advanced certificate request include:

    • Cryptographic service provider (CSP) options. The name of the cryptographic service provider, the key size (1024, 2048, and so on), the hash algorithm (such as SHA/RSA, SHA/DSA, MD2, or MD5), and the key specification (exchange or signature). MD2 and MD5 are cryptographically broken and 1024-bit RSA keys are below current minimums; choose a SHA-2 hash and a key of at least 2048 bits unless a specific compatibility requirement forces otherwise.

    • Key generation options. Create a new key set or use an existing key set, mark the keys as exportable, enable strong key protection, and use the local computer store to generate the key.

    • Additional options. Save the request to a PKCS #10 file or add specific attributes to the certificate.

  • Check a pending certificate request. If you have submitted a certificate request to a stand-alone certification authority, you need to check the status of the pending request to see if the certification authority has issued the certificate. If the certificate has been issued, it will be available for you to install it.

  • Retrieve the certification authority's certificate to place in your trusted root store or install the entire certificate chain in your certificate store.

  • Retrieve the current base and delta CRLs.

  • Submit a certificate request by using a PKCS #10 file or a PKCS #7 file.

    Note


    In general, you use a PKCS #10 file to submit a request for a new certificate and a PKCS #7 file to submit a request to renew an existing certificate. Submitting requests with files is useful when the certificate requester is unable to submit a request online to the certification authority.

Note


  • You might need to make https://servername a trusted site for Internet Explorer to browse for a file on the computer's hard disk drive. To make https://servername a trusted site, in Internet Explorer, click Tools, then point to Internet Options, point to Security, point to Trusted Sites, and click Sites. Type https://<servername>, and click OK. Replace <servername> with the actual host name of the server to which you want to connect. If you typically use the fully qualified domain name (FQDN) to connect to the server, create your entry by using that instead of or in addition to the host name.

  • If you submit the request, and you immediately get a message that asks if you want to submit the request even though it does not contain a BEGIN or END tag, click OK.

    Request a basic certificate

    To use Internet Explorer to request a basic certificate
    1. In Internet Explorer, connect to https://<servername>/certsrv, where <servername> is the host name of the computer running the CA Web Enrollment role service.

    2. Click Request a certificate.

    3. On Request a Certificate, click User Certificate.

    4. On the User Certificate Identifying Information page, do one of the following:

      • If you see the message "No further identifying information is required. To complete your certificate, press Submit.", continue to the next step.

      • Enter your identifying information for the certificate request.

    5. (Optional) Click More Options to specify the cryptographic service provider (CSP) and choose if you want to enable strong private key protection. (You receive a prompt every time you use the private key that is associated with the certificate.)

    6. Click Submit.

    7. Do one of the following:

      • If you see the Certificate Pending page, the CA administrator will have to approve the request before you can retrieve and install the certificate.

      • If you see the Certificate Issued page, click Install this certificate.

    Request a certificate with advanced options

    To use Internet Explorer to create an advanced certificate request
    1. In Internet Explorer, connect to https://<servername>/certsrv, where <servername> is the host name of the computer running the CA Web Enrollment role service.

    2. Click Request a certificate.

    3. Click Advanced certificate request.

    4. Click Create and submit a certificate request to this CA.

    5. Fill in the requested identifying information and other options that you require.

    6. Click Submit.

    7. Do one of the following:

      • If you see the Certificate Pending page, the CA administrator will have to approve the request before you can retrieve and install the certificate.

      • If you see the Certificate Issued page, click Install this certificate.

    Check a pending certificate request

    To check a pending certificate request using Internet Explorer
    1. In Internet Explorer, open https://<servername>/certsrv, where <servername> is the hostname of the computer running the CA Web Enrollment role service.

    2. Click View the status of a pending certificate request.

    3. If there are no pending certificate requests, you will see a message to that effect. Otherwise, select the certificate request that you want to check, and click Next.

    4. The request is shown in one of the following states:

      • Still pending. You must wait for the administrator of the certification authority to issue the certificate. To remove the certificate request, click Remove.

      • Issued. To install the certificate, click Install this certificate.

      • Denied. Contact the administrator of the certification authority for further information.

    Retrieve the CA certificate

    To retrieve a CA certificate by using Internet Explorer
    1. In Internet Explorer, connect to https://<servername>/certsrv, where <servername> is the name of the computer running the CA Web Enrollment role service.

    2. Click Download a CA certificate, certificate chain, or CRL.

    3. Do one of the following:

      • If you want to trust all the certificates that are issued by this CA, click Install this CA certificate chain.

      • If the CA has been renewed, you have the choice of which version of the CA certificate you want to download.

    4. Select the encoding method that you want to use for the CA certificate: DER or Base 64.

    5. Under CA Certificate, click the CA certificate that you want to download, and then click Download CA certificate or click Download CA certificate chain.

    6. In File Download, click Open this file from its current location, and then click OK.

    7. When the Certificate dialog box appears, click Install this certificate.

    8. In the Certificate Import Wizard, click Automatically select the certificate store based on the type of certificate.

    Retrieve the current base and delta CRLs

    To retrieve a certificate revocation list by using Internet Explorer

    1. In Internet Explorer, connect to https://<servername>/certsrv, where <servername> is the name of the computer running the CA Web Enrollment role service.

    2. Click Download a CA certificate, certificate chain, or CRL.

    3. Click the encoding method that you want to use for the CRL, DER or Base 64.

    4. Do one of the following:

      • Click Download CA certificate.

      • Click Download CA certificate chain.

      • Click Download latest base CRL.

      • Click Download latest delta CRL.

        Note


        The latest base CRL must already be installed for the delta CRL to function.

    5. When the File Download dialog box appears, click Save. Select a folder on your computer to store the .crl file, and then click Save.

    6. Open Windows Explorer and locate the .cer or .crl file you just saved.

    7. Right-click the .cer or .crl file and click Install Certificate or Install CRL, and then click Next.

    8. When the Certificate Import Wizard opens, click Automatically select the certificate store based on the type of certificate.
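The two retrieval procedures above (CA certificate or chain, then base and delta CRLs), carried out from the command line as an added example that is not part of the original article. It adds the check a practitioner wants before clicking "Install this CA certificate chain": comparing the downloaded CA certificate's thumbprint with a value obtained from the PKI owner by some channel other than the web page itself. It also installs the base CRL before the delta, as the note requires. The CA configuration string and the expected thumbprint are assumptions; certutil.exe and an elevated prompt are required.

```powershell
# Added example (not from the original article): fetch CA certificate, chain and
# CRLs with certutil, verify the CA certificate out of band, install in order.
# Assumptions: CA "CA01.contoso.com\contoso-CA01-CA"; $expectedHash obtained from
# the PKI owner through a channel other than the enrollment web page.
$caConfig     = 'CA01.contoso.com\contoso-CA01-CA'     # assumption
$expectedHash = 'PASTE-THUMBPRINT-OBTAINED-OUT-OF-BAND' # assumption
$dir = Join-Path $env:TEMP 'pki'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$caCer = Join-Path $dir 'ca.cer'
$caP7b = Join-Path $dir 'ca.p7b'
$base  = Join-Path $dir 'base.crl'
$delta = Join-Path $dir 'delta.crl'

# 1. Download the CA certificate (DER), its chain (PKCS #7) and both CRLs.
#    For -GetCRL, "0" is the CA certificate index and the literal word "delta"
#    selects the delta CRL instead of the base CRL.
certutil.exe -config $caConfig -ca.cert  $caCer
certutil.exe -config $caConfig -ca.chain $caP7b
certutil.exe -config $caConfig -GetCRL   $base
certutil.exe -config $caConfig -GetCRL   $delta 0 delta

# 2. Verify before trusting. The browser's "Install this CA certificate chain"
#    trusts whatever the web server handed you; compare the thumbprint first.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCer
"Subject: $($ca.Subject)  Thumbprint: $($ca.Thumbprint)  Expires: $($ca.NotAfter)"
if ($ca.Thumbprint -ne $expectedHash.ToUpper()) {
    throw 'CA certificate thumbprint does not match the out-of-band value; not installing.'
}

# 3. Install. A self-signed (root) CA certificate belongs in Root, an issuing
#    CA's certificate in CA. The base CRL goes in before the delta, because a
#    delta CRL (see its "Delta CRL Indicator" extension) lists only changes
#    relative to a specific base CRL number.
$store = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
certutil.exe -addstore $store $caCer
certutil.exe -addstore CA $base
certutil.exe -addstore CA $delta
certutil.exe -dump $delta | Select-String 'Delta CRL Indicator|CRL Number|Next Update'

# 4. DER and Base 64 are the two encodings the web page offers; convert locally
#    when a consumer needs the other form instead of downloading twice.
certutil.exe -encode $caCer (Join-Path $dir 'ca.b64.cer')
```

The -dump output on the delta CRL shows the CRL number of the base it extends; if that number is older than the base CRL you installed, download the delta again, since a delta published before its base was refreshed is stale.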

    Submit a certificate request by using a PKCS #10 file or a PKCS #7 file

    To submit a certificate request by using a PKCS #10 or PKCS #7 file by using Internet Explorer

    1. In Internet Explorer, connect to https://<servername>/certsrv, where <servername> is the name of the computer running the CA Web Enrollment role service.

    2. Click Request a certificate, and then click Advanced certificate request.

    3. Click Submit a certificate request using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    4. In Notepad, click File, click Open, select the PKCS #10 or PKCS #7 file, click Edit, click Select all, click Edit, and then click Copy. On the web page, click the Saved Request scroll box. Click Edit, and then click Paste to paste the contents of the certificate request into the scroll box.

    5. If you are connected to an enterprise CA, choose the certificate template that you want to use (for example, Subordinate Certification Authority when the file is a request for a subordinate CA certificate).

    6. If you have any attributes to add to the certificate request, enter them into Additional Attributes.

    7. Click Submit.

    8. Do one of the following:

      • If you see the Certificate Pending web page, see Check a pending certificate request earlier in this document.

      • If you see the Certificate Issued web page, click Download certificate chain. Choose to save the file to your hard disk drive, and then import the certificate into your certificate store.
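The whole offline flow the page describes, as an added example that is not part of the original article: the advanced-request options (provider, key length, hash algorithm, exportability, machine key store) written into a certreq .inf file, the PKCS #10 request generated and inspected, the request submitted to the CA, the pending case handled by RequestId as in "Check a pending certificate request", and the issued certificate installed against its private key as "Install this certificate" does in the browser. The subject name, the CA configuration string and the WebServer template name are assumptions; certreq.exe and certutil.exe are used in place of the browser.

```powershell
# Added example (not from the original article): PKCS #10 request lifecycle with
# certreq, mirroring the advanced-request, submit, pending and install pages.
# Assumptions: subject web01.contoso.com, enterprise CA
# "CA01.contoso.com\contoso-CA01-CA", template WebServer. Run elevated.
$caConfig = 'CA01.contoso.com\contoso-CA01-CA'   # assumption
$inf = Join-Path $env:TEMP 'web01.inf'
$req = Join-Path $env:TEMP 'web01.req'
$cer = Join-Path $env:TEMP 'web01.cer'

# The .inf carries the same choices the advanced options page exposes:
# provider, key length, hash, exportability and machine (not user) key store.
@"
[NewRequest]
Subject = "CN=web01.contoso.com, O=Contoso, C=US"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
ProviderName = "Microsoft Software Key Storage Provider"
MachineKeySet = TRUE
Exportable = FALSE
KeyUsage = 0xA0
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the base-64 PKCS #10 request file. This file is
#    what you would paste into the "Saved Request" box on the web page.
certreq.exe -new $inf $req

# 2. Inspect before submitting: subject, key size and algorithms should match
#    the .inf, since the CA will sign whatever is in this blob.
certutil.exe -dump $req | Select-String 'Subject:|Public Key Length|Algorithm'

# 3. Submit to the CA (equivalent of clicking Submit on the web page). The
#    output carries the RequestId and whether the certificate was issued or held.
$submit = certreq.exe -submit -config $caConfig $req $cer 2>&1
$submit

# 4. Pending case: the CA administrator issues the request, and the requester
#    retrieves it by RequestId, as on the "View the status of a pending
#    certificate request" page.
if ($submit -match 'Taken Under Submission') {
    $id = ($submit | Select-String 'RequestId:\s*(\d+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -First 1)
    "Request $id is pending. After approval run:"
    "certreq -retrieve -config `"$caConfig`" $id `"$cer`""
}

# 5. Issued case: bind the certificate to the private key created in step 1 and
#    confirm it landed in the machine store with HasPrivateKey = True.
if (Test-Path $cer) {
    certreq.exe -accept $cer
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=web01.contoso.com*' } |
        Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}
```

If HasPrivateKey is False after step 5, the certificate was accepted on a machine other than the one that generated the request, which is the same failure you get in the browser when "Install this certificate" is clicked from a different computer than the one that submitted it.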