Certificate Enrollment Policy Web Service Overview

Applies To: Windows Server 2008 R2

The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.

The Certificate Enrollment Policy Web Service uses the HTTPS protocol to communicate certificate policy information to network client computers. The Web service uses the LDAP protocol to retrieve certificate policy from Active Directory Domain Services (AD DS) and caches the policy information to service client requests. In previous versions of AD CS, certificate policy information could be accessed only by domain client computers using the LDAP protocol. This limited policy-based certificate issuance to the trust boundaries established by AD DS forests.

Publishing enrollment policy over HTTPS enables the following new deployment scenarios:

  • Certificate enrollment across forest boundaries to reduce the number of certification authorities (CAs) in an enterprise.

  • Extranet deployment to issue certificates to mobile workers and business partners.

Additional references