Setting Up Certificate Enrollment Web Services
Applies To: Windows Server 2008 R2
Use Server Manager to install and configure the certificate enrollment Web services, which include the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service. See "Additional references" for installation and configuration procedures.
Tip
Updated information for this topic appears on the TechNet Wiki in the article Certificate Enrollment Web Services in Active Directory Certificate Services.
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
A host computer that is a domain member and is running Windows Server 2008 R2.
An Active Directory forest with a Windows Server 2008 R2 schema. See Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=93242).
An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must be running Windows Server 2008 R2 or Windows Server 2008.
For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter. See Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries.
Client computers running Windows 7 or Windows Server 2008 R2.
A Server Authentication certificate installed for HTTPS.
During installation of certificate enrollment Web services, the following server roles and features will be installed if they are not already installed:
Web Server (IIS)
Microsoft .NET Framework version 3.5
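As an added example (not part of the original Microsoft topic), the following PowerShell script checks the host-side items from the installation requirements above: domain membership, the operating system version, and a usable Server Authentication certificate. It assumes the HTTPS certificate is in the Cert:\LocalMachine\My store and counts only certificates that list the Server Authentication enhanced key usage explicitly; the function names are hypothetical.

```powershell
# Added example: preflight check for the host-side installation requirements.
# Written for Windows PowerShell 2.0, the version included with Windows Server 2008 R2.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication enhanced key usage

function Test-ServerAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $now = Get-Date
    # HTTPS needs the private key and a certificate inside its validity period.
    if (-not $Certificate.HasPrivateKey) { return $false }
    if ($Certificate.NotBefore -gt $now -or $Certificate.NotAfter -lt $now) { return $false }

    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    # Assumption: certificates without an explicit Server Authentication EKU are not counted.
    return $false
}

function New-CheckResult {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Passed = $Passed; Detail = $Detail } |
        Select-Object Check, Passed, Detail
}

$cs = Get-WmiObject -Class Win32_ComputerSystem
$os = Get-WmiObject -Class Win32_OperatingSystem

# Windows Server 2008 R2 reports version 6.1.x; ProductType 1 is a workstation (Windows 7).
$isServer2008R2 = ($os.Version -like '6.1.*') -and ($os.ProductType -ne 1)

$candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { Test-ServerAuthCertificate -Certificate $_ })
$thumbprints = ($candidates | ForEach-Object { $_.Thumbprint }) -join ', '

$results = @(
    (New-CheckResult 'Domain member' ([bool]$cs.PartOfDomain) $cs.Domain),
    (New-CheckResult 'Windows Server 2008 R2' $isServer2008R2 $os.Caption),
    (New-CheckResult 'Server Authentication certificate' ($candidates.Count -gt 0) $thumbprints)
)
$results | Format-Table -AutoSize
```

A certificate that passes this check still has to be bound to the HTTPS site in IIS, and its subject name has to match the host name that clients use in the enrollment URL.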
Installation options
The following installation options are available for the certificate enrollment Web services:
The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service should be installed on different computers.
The CA can be installed on the same computer as the Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service.
The Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service can be installed on the same computer as these other Web-based AD CS role services:
CA Web Enrollment
Network Device Enrollment Service
Online Responder
The Certificate Enrollment Policy Web Service can be installed on multiple computers in an enterprise; however, only a single instance of this service can be installed on each computer.
Multiple instances of the Certificate Enrollment Web Service can be installed on a single computer in order to support multiple CAs.
The certificate enrollment Web services are not supported on the Server Core installation option of Windows Server 2008 R2.
Authentication options
The following authentication options are available for the certificate enrollment Web services:
Windows integrated authentication
User name and password
Client certificate
Additional references
Configuring Server Certificates for Certificate Enrollment Web Services
Configuring Group Policy to Support the Certificate Enrollment Policy Web Service
Configuring Delegation Settings for the Certificate Enrollment Web Service Account
Configuring the Certificate Enrollment Web Service for Renewal Only Mode
Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries
Advanced Configuration Options for the Certificate Enrollment Web Services
Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkID=93242)