Use Server Manager to install and configure the certificate enrollment Web services, which include the Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service. See "Additional references" for installation and configuration procedures.
Installation requirements
Before installing the certificate enrollment Web services, ensure that your environment meets these requirements:
- A host computer as a domain member running Windows Server 2008 R2.
- An Active Directory forest with a Windows Server 2008 R2 schema. See Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242).
- An enterprise certification authority (CA) running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003.
  - If the Certificate Enrollment Web Service is configured for client certificate authentication, the CA must be running Windows Server 2008 R2 or Windows Server 2008.
  - For enrollment across forests, the CA must be installed on a computer running Windows Server 2008 R2 Enterprise or Windows Server 2008 R2 Datacenter. See Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries.
- Client computers running Windows 7 or Windows Server 2008 R2.
- A Server Authentication certificate installed for HTTPS.
During installation of certificate enrollment Web services, the following server roles and features will be installed if they are not already installed:
- Web Server (IIS)
- Microsoft .NET Framework version 3.5
Installation options
The following installation options are available for the certificate enrollment Web services:
- The Certificate Enrollment Web Service and the Certificate Enrollment Policy Web Service should be installed on different computers.
- The CA can be installed on the same computer as the Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service.
- The Certificate Enrollment Web Service or the Certificate Enrollment Policy Web Service can be installed on the same computer as these other Web-based AD CS role services:
  - CA Web Enrollment
  - Network Device Enrollment Service
  - Online Responder
- The Certificate Enrollment Policy Web Service can be installed on multiple computers in an enterprise; however, only a single instance of this service can be installed on each computer.
- Multiple instances of the Certificate Enrollment Web Service can be installed on a single computer in order to support multiple CAs.
- The certificate enrollment Web services are not supported on the Server Core installation option of Windows Server 2008 R2.
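A pre-flight check for the intended host, added here as an example and not taken from Microsoft's documentation: it tests the host-side requirements and the Server Core restriction listed above on the local computer. It assumes PowerShell 2.0 or later; the explorer.exe test for Server Core is a heuristic, and the certificate filter (valid dates, private key, Server Authentication EKU) is this example's own choice.

```powershell
# Added example: host-side pre-flight check before installing the
# certificate enrollment Web services. Run locally on the intended host.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$cs  = Get-WmiObject -Class Win32_ComputerSystem
$now = Get-Date
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Certificates in the computer store that are within their validity period,
# have a private key, and list Server Authentication in an EKU extension.
# A certificate with no EKU extension at all is not counted by this filter.
$httpsCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $serverAuthOid })
})

# Version 6.1 with a server ProductType (2 or 3) is Windows Server 2008 R2;
# ProductType 1 would be Windows 7. Server Core has no explorer.exe (heuristic).
$results = @(
    @{ Check = 'Domain member';               Pass = [bool]$cs.PartOfDomain },
    @{ Check = 'Windows Server 2008 R2';      Pass = ($os.Version -like '6.1.*' -and $os.ProductType -ne 1) },
    @{ Check = 'Not Server Core (heuristic)'; Pass = (Test-Path (Join-Path $env:windir 'explorer.exe')) },
    @{ Check = 'Server Authentication cert';  Pass = ($httpsCerts.Count -gt 0) }
) | ForEach-Object { New-Object PSObject -Property $_ }

$results | Select-Object Check, Pass | Format-Table -AutoSize

# List the candidate HTTPS certificates so the right one can be bound in IIS.
$httpsCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more host requirements are not met.'
}
```

The forest schema, CA version and client requirements are not checked here because they cannot be determined from the host alone.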
Authentication options
The following authentication options are available for the certificate enrollment Web services:
- Windows integrated authentication
- User name and password
- Client certificate
Additional references
- Installing the Certificate Enrollment Web Service
- Installing the Certificate Enrollment Policy Web Service
- Configuring Server Certificates for Certificate Enrollment Web Services
- Configuring Group Policy to Support the Certificate Enrollment Policy Web Service
- Configuring Delegation Settings for the Certificate Enrollment Web Service Account
- Configuring the Certificate Enrollment Web Service for Renewal Only Mode
- Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries
- Advanced Configuration Options for the Certificate Enrollment Web Services
- Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkID=93242)