The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate renewal. In both cases, the client computer submits the request to the Web service and the Web service submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web service account must be trusted for delegation in order to present the client identity to the CA.

The Certificate Enrollment Web Service accepting requests from the Internet presents an increased security risk, and some organizations may choose not to trust the Web service account for delegation. The Certificate Enrollment Web Service can be configured for renewal-only mode to mitigate the risk of accepting requests from the Internet.

In renewal-only mode, the Web service will accept only certificate renewal requests, and requests for new certificates will be rejected. To support renewal-only mode, the CA must be configured to authenticate the client computer by using the signature on the renewal request and the client computer's existing certificate. In this configuration, there is no requirement to trust the Web service account for delegation.

Renewal-only mode has these requirements:

  • Enterprise CA running Windows Server 2008 R2.

  • Client computers running Windows 7 or Windows Server 2008 R2.

  • Client computers requesting certificate renewal must have a certificate that is not expired and can be verified by the issuing CA.

Enterprise Admins is the minimum group membership required to complete this procedure.

To configure the Certificate Enrollment Web Service for renewal-only mode
  1. Open Server Manager.

  2. In the console tree, click Roles.

  3. If Active Directory Certificate Services is displayed on the Roles Summary page, click Add Role Services, and continue to the next step. If it is not displayed, complete the following steps before continuing:

    1. On the Roles Summary page, click Add Roles.

    2. On the Before You Begin page, click Next.

    3. On the Select Server Roles page, click Active Directory Certificate Services, and then click Next.

    4. Review the information on the Introduction to Active Directory Certificate Services page, and then click Next.

  4. On the Select Role Services page, select the Certificate Enrollment Web Service check box.

    Note

    The Certification Authority role service is automatically selected when the AD CS role is added, but it cannot be installed at the same time as the Certificate Enrollment Web Service. If you intend to install both the CA and the Certificate Enrollment Web Service, complete the CA installation first. See Setting Up Active Directory Certificate Services.

  5. Click Add Required Role Services when prompted to install required role services and features, and then click Next.

  6. To specify a CA, click either CA name or Computer name, and then click Browse. Select a CA or type a computer name, and then click OK.

  7. Select the Configure the Certificate Enrollment Web Service for renewal-only mode check box.

  8. On the Select Authentication Type page, click Username and password or Client certificate authentication.

  9. On the Specify Account Credentials page, click either Specify service account or Use built-in application pool identity. To specify a service account, click Select, type a domain account user name and password, and click OK. Click Next.

  10. Select an existing server certificate, click Import to import a certificate file or click Choose and assign a server certificate later, and then click Next. See Configuring Server Certificates for Certificate Enrollment Web Services for details.

  11. On the Introduction to Web Server (IIS) page, click Next.

  12. On the Select Role Services page, review the selected role services, and then click Next.

  13. Review the information on the Confirm Installation Selections page, and then click Install.

  14. Review the Installation Results page for messages. Additional tasks may be required to configure the Certificate Enrollment Web Service before users can submit requests.

Use these commands to configure and restart Active Directory Certificate Services. In this configuration, the CA can also process requests for new certificates.

To configure the CA to support renewal-only mode
  1. On the CA at a command prompt, type certutil –setreg policy\editflags +enablerenewonbehalfof, and press ENTER.

  2. Open the Certification Authority snap-in.

  3. In the console tree, right-click the CA, and then click Properties.

  4. Click the Security tab.

  5. If the Web service account is displayed in Group or user names, verify that the Read permission is selected. If the Web service account is not displayed, complete the following steps:

    1. Click Add.

    2. Type the account name, and click Check Names. If the name is not found, click Object Types, and ensure that the correct account type is selected. Click OK after the correct account name is found.

    3. Select the Read check box, and then click OK.

  6. Type sc stop certsvc, and press ENTER.

  7. Type sc start certsvc, and press ENTER.

Additional references