MORE INFORMATION

Note The Server 2008 Certificate Web Enrollment pages are available as a hotfix. These files support certificate Web enrollment from Server 2008 clients and from Vista clients (Certenroll). These files also support certificate Web enrollment from Windows XP clients and from Server 2003 clients (Xenroll). To install these pages, download the hotfix and then follow the instructions that are provided later in this article. For more information, visit the following Microsoft TechNet Web site:

Certificate Services is available on computers that are running the following operating systems:

• Microsoft Windows Server 2003, Standard Edition
• Microsoft Windows Server 2003, Enterprise Edition
• Microsoft Windows Server 2003, Datacenter Edition
• Microsoft Windows Server Code Name "Longhorn"

Certificate Services provides customizable services to issue and to manage certificates for use with software security systems that use public key technology. Windows Certificate Services includes a set of certification authority (CA) Web pages. These Web pages provide a simple user interface to perform many of the common user tasks in the certification authority. These Web enrollment pages let you use a Web browser to connect to the certification authority. You can use the Web browser to perform common tasks, such as requesting a certificate, requesting the certification authority certificate, submitting a certificate request by using a PKCS #10 file, and so on.

Certificate enrollment Web pages are especially helpful in a scenario where the client computer cannot connect to the certification authority directly. You may experience this scenario in an environment where the client computer is not a member of the domain or where the certification authority is located in a different Active Directory directory service forest.

The certificate enrollment Web pages are included as an optional component in the original release version of Windows Server 2003, in Windows Server 2003 Service Pack 1 (SP1), and in Windows Server 2003 Service Pack 2 (SP2). These Web pages include a script that is based on the Xenroll ActiveX control. When you visit the certificate enrollment Web site, the client computer automatically downloads and installs the correct version of Xenroll if the correct version of Xenroll is not already installed.

Windows Vista does not use Xenroll. Instead, Windows Vista uses a set of dual interface Component Object Model (COM) objects. This set of COM objects is known as CertEnroll. Xenroll is disabled in Windows Vista. Therefore, if you try to manually install Xenroll, the installation is unsuccessful.

Windows Server "Longhorn" includes updated sample Web pages for Web-based certificate enrollment operations. These Web pages are updated to work together with the CertEnroll component in Windows Vista. Additionally, these Web pages work together with Xenroll.

Windows Server "Longhorn" certificate enrollment Web pages

Windows Server Code Name "Longhorn" includes updated sample Web pages for Web-based certificate enrollment operations. These Web pages are updated to work together with the CertEnroll component in Windows Vista. Additionally, these Web pages work together with Xenroll.

The certificate enrollment Web pages in Windows Server "Longhorn" are designed to detect the client operating system and to then use the appropriate control. If the client computer is running Windows Server 2003 or Microsoft Windows XP, the certificate enrollment Web pages use Xenroll. If the client computer is running Windows Vista or Windows Server "Longhorn," the certificate enrollment Web pages use CertEnroll.

Note The Windows Vista certificate enrollment client component has been enhanced over that of earlier versions of Windows. Some of the functionality that was formerly accessed by using Web pages is now included in the client component. Therefore, this functionality has been removed from the updated certificate enrollment Web pages. Functionality that has been removed includes the following:

• The Enroll on Behalf of operation
  

An enrollment agent uses this feature to enroll for a certificate on behalf of another user.

• Computer certificate enrollment
  

Administrative rights are required to request a computer certificate. In Windows Vista, Microsoft Internet Explorer does not use administrative rights to run. Therefore, the option to store a computer certificate in the computer store was removed from the Windows Server "Longhorn" certificate enrollment pages.

• The Xenroll .cab file
  

If a client computer has an earlier version of Xenroll installed, the client is not prompted to upgrade to the latest version of Xenroll.

• The whole range of locales for the Web pages
  

Certain localized versions of the certificate enrollment Web pages may not be available until Windows Server "Longhorn" is released.

Windows Server 2003 and Windows Server 2003 SP1 certificate enrollment Web pages

Windows Server 2003 and Windows Server 2003 SP1 certificate enrollment Web pages do not contain code to detect the certificate enrollment changes in Windows Vista. Therefore, these Web pages always try to use Xenroll. Therefore, when you try to perform a Web-based certificate enrollment operation from Windows Vista, the certificate enrollment operation is unsuccessful.

In this scenario, you receive the following message in the Web browser window:

Windows Server 2003 SP2 certificate enrollment Web pages

Windows Server 2003 SP2 certificate enrollment Web pages have been updated to detect the certificate enrollment changes in Windows Vista. However, because of the different release dates for Windows Server 2003 SP2, for Windows Vista, and for Windows Server "Longhorn," Windows Server 2003 SP2 certificate enrollment Web pages do not recognize the CertEnroll interfaces. Therefore, if you visit the certificate enrollment Web site by using a computer that is running Windows Vista, you receive a message that states that the Web pages must be updated.

Interoperability table

The following table illustrates the interoperability between the various versions of the certificate enrollment Web pages and the various Windows-based client computers.

To enable Windows Server 2003, Windows Server 2003 SP1, and Windows Server 2003 SP2 certificate enrollment Web pages that support Windows Vista-based client computers, you must update the certificate enrollment Web pages. You can use the Windows Server "Longhorn" Beta 3 Web pages or a later version to update the Windows Server 2003-based Web pages. You must consider the following limitations when you install the certificate enrollment Web pages from Windows Server "Longhorn."

• The Windows Server 2003-based Web pages cannot be located on the same Web server as the Windows Server "Longhorn" Web pages.
• If you must have both sets of Web pages, we recommend that you install the Windows Server "Longhorn" Web pages on the computer where the certification authority is installed. In this situation, install the Windows Server 2003-based Web pages on a Web proxy computer. For more information about how to do this, visit the following Microsoft Web site:

  http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

To install the Windows Server "Longhorn" certificate enrollment Web pages, follow these steps:

1. On the computer where the certification authority is installed, install the Windows Server 2003-based certificate enrollment Web pages.
2. Remove all files and folders except for the following from the %systemroot%\System32\Certsrv folder:
   • The Certdat.inc file
   • The Certenroll folder

   Important We recommend that you back up all the files in the Certsrv folder before you remove them.
   
   

   Note You must restart the server in safe mode to remove the CertControl directory. After you remove the CertControl directory, restart the server in normal mode, and then go to step 3.
3. Copy the contents of the CertSrv\EN-US folder that is on the computer that is running Windows Server "Longhorn" to the %systemroot%\System32\Certsrv folder on the computer that is running Windows Server 2003.
   
   Note Do not replace the Windows Server 2003-based Certdat.inc file with the Windows Server "Longhorn" version of this file. By default, the Windows Server "Longhorn" Certdat.inc file is not located in the EN-US folder.
4. On the computer that is running Windows Server 2003, open the Certdat.inc file by using a text editor such as Notepad.

5. Remove the following four entries from the end of this file.

               ' control versions
               sXEnrollVersion="5,131,3686,0"
               sScrdEnrlVersion="5,131,3790,1206"
               sScrdW2KVersion="5,131,2195,5583"

   The modified file resembles the following.

   <%' CODEPAGE=65001 'UTF-8%>
   <%' certdat.inc - (CERT)srv web - global (DAT)a
     ' Copyright (C) Microsoft Corporation, 1998 - 1999 %>
   <%
               ' default values for the certificate request
               sDefaultCompany=""
               sDefaultOrgUnit=""
               sDefaultLocality=""
               sDefaultState=""
               sDefaultCountry=""
               
               ' global state
               sServerType="Enterprise" 'vs StandAlone
               sServerConfig="machinename.domainname.com\test"
               sServerDisplayName="test"
               nPendingTimeoutDays=10
   %>

   Save the changes to the file, and then exit Notepad.

6. Open each file in the Certsrv folder, and then locate the following entry.

   <!-- #include FILE="..\certdat.inc"-->

   Replace this entry with the following entry.

   <!-- #include FILE="certdat.inc"-->

   Note Make sure that you open and check all the files, and that you do not open and check only the ASP pages. In particular, you must open and check the following files:

   • Certcrl.crl
   • Certnew.p7b
   • Certnew.cer
7. On a computer that is running Windows Server 2003, open the Certsgcl.inc file by using a text editor such as Notepad. Make the following change in the WriteTemplateList() and IsUserTemplateAvailable() functions.
   
   Locate the following LH WebEnrlServer object line:

   Set WebEnrlServer=Server.CreateObject("WebEnrlServer.WebEnrlServer.1")

   Replace this entry with the following entry to use the Windows Server 2003 SP1 Scrdenrl.dll object:

   Set WebEnrlServer=Server.CreateObject("SCrdEnr.SCrdEnr.1")

8. Modify the certificate enrollment Web site to require Secure Sockets Layer (SSL).
   
   Note For a Windows Vista-based client computer or for a Windows Server "Longhorn"-based client computer to use Windows Server "Longhorn" certificate enrollment Web pages, the Web site must use the HTTPS transport. Therefore, you must modify the certificate enrollment Web site to require SSL.