Install and configure CEP and CES servers for certificate requests from a workgroup on Windows Server 2016 - Windows Server - Tutorials

When you are on a server or a computer inside your company, requests for certificates are possible by communicating with a domain controller (via the LDAP protocol) and with the desired certificate authority via RPC / DCOM.
However, if your computer is not linked to your Active Directory domain (and is therefore in a workgroup) and/or is currently outside your company, it will not have the possibility of requesting a certificate using the usual method.

To solve these problems, you have the option of installing CEP and CES servers to allow these clients to request a certificate from your company's CA using only the HTTPS protocol.
This simplifies things when the client is outside the company and therefore can't use the usual protocols : LDAP and RCP / DCOM.

1. Create certificate template for CEP/CES server

Since the CEP / CES servers will only use the HTTPS protocol, you will need an SSL certificate to secure these.
To do this, on your certification authority, right-click "Manage" on "Certificate Templates".

Next, duplicate the "Web Server" certificate template.

Provide "Web Server v2" as template name (for example).

In the "Request Handling" tab, check the "Allow private key to be exported" box.

In the "Security" tab, click on : Add.

In the selection window that appears, click on : Object Types.

Check the "Computers" box.

Enter the name of your CEP/CES server and click OK.

Grant at least the "Enroll" right to this server so that it can request its certificate later.
Click OK.

Now that the new certificate template is created, don't forget to add it to the list of certificate templates to be issued.

Select the certificate template you just created (in our case : Web Server v2) and click OK.

The new certificate template to be issued appears in the list.

2. Create a user certificate template

For the example, we will issue a certificate to a user from a client computer running Windows 10 that is not part of our Active Directory domain.
However, the certificate template used here is an example and you could use any other certificate template.

On your CA, right-click "Manage" on "Certificate Templates" again.

Duplicate the user certificate template.

Indicate "User v2" as template name (for example).

For example, grant the "Enroll" right to authenticated users.

Warning : if the e-mail address of your users is not entered in their user accounts, you will have to uncheck the boxes concerning the e-mail service.

To do this, in the "Subject Name" tab, uncheck the boxes :

Include e-mail name in subject name
E-mail name

Click OK.

The newly created certificate template appears.

Again, right-click "New -> Certificate Template to Issue" on "Certificate Templates".

Select the newly created certificate template and click OK.

3. Install CEP and CES services

On your future CEP/CES server, install Active Directory Certificate Services.

Select only these role services :

Certificate Enrollment Web Service (CES)
Certificate Enrollment Policy Web Service (CEP)

Since CEP/CES allows clients to obtain certificates (even from outside your company) using only the HTTPS protocol, the IIS web server will obviously be automatically installed on this server.

Click Install.

Wait while Certificate Enrollment Web Services installs.

After the installation is complete, leave the Add Roles and Features Wizard open.