  • 24 November 2023 at 12:09 UTC
  • InformatiWeb

Install and configure CEP and CES servers for certificate requests from a workgroup on Windows Server 2016

A server or computer inside your company requests certificates by communicating with a domain controller (via the LDAP protocol) and with the desired certification authority (via RPC / DCOM).
However, if your computer is not joined to your Active Directory domain (and is therefore in a workgroup) and/or is currently outside your company, it cannot request a certificate using this usual method.

To solve these problems, you can install CEP and CES servers so that these clients can request a certificate from your company's CA using only the HTTPS protocol.
This simplifies things when the client is outside the company and therefore can't use the usual protocols: LDAP and RPC / DCOM.

  1. Create certificate template for CEP/CES server
  2. Create a user certificate template
  3. Install CEP and CES services
  4. Request a certificate for the CEP/CES server
  5. Configure the CEP/CES server
  6. Export CA certificate
  7. Import your CA certificate on the client PC
  8. Configure client PC to use CEP/CES
  9. Request a certificate via the CEP / CES server

1. Create certificate template for CEP/CES server

Since the CEP / CES servers will only use the HTTPS protocol, you will need an SSL certificate to secure them.
To do this, on your certification authority, right-click "Certificate Templates" and click "Manage".

Next, duplicate the "Web Server" certificate template.

Provide "Web Server v2" as template name (for example).

In the "Request Handling" tab, check the "Allow private key to be exported" box.

In the "Security" tab, click "Add".

In the selection window that appears, click "Object Types".

Check the "Computers" box.

Enter the name of your CEP/CES server and click OK.

Grant at least the "Enroll" right to this server so that it can request its certificate later.
Click OK.

Now that the new certificate template is created, don't forget to add it to the list of certificate templates to be issued.

Select the certificate template you just created (in our case: Web Server v2) and click OK.

The new certificate template to be issued appears in the list.

2. Create a user certificate template

For the example, we will issue a certificate to a user from a client computer running Windows 10 that is not part of our Active Directory domain.
However, the certificate template used here is an example and you could use any other certificate template.

On your CA, right-click "Certificate Templates" again and click "Manage".

Duplicate the "User" certificate template.

Enter "User v2" as template name (for example).

For example, grant the "Enroll" right to authenticated users.

Warning: if your users' e-mail addresses are not entered in their user accounts, you will have to uncheck the e-mail-related boxes.

To do this, in the "Subject Name" tab, uncheck the boxes:

  • Include e-mail name in subject name
  • E-mail name

Click OK.

The newly created certificate template appears.

Again, right-click "Certificate Templates" and select "New -> Certificate Template to Issue".

Select the newly created certificate template and click OK.
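
To confirm the settings made in sections 1 and 2, the following added example (not part of the original tutorial) reads both templates from Active Directory and reports the "Allow private key to be exported" flag, the e-mail subject name flags, the principals holding an explicit "Enroll" right, and whether the CA is set to issue the template. Assumptions: it runs on the CA with the ActiveDirectory (RSAT) and ADCSAdministration modules available, and the display names are the ones used above.

```powershell
# Added example. Assumptions: run on the CA; ActiveDirectory and ADCSAdministration
# modules are available; template display names are the ones used in this tutorial.
Import-Module ActiveDirectory

$EXPORTABLE_KEY = 0x00000010   # msPKI-Private-Key-Flag: "Allow private key to be exported"
$SUBJECT_EMAIL  = 0x20000000   # msPKI-Certificate-Name-Flag: "Include e-mail name in subject name"
$SAN_EMAIL      = 0x04000000   # msPKI-Certificate-Name-Flag: "E-mail name"
$enrollRight    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right

$configNC  = (Get-ADRootDSE).configurationNamingContext
$base      = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$published = (Get-CATemplate).Name   # short names of the templates this CA issues

foreach ($displayName in 'Web Server v2', 'User v2') {
    $query = @{
        SearchBase = $base
        Filter     = "displayName -eq '$displayName'"
        Properties = 'msPKI-Private-Key-Flag', 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'
    }
    $t = Get-ADObject @query
    if (-not $t) { Write-Warning "Template '$displayName' not found"; continue }

    # Principals with an explicit Allow ACE for the Enroll right.
    # Full Control / "all extended rights" ACEs also permit enrollment and are not listed here.
    $enrollers = $t.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    $nameFlag = $t.'msPKI-Certificate-Name-Flag'
    [pscustomobject]@{
        Template       = $displayName
        ShortName      = $t.Name
        Published      = $published -contains $t.Name
        ExportableKey  = [bool]($t.'msPKI-Private-Key-Flag' -band $EXPORTABLE_KEY)
        EmailInSubject = [bool]($nameFlag -band $SUBJECT_EMAIL)
        EmailInSAN     = [bool]($nameFlag -band $SAN_EMAIL)
        EnrollAllowed  = $enrollers -join '; '
    }
}
```

With the settings from this tutorial, "Web Server v2" should show `ExportableKey` as True and list the CEP/CES server's computer account under `EnrollAllowed`; "User v2" should list Authenticated Users, and both e-mail flags should be False if you unchecked those boxes.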

3. Install CEP and CES services

On your future CEP/CES server, install Active Directory Certificate Services.

Select only these role services:

  • Certificate Enrollment Web Service (CES)
  • Certificate Enrollment Policy Web Service (CEP)

Because CEP/CES lets clients obtain certificates (even from outside your company) using only the HTTPS protocol, the IIS web server is automatically installed on this server.

Click Install.

Wait while Certificate Enrollment Web Services installs.

After the installation is complete, leave the Add Roles and Features Wizard open.
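
The same role installation can be done from PowerShell. This added example (not part of the original tutorial) installs the two role services by their Windows Server feature names, then checks that no other AD CS role service is present on the server and that IIS was installed as a dependency.

```powershell
# Added example: run in an elevated PowerShell session on the future CEP/CES server.
$roleServices = @(
    'ADCS-Enroll-Web-Svc'   # Certificate Enrollment Web Service (CES)
    'ADCS-Enroll-Web-Pol'   # Certificate Enrollment Policy Web Service (CEP)
)

$result = Install-WindowsFeature -Name $roleServices -IncludeManagementTools
if (-not $result.Success) {
    throw "Role service installation failed (exit code: $($result.ExitCode))"
}
if ($result.RestartNeeded -ne 'No') {
    Write-Warning 'A restart is required before configuring CEP/CES.'
}

# Only CES and CEP should be installed from the AD CS role on this server.
$adcsInstalled = Get-WindowsFeature -Name 'ADCS-*' | Where-Object Installed
$unexpected    = $adcsInstalled | Where-Object { $_.Name -notin $roleServices }
if ($unexpected) {
    Write-Warning "Other AD CS role services are installed: $($unexpected.Name -join ', ')"
}

# IIS is installed as a dependency because both services are reached over HTTPS.
[pscustomobject]@{
    CES = (Get-WindowsFeature -Name 'ADCS-Enroll-Web-Svc').Installed
    CEP = (Get-WindowsFeature -Name 'ADCS-Enroll-Web-Pol').Installed
    IIS = (Get-WindowsFeature -Name 'Web-Server').Installed
}
```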

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
