Certificate services - request client certificates on behalf of another user?
As there does not appear to be a dedicated Certificate Services forum, I will have to ask here.

We need to be able to generate and distribute client certificates to around 100 customers, as they will use them for client authentication when they connect to our systems over the Internet for B2B transactions. We will give each of these 100 customers an account in our AD. The certificates will be used in FTP and BizTalk communication. We have an internal 2008 R2 Enterprise Root CA, and I have created a subordinate CA for the sole purpose of generating client certificates.

Unfortunately the 2008 R2 web server has a little problem in that the default page is not displayed, so I have to go directly to https://servername/certsrv/en-us/default.asp - this gives me the certificate request pages. I tried reinstalling multiple times, but the default document error is not a problem, as only administrators will be going to this site. The site works, and when a client certificate is requested and issued, it is reflected in the AD account for the user and is installed into IE.

But I need to be able to request certificates for these external customers, and then export the certificates (and securely transmit them to the customers). The bit we are having problems with is: how do we generate client certificates for user accounts without having to log in as that user? Our security is set up to prevent these accounts from logging in to our systems, but we still need to generate the certificates for them, and then export the certificates. How can we request certificates for a user without being that user and logging on to the page https://servername/certsrv/en-us/default.asp from a machine logged in as that user? This may just be a matter of configuring IIS correctly to prompt for a username and password, but it's not working as expected. Any ideas?
July 31st, 2011 11:01pm

Enroll On Behalf Of functionality is removed from Web Enrollment pages and moved to the Certificates MMC snap-in: http://technet.microsoft.com/en-us/library/cc770802.aspx

My weblog: http://en-us.sysadmins.lv | PowerShell PKI Module: http://pspki.codeplex.com | Windows PKI reference: on TechNet wiki
August 1st, 2011 1:28am

I found the solution for my web server not loading the page when I visit https://servername/certsrv, and this has been fixed: http://www.networksteve.com/forum/topic.php?TopicId=2971 It was because I created a subordinate authority and the website was not correctly created. I needed to go into Basic Settings for CertSrv and add EN-US to the physical path.
August 1st, 2011 1:37am

Hi, thank you for the feedback on how you were successful in resolving this issue. This solution will benefit many other users who access this forum. If you have more questions in the future, you're welcome to post in this forum. Have a nice day! Regards, Bruce
August 2nd, 2011 4:29am

If you liked that, how about the whole solution.

Step 1 – create your own “Enrolment Agent Certificate” (details from http://support.microsoft.com/kb/257480)
1. Log on to the domain and open the Certificates snap-in within MMC, in the context of “My User Account”.
2. Open the Personal folder, right-click in the right-hand pane, and then click All Tasks.
3. Click Request New Certificate.
4. Complete the Certificate Request Wizard and request an enrollment agent certificate.
This creates a certificate which permits you to progress to the next stage.

Step 2a – request certificates on behalf of another user (details from http://technet.microsoft.com/en-us/library/cc770802.aspx)
To enroll for a certificate on behalf of other users:
1. Open the Certificates snap-in for the above selected user.
2. In the console tree, expand the Personal store, and then click Certificates.
3. On the Action menu, point to All Tasks, point to Advanced Operations, and then click Enroll on behalf of to open the Certificate Enrolment wizard. Click Next.
4. Browse to the Enrolment Agent certificate that you will use to sign the certificate request that you are processing. Click Next.

Step 2b – continued
5. Select the “User” type of certificate and press “Details”, then “Properties”.
6. On the “Certification Authority” tab, select only the Certification Authority that you want.
7. Select the user for whom you want to create the certificate (ensure you select the location as your domain).

Step 3 – export the certificate
8. When the certificate has been successfully exported, choose “Details”, then press “View Certificate”.
9. On the “Details” tab, press “Copy to file”. Then select “Yes, export the private key”. Note that this is the ONLY stage where you can export the private key; failing to export it at this stage will require that the whole certificate is revoked and re-issued.
10. Select “Include all certificates in the certification path if possible”, “Delete the private key if the export is successful” and “Export all extended properties”.
11. Enter a password for this certificate export – password complexity is not constrained but is recommended.
12. Save to a file.
13. Proceed to the next user.

Step 4 – verify Active Directory status of user certificate
1. Open Active Directory Users and Computers.
2. Locate the user.
3. View the “Published Certificates” tab, and verify that a certificate is listed, with the “Intended Purposes” including “Client Authentication”.

If this has been helpful, please press "Mark as Answer".
August 2nd, 2011 8:00pm
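Step 4 above verifies one account at a time in the GUI. As an added example (not from the original posts or from the PSPKI module), the following PowerShell does the same check in bulk for the ~100 customer accounts: it reads each user's published userCertificate attribute from AD and reports whether a certificate exists that carries the Client Authentication EKU, is unexpired, and was issued by the intended subordinate CA. It assumes the ActiveDirectory RSAT module is installed; the CA name and account list are placeholders.

```powershell
# Added example: bulk version of "Step 4 - verify Active Directory status of user certificate".
# Assumes the ActiveDirectory module (RSAT). $ExpectedIssuerCN and $Accounts are placeholders.
Import-Module ActiveDirectory

$ExpectedIssuerCN = 'CN=YOUR-SUB-CA-NAME'          # placeholder: subject CN of the subordinate CA
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'            # id-kp-clientAuth ("Client Authentication")
$Accounts         = @('customer001', 'customer002') # placeholder sAMAccountNames of B2B accounts

function Test-PublishedClientCert {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # userCertificate holds the DER-encoded certificates shown on the "Published Certificates" tab.
    $user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
    if (-not $user.userCertificate) {
        return [pscustomobject]@{ User = $SamAccountName; Subject = $null; Issuer = $null
                                  Thumbprint = $null; NotAfter = $null; ClientAuth = $false
                                  IssuerOk = $false; Valid = $false; Note = 'no published certificate' }
    }

    foreach ($raw in $user.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # The EKU extension (OID 2.5.29.37) is what the GUI displays as "Intended Purposes".
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasClientAuth = $false
        if ($eku) {
            $hasClientAuth = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }).Count -gt 0
        }
        $issuerOk = $cert.Issuer -like "*$ExpectedIssuerCN*"
        $unexpired = $cert.NotAfter -gt (Get-Date)

        [pscustomobject]@{
            User       = $SamAccountName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            ClientAuth = $hasClientAuth
            IssuerOk   = $issuerOk
            Valid      = $hasClientAuth -and $issuerOk -and $unexpired
            Note       = if ($unexpired) { '' } else { 'expired' }
        }
    }
}

# Report every account; accounts with no Valid=True row still need a certificate (or a re-issue).
$report = $Accounts | ForEach-Object { Test-PublishedClientCert -SamAccountName $_ }
$report | Format-Table User, Subject, NotAfter, ClientAuth, IssuerOk, Valid, Note -AutoSize
$report | Where-Object { -not $_.Valid } | Select-Object -ExpandProperty User -Unique
```

A certificate that is listed in AD but fails the IssuerOk check was published by a CA other than the dedicated subordinate, which is worth investigating before it is relied on for FTP or BizTalk client authentication.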

