How to request certificate from a non-domain computer

We are using a Windows Server 2008 R2 Enterprise CA to issue web server certificates (SSL). The CA server is a member of an AD domain and online. Now we want to request certificates from computers like Windows Server 2008 R2 or Linux servers which aren't members of the domain.

How can we request certificates automatically with a script, remotely from these Windows servers for example? Is it possible to use the "Certificate Enrollment Web Service" without the "Certificate Enrollment Policy Web Service"?

Is it possible to use certreq in this scenario?

Thanks for your help.


  • Edited by Ewoki Tuesday, September 27, 2011 3:49 PM
September 27th, 2011 6:34pm

You can use the certreq.exe tool. I think you can use this guide with some edits:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/098f858a-3e89-48d2-828e-274487033f6b

In the INF file, change the line as follows:

Exportable = True

This allows you to export the certificate to a PKCS#12 file and import it on the target boxes.

BTW, you cannot use the Enrollment Web Service without the Policy Service, because a response from CEP is used by CES to obtain all required information and perform enrol

September 27th, 2011 7:18pm

Thanks for your reply. The link is the URL of this thread :-( ... The problem is that we don't have an INF file. The request file will be generated by the "hardware" (HP iLO web server), which is running on an internal chipset on the motherboard.

Therefore we need a solution to submit a pre-created request file.

September 27th, 2011 7:21pm

If you have request files, you can automate certificate submission by scripting the certreq.exe tool. Here is a simple example:

certreq -submit -attrib "certificatetemplate:TemplateCommonName" input.csr output.cer

September 27th, 2011 8:56pm

If I try this command line I get an RPC error. The firewall on the CA server is deactivated. The CA server and the requesting server are not in the same forest/domain. Adding username and password doesn't solve the problem.

What could be the problem?


  • Edited by Ewoki Tuesday, September 27, 2011 8:01 PM
September 27th, 2011 10:58pm

You need to move all requests to a domain computer, because you need to be properly authenticated.
September 28th, 2011 8:39am

Now I have found a solution. I want to describe the way briefly:

Prerequisites:
1. ADCS Enterprise Certification Authority is installed
2. ADCS Certificate Enrollment Web Service is installed on a server
3. ADCS Certificate Enrollment Policy Web Service is installed on another server

Steps to do:
1. Prepare a request file for a certificate

2. On a computer which is not a member of the domain/forest of the CA service: submit the request to the CA and receive the issued certificate. The following command has to be written in one line without line breaks.

  certreq -submit
    -Username {domain}\{username}
    -p {password}
    -PolicyServer "https://{FQDN CertificateEnrollmentPolicyWebService-Server/-Alias}/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
    -config "https://{FQDN CertificateEnrollmentWebService-Server/-Alias}/{CAName}_CES_UsernamePassword/service.svc/CES"
    -attrib "CertificateTemplate:{TemplateName}"
    {Enter Path and Name of the Request-File}
    {Choose Path and Filename for certificate}

   Sample:
   certreq -submit
        -Username contoso\Serviceaccount
        -p P@ssw0rd
        -PolicyServer "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
        -config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
        -attrib "CertificateTemplate:MyOwnSSLTemplate"
        request.req
        sslcert.cer

3. Now you can find a file with your requested certificate locally in the path you have chosen for the certificate file.

I hope this will be helpful for other people enrolling certificates on non-domain member computers.

  • Marked as answer by Ewoki Wednesday, September 28, 2011 9:22 AM
September 28th, 2011 12:22pm
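The accepted answer above submits one request by hand. Below is an added PowerShell example (not from the thread or from Microsoft) that applies the same certreq -submit call over CEP/CES to a whole folder of pre-created .req files, such as CSRs exported from iLO, and then loads each issued .cer to confirm its subject and expiry. The host names, template name, enrollment account and directories are assumptions taken from the sample in the answer; the -q switch is certreq's quiet mode.

```powershell
# Added example (not from the thread): batch-submit pre-created request files
# through CEP/CES with username/password authentication and verify each
# issued certificate. Host names, template and paths are illustrative only.

$PolicyServer = "https://CAPolicyEnroll.contoso.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
$EnrollServer = "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"
$Template     = "MyOwnSSLTemplate"
$RequestDir   = "C:\certreq\pending"   # *.req files waiting for submission
$OutputDir    = "C:\certreq\issued"    # issued *.cer files are written here

# Prompt for the enrollment account rather than hard-coding it in the script;
# certreq itself still only accepts a plaintext -p value.
$cred = Get-Credential -Message "Account allowed to enroll $Template"
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

foreach ($req in Get-ChildItem -Path $RequestDir -Filter *.req) {
    $cer = Join-Path $OutputDir ($req.BaseName + ".cer")

    # Same certreq -submit call as the one-line command in the answer.
    $output = & certreq.exe -submit -q `
        -Username $user -p $pass `
        -PolicyServer $PolicyServer `
        -config $EnrollServer `
        -attrib "CertificateTemplate:$Template" `
        $req.FullName $cer 2>&1

    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cer)) {
        # A pending (manager approval) or denied request leaves no .cer file;
        # keep certreq's own message so the operator can see why.
        Write-Warning "$($req.Name): certreq exit $LASTEXITCODE - $($output -join ' ')"
        continue
    }

    # Load the issued certificate and report the fields worth checking
    # before it is imported on the non-domain box.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cer
    [pscustomobject]@{
        Request    = $req.Name
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}
```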

Hi,

Thanks for your feedback. This solution will benefit others who come to this forum.

Have a nice day!

September 29th, 2011 6:57pm

Hi all,

Is there any sample of code that can be used with CA Policy and Web Services instead of using "certreq" utility?

Thanks,

Ratko


  • Edited by Stibra Monday, February 18, 2013 7:16 PM
February 18th, 2013 10:16pm

-config "https://CAWebEnroll.contoso.com/IssuingCA1_CES_UsernamePassword/service.svc/CES"

This is weird, where exactly did this guy derive this URL from? Usually you have something like https://servername.domain.com/certsrv (which doesn't work).

Anyone else had any success with remote certificate request using certreq?

January 26th, 2015 7:30am

Interestingly, this is exactly what I was looking to do. I do have CES/CEP installed (just happened to be on the intermediary domain-joined CA as well), but this was installed in "Windows Integrated Authentication" mode specifically for issuing to domain-joined machines.

Now I want to issue a certificate to a non-domain-joined machine (only a few) - I "think" the only way to set up CEP/CES using both 'Windows Integrated' AND 'Username/Password' authentication is via a PowerShell cmdlet.

I too have issues connecting to the "normal" CertSrv website, but I do know that the URL outlined is to do with CEP and the authentication method used - in this case Username and Password.

I'm not sure why the actual CertSrv site is not functioning or if this is a side effect of installing CEP/CES. It seems a lot to reconfigure the currently installed CEP/CES to issue just a few certs, but if that's what it takes, I'll have to look into it.

This page might be of u

January 31st, 2015 1:28pm

In fact, I think the URL shown above refers to a CES running on the Windows 2008 machine (as this was posted back in 2011). The URL on Windows 2012 R2 is still convoluted, but not as convoluted as that mentioned.

However, I have just checked my CertSrv site again and it is working - not sure what happened here. So, for me (as there are only a few certs that need to be issued), the simple thing is to create a request manually, then paste the Base64 text into the CertSrv request handling page, then take the produced certificate and import it back to the non-domain server.

https://technet.microsoft.com/en-us/library/ff625722%28v=ws.10%29.aspx#BKMK_CertEnroll
(using 'certreq' as suggested in the above article didn't work for me.)

January 31st, 2015 8:37pm
