Requesting certificates via Certificate Enrollment Policy Web Service (CEP) fails with error message "ERROR_WINHTTP_CONNECTION_ERROR".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Policy Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
Error: The server connection was terminated due to an error. 0x80072efe (WinHttp:12030) ERROR_WINHTTP_CONNECTION_ERROR

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.

If you call the CEP address with a browser, you get an error message that no matching SSL cipher suites could be determined.

Possible causes

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.

In this case, a hardware load balancer was connected upstream of the CEP, on which there was apparently a configuration problem. The problem was solved by creating a new configuration on the hardware load balancer.

A packet analysis with WireShark showed that the load balancer on the SSL client Hello kept sending back an RST message. The client reduced the cipher suites until all of them failed, which also explains the message when called with the browser.

Related links:


en_USEnglish