Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).

In the default configuration, Certificate Authority Web Enrollment (CAWE) accepts only unencrypted connections via HTTP. It is recommended that the CAWE be configured for HTTP over TLS (HTTPS) to make network traffic interception more difficult. Instructions are provided below.

Certificate Authority Web Enrollment is a very old feature dating from the Windows 2000 era and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the feature does not support certificate templates of version 3 or newer, meaning that certificate templates using functions introduced with Windows Vista / Windows Server 2008 or later cannot be used. It is recommended that you do not use Certificate Authority Web Enrollment and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.

Request an SSL certificate


First, a web server certificate must be requested for the CAWE server.

Binding the certificate to the CAWE server

After an SSL certificate has been requested for the CAWE server, it must be bound to the web server. To do this, open the Internet Information Services (IIS) Manager from the Administrative Tools.

The CAWE is installed in the default web site of the web server. Accordingly, the bindings must be edited here.

If there is no SSL binding yet, a new one must be created.

The Default Web Site should answer all requests not defined otherwise, so the default setting regarding IP addresses and hostnames can be kept. Only the SSL certificate must be selected.

Enforce SSL usage

Now the web server supports requests via HTTPS, but they are not enforced for the CAWE, i.e. requests can still be submitted via plain HTTP. To enforce SSL specifically for the CAWE, expand the Default Web Site and click the "CertSrv" folder on the left-hand side.

After double-clicking on the folder, select the "SSL Settings".

Here you activate the "Require SSL" checkbox.

Then click on "Apply" on the right-hand side.

CAWE should now refuse to accept connections over HTTP without TLS.
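The same binding and "Require SSL" steps, scripted and verified with the WebAdministration module. This is an added example and not part of the original article; it assumes the certificate already sits in the machine's personal store and uses a placeholder thumbprint, and it checks that a plain HTTP request to /certsrv is refused afterwards.

```powershell
# Added example (not from the original article): configure and verify the
# CAWE HTTPS binding. Run elevated on the CAWE/IIS server. The thumbprint is
# a placeholder; replace it with that of the web server certificate requested
# for this host.
Import-Module WebAdministration

$siteName   = 'Default Web Site'
$thumbprint = '<THUMBPRINT-OF-CAWE-WEB-SERVER-CERTIFICATE>'   # placeholder

# The certificate must be in the local machine's personal store with its private key.
$cert = Get-ChildItem -Path "cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $thumbprint has no private key." }

# 1. Create the HTTPS binding on the Default Web Site if none exists yet.
#    The default (all IP addresses, no host header) is kept, as described above.
$binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol 'https' -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol 'https' -Port 443
}

# 2. Attach the certificate to the binding (same as selecting it in IIS Manager).
$binding.AddSslCertificate($thumbprint, 'My')

# 3. Require SSL for the CertSrv application only (the "Require SSL" checkbox).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/CertSrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 4. Verify: sslFlags must contain "Ssl", and plain HTTP must be refused
#    (IIS answers 403.4 "SSL required" before any authentication takes place).
$flags = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location "$siteName/CertSrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags').Value
if ($flags -notmatch 'Ssl') { throw "Require SSL is not set on $siteName/CertSrv." }

try {
    Invoke-WebRequest -Uri "http://$env:COMPUTERNAME/certsrv/" -UseBasicParsing `
        -UseDefaultCredentials -ErrorAction Stop | Out-Null
    Write-Warning 'Plain HTTP request to /certsrv succeeded; Require SSL is not effective.'
} catch {
    if ($_.Exception.Response.StatusCode.value__ -eq 403) {
        Write-Output 'OK: /certsrv refuses plain HTTP (403); use https:// instead.'
    } else { throw }
}
```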
