Configure the Certificate Enrollment Policy Web Service (CEP) to work with a domain account.

The following describes how to set up a Certificate Enrollment Policy Web Service (CEP) that the service runs under a domain account.

Continue reading „Den Certificate Enrollment Policy Web Service (CEP) für den Betrieb mit einem Domänenkonto konfigurieren“

Configure the Certificate Enrollment Policy Web Service (CEP) to work with a Group Managed Service Account (gMSA).

For security reasons, it may make sense to operate the CEP with a Group Managed Service Account (gMSA) instead of a normal domain account. This option offers the charming advantage that the password of the account is changed automatically, and thus this step does not have to be done manually, which is unfortunately forgotten far too often.

Continue reading „Den Certificate Enrollment Policy Web Service (CEP) für den Betrieb mit einem Group Managed Service Account (gMSA) konfigurieren“

View and clear the certificate enrollment policy cache for the Certificate Enrollment Policy Web Service (CEP).

After a certificate enrollment policy is configured and used by a subscriber, the results are cached locally (Enrollment Policy Cache).

If changes are now made to the infrastructure, for example by publishing or removing a new certificate template on a certification authority accessible via Certificate Enrollment Web Service (CES), these changes are not immediately visible to subscribers due to the cache.

For this reason, it may be helpful to view or clear the cache.

Continue reading „Den Zwischenspeicher für Zertifikatregistrierungsrichtlinien (Enrollment Policy Cache) für den Certificate Enrollment Policy Web Service (CEP) einsehen und löschen“

Deleting a Manually Configured Certificate Request Policy (Enrollment Policy)

When working with Certificate Enrollment Web Services and manually entering certificate enrollment policies on client computers, one encounters the phenomenon that there is no way to edit or delete them in the Certificate Management Console.

Continue reading „Löschen einer manuell konfigurierten Zertifikatbeantragungs-Richtlinie (Enrollment Policy)“

The creation of a certificate enrollment policy for the Certificate Enrollment Policy Web Service (CEP) fails with the error message "This ID conflicts with an existing ID."

Assume the following scenario:

  • A Certificate Enrollment Policy Web Service (CEP) is implemented in the network.
  • An enrollment policy is configured.
  • Testing the connection fails with the following error message:
The URI entered above has ID: "{{GUID}}". This ID conflicts with an existing ID.
Continue reading „Die Erstellung einer Zertifikatregistrierungsrichtlinie (Enrollment Policy) für den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit der Fehlermeldung „This ID conflicts with an existing ID.”“

Certificate request basics via Certificate Enrollment Web Services (CEP, CES)

With Windows Server 2008 R2 and Windows 7, a new functionality for certificate enrollment has been introduced: The Certificate Enrollment Web Services, which are mapped by two server roles:

  • Certificate Enrollment Policy Web Service (CEP)
  • Certificate Enrollment Web Services (CES)

The following is a description of the background to these roles, how they work, and the possible deployment scenarios.

Continue reading „Grundlagen Zertifikatbeantragung über Certificate Enrollment Web Services (CEP, CES)“

Certificate Enrollment Policy creation for Certificate Enrollment Policy Web Service (CEP) fails with error code "WS_E_INVALID_FORMAT".

Assume the following scenario:

  • A Certificate Enrollment Policy Web Service (CEP) is implemented in the network.
  • An enrollment policy is configured.
  • Testing the connection fails with the following error message:
Error: The input data was not in the expected format or did not have the expected value. 0x803d0000 (-2143485952 WS_E_INVALID_FORMAT)
Continue reading „Die Erstellung einer Zertifikatregistrierungsrichtlinie (Enrollment Policy) für den Certificate Enrollment Policy Web Service (CEP) schlägt fehl mit dem Fehlercode „WS_E_INVALID_FORMAT““

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: The remote endpoint is unable to process the request due to being overloaded. 0x803d0012 (-2143485934 WS_E_ENDPOINT_TOO_BUSY)““

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • Authentication is done via Kerberos.
  • The application for the certificate is made by the CEP server itself.
  • The connection to the CEP fails and the user receives the following error message:
Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: A message containing a fault was received from the remote endpoint. 0x803d0013 (-2143485933 WS_E_ENDPOINT_FAULT_RECEIVED)““

Requesting certificates via Certificate Enrollment Web Services fails with error message "Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)".

Assume the following scenario:

  • A user requests a certificate.
  • An enrollment policy is configured for this, which points to a Certificate Enrollment Policy Web Service (CEP).
  • The connection to the CEP fails and the user receives the following error message:
Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Continue reading „Die Beantragung eines Zertifikats über die Certificate Enrollment Web Services schlägt fehl mit Fehlermeldung „Error: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)““
en_USEnglish