After installing and configuring Certificate Authority Web Enrollment (CAWE), it is essential to test the component extensively before releasing it to users. Below are instructions for a detailed functional test.
Certificate Authority Web Enrollment is a very old feature dating back to Windows 2000 and was last updated with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the feature does not support certificate templates of version 3 or newer, which means that certificate templates using functions introduced with Windows Vista / Windows Server 2008 or later cannot be used. It is recommended not to use Certificate Authority Web Enrollment and instead to request certificates via built-in tools or the PSCertificateEnrollment PowerShell module.
Overview
The functional tests consist of the following steps:
- Call the page
- Logging on to the site
- Submitting a certificate request - with Kerberos authentication
- Submitting a certificate request - without Kerberos authentication
Details: Call the page
First, check whether the address of the CAWE can be reached at all. Possible problems here are:
- Name resolution
- Connection problems, for example due to the firewall configuration
- Web server configuration, for example, the correct setup of SSL
If problems already occur here, the following articles may be helpful:
- Requesting certificates via the Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 403 "Forbidden: Access is denied."
- Required firewall rules for Certification Authority Web Enrollment (CAWE)
- Enabling Secure Sockets Layer (SSL) for Certificate Authority Web Enrollment (CAWE).
Details: Logging on to the site
The test should first be performed with Internet Explorer and no other browser.
https://<alias-or-servername>/certsrv
If you are prompted for authentication the first time you visit the page, Kerberos authentication is not taking place. Usually this is because the address of the CAWE server has not been added to the "Local Intranet" zone in the browser's security settings.
To add it, open the menu with the gear icon on the right and select "Internet options".
In the "Security" tab, click on "Sites".
In the following dialog, click on "Advanced".
In the next dialog, enter the address of the CAWE server. It must be exactly the address as entered in the address bar, including the "https" prefix.
After that, you should be able to access CAWE without an authentication prompt.
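The following script is an added example, not part of the original article. It automates the parts of "Call the page" and "Logging on to the site" that can be checked without a browser: name resolution, TCP and TLS connectivity to the CAWE host, and whether an unauthenticated GET of /certsrv is answered with a 401 that offers Negotiate, which is the prerequisite for the silent Kerberos logon described above. The URL is a placeholder; the script sends no credentials and cannot observe the browser's zone setting.

```python
# Added example (not from the original article): browser-free preflight for a
# CAWE endpoint covering name resolution, TCP/TLS reachability and whether
# /certsrv offers Negotiate (Kerberos/NTLM) authentication.
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Placeholder; replace with the alias or server name used in the browser.
CAWE_URL = "https://cawe.example.test/certsrv/"

def classify_response(status, www_authenticate):
    """Turn the status code and WWW-Authenticate values of an unauthenticated
    GET /certsrv into a verdict (IIS sends one header per scheme)."""
    schemes = {v.split()[0].lower() for v in www_authenticate if v.strip()}
    if status == 401 and "negotiate" in schemes:
        return "ok: Negotiate offered, the browser can log on via Kerberos"
    if status == 401 and schemes == {"basic"}:
        return "warning: only Basic authentication offered"
    if status == 401:
        return "warning: 401 without Negotiate (schemes: %s)" % (sorted(schemes) or "none")
    if status == 403:
        return "error: 403 Forbidden, see the HTTP 403 article"
    if status == 200:
        return "warning: page served without any authentication"
    return "error: unexpected HTTP %d" % status

def preflight(url=CAWE_URL, timeout=5):
    """Run the checks in the order the article lists them; an exception from
    gethostbyname, create_connection or wrap_socket names the failing layer."""
    parts = urllib.parse.urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    address = socket.gethostbyname(host)                                # name resolution
    ctx = ssl.create_default_context()                                  # validates the SSL cert
    with socket.create_connection((host, port), timeout=timeout) as raw:  # firewall / TCP
        with ctx.wrap_socket(raw, server_hostname=host) as tls:         # SSL setup
            subject = dict(x[0] for x in tls.getpeercert()["subject"])
    req = urllib.request.Request(url, headers={"User-Agent": "cawe-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, hdrs = resp.status, resp.headers
    except urllib.error.HTTPError as err:                               # 401/403/500 land here
        status, hdrs = err.code, err.headers
    verdict = classify_response(status, hdrs.get_all("WWW-Authenticate") or [])
    return {"address": address, "tls_cn": subject.get("commonName"), "verdict": verdict}

if __name__ == "__main__":
    print(preflight())
```

A 401 offering Negotiate only shows what the server accepts; whether the browser actually uses Kerberos (rather than NTLM or a prompt) still has to be verified in Internet Explorer as described above.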
Details: Submitting a certificate request - with Kerberos authentication
You will only find out whether Kerberos delegation works once you submit a certificate request to the certification authority via CAWE.
The request must be prepared independently of these instructions and be available as a text file. In addition, the configured certification authority must offer a corresponding certificate template (see the article "Generating a RFC 2818 compliant certificate request for SSL certificates"), and the user must have the "Enroll" right on the certificate template.
The content of the certificate request is copied to the clipboard.
In the CAWE, "Request a certificate" is selected.
In the following dialog, the second option "Submit a certificate request..." is selected.
In the following dialog, the content of the certificate request copied to the clipboard is pasted into the "Saved Request" field.
The desired certificate template is selected in the "Certificate Template" area.
Subsequently, "Submit" is clicked.
If the desired certificate template is not displayed here, the following article may be helpful:
A dialog should then be displayed informing you that the website is performing a certificate operation with your identity.
Once you have confirmed the dialog with "Yes", the issued certificate should now be offered for download.
If an error message is displayed instead, or the request takes a very long time, the following articles may help with troubleshooting:
- Requesting certificates via the Certification Authority Web Enrollment (CAWE) takes a very long time
- Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with HTTP error code 500 "Internal Server error".
- Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "ERROR_ACCESS_DENIED".
- Requesting certificates via Certificate Authority Web Enrollment (CAWE) fails with error code "RPC_S_SERVER_UNAVAILABLE".
Details: Submitting a certificate request - without Kerberos authentication
If the tests have been successful up to this point, repeat them without Kerberos authentication and with other browsers and operating systems, for example:
- Internet Explorer, without entry of the CAWE page in the "Local Intranet" zone
- Edge
- Mozilla Firefox
- Google Chrome
Each of these combinations should be successfully tested.
If errors occur, the following articles may be helpful: