How do I submit pre-generated certificate requests (csr) to Windows CA if Web Enrollment is disabled?

Anonymous
2023-12-20T05:55:57+00:00

I'm trying to move away from Cryptographic Storage Provider and over to Key Storage Provider in my PKI, but I have an issue.

When I configure my templates to use KSP, their schema version is updated to 3 (or higher depending on other options) and as a result no longer display via the web enrollment website. This is supposedly by design.

https://learn.microsoft.com/en-US/troubleshoot/windows-server/identity/cng-templates-not-appear-certificate-web-enrollment

Also, not to mention, many security advisors are recommending doing away with web enrollment anyway for security reasons.

With that said, I have many users (Windows, Macs, Linux) both on and off the domain who currently generate their own requests via their tool of choice and simply submit them via web enrollment via advanced request and pasting the CSR directly in. Their certs are auto approved. No one uses the standard Microsoft methods as they are very kludgy, especially when adding extensions such as SANs. I use DigicertUtil.exe and recommend it to everyone I talk to.

How will users continue to submit their CSRs themselves without the web enrollment page? Is there another way for them to submit custom CSRs directly to a Windows CA?




3 answers

  1. Anonymous
    2023-12-20T07:06:05+00:00

    Hello Matthew McDonald (EWS),

    Thank you for posting in Microsoft Community forum.

    How will users continue to submit their CSRs themselves without the web enrollment page? Is there another way for them to submit custom CSRs directly to a Windows CA?
    A: I do not know any other method except the suggestion in the link you provided.
    An alternative, which shouldn't be attempted in production for customers without extensive testing in a test environment, is available that will allow the version 3 templates to appear in the web enrollment default pages. The reason it's not recommended is that the web enrollment pages, again, may not contain the code necessary for the certificate to populate all needed data, and so the result may be a problematic certificate. Make sure to keep that in mind when considering doing the steps below. This option is to alter the msPKI-Template-Schema-Version from 3 to 2.
    You can use other methods like:
    - Autoenroll via GPO
    - the certificates MMC snap-in
    - or the certreq command (certreq | Microsoft Learn)

    I hope the information above is helpful.

    If you have any questions or concerns, please don't hesitate to let us know.

    Best Regards,
    Daisy Zhou

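As an added example, not part of the original answer and not Microsoft's own code, the certreq route above can also cover the off-domain Linux/Mac users in the question: they keep generating their CSRs with their tool of choice, hand the files to a PKI administrator (or a submission share), and an administrator submits them to the CA with `certreq -submit` and the template named as a request attribute. The CA config string, template name and directories below are placeholders; the template's enrollment ACL and issuance requirements still decide whether the request is issued, held for manager approval, or denied.

```powershell
# Added example: submit externally generated CSRs to an AD CS CA with certreq.
# Assumptions (not from the original thread):
#   - $CaConfig is the CA's "host\CA common name" string (placeholder below).
#   - $TemplateName is a template the submitting account has Enroll rights on.
#   - Users drop PEM/DER CSR files into $CsrDir; issued certs are written to $OutDir.
param(
    [string]$CaConfig     = 'ca01.example.internal\Example Issuing CA',   # placeholder
    [string]$TemplateName = 'ExampleWebServerKSP',                        # placeholder
    [string]$CsrDir       = 'C:\PKI\inbox',
    [string]$OutDir       = 'C:\PKI\issued'
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Confirm the CA is reachable before looping over requests.
certutil -config $CaConfig -ping | Out-Null
if ($LASTEXITCODE -ne 0) { throw "CA '$CaConfig' is not reachable" }

Get-ChildItem -Path $CsrDir -Filter '*.csr' | ForEach-Object {
    $csr = $_.FullName
    $cer = Join-Path $OutDir ($_.BaseName + '.cer')

    # -attrib passes the request attribute the CA uses to select the template;
    # this does not bypass the template's ACL or its approval policy.
    $output = certreq -submit -config $CaConfig -attrib "CertificateTemplate:$TemplateName" $csr $cer 2>&1
    $text = ($output | Out-String)

    if ($LASTEXITCODE -eq 0 -and (Test-Path $cer)) {
        # Auto-issued: the certificate was written to $cer.
        Write-Host "Issued: $($_.Name) -> $cer"
    }
    elseif ($text -match 'RequestId:\s*(\d+)') {
        # Held for CA manager approval; keep the id so it can be fetched later with:
        #   certreq -retrieve -config $CaConfig <RequestId> <file.cer>
        Write-Warning "Pending (RequestId $($Matches[1])): $($_.Name)"
    }
    else {
        Write-Warning "Rejected or failed: $($_.Name)`n$text"
    }
}
```

Because the issued certificate is returned as a file, the private key never leaves the requester's machine, which is the property the original web-enrollment "advanced request" workflow already had. Restricting Enroll on the template to the account that runs this script, and keeping manager approval on for anything beyond the auto-approved cases the question describes, keeps the same control the CA applied before.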
  2. Anonymous
    2023-12-20T15:37:19+00:00

    That is unfortunate. None of those work for my Linux/Mac folk. What is MS thinking? This is just dumb. I guess I need to look into alternate PKI solutions.

    3 people found this answer helpful.
  3. Anonymous
    2023-12-21T02:37:59+00:00

    Hello Matthew McDonald (EWS),

    Good day!

    I am sorry for the inconvenience.

    Currently, there are the methods I mentioned above.
    2008 Web Enrollment and Version 3 Templates - Microsoft Community Hub

    Here is a similar thread.

    [e667-6eea-4e7-bef4] (microsoft.com)

    Best Regards,
    Daisy Zhou
