Certificate Enrollment Web Service Overview

Applies To: Windows Server 2008 R2

The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.


For updated information on this topic, see the TechNet Wiki article titled Certificate Enrollment Web Services in Active Directory Certificate Services.

The Certificate Enrollment Web Service uses HTTPS to accept certificate requests from network client computers and to return the issued certificates to them. It then uses DCOM to connect to the certification authority (CA) and completes the enrollment on behalf of the requester, so the client itself needs no DCOM connectivity to the CA. In previous versions of AD CS, policy-based certificate enrollment could be completed only by domain member client computers communicating with the CA directly over DCOM, which limited certificate issuance to the trust boundaries established by Active Directory domains and forests.
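As an added example (not code from the original page or from Microsoft), the following PowerShell script installs the two role services on Windows Server 2008 R2 and then performs the checks a practitioner would want once the Server Manager configuration wizard has run: that the web site hosting the service accepts HTTPS only, that the server certificate bound to port 443 exists and has not expired, and which enrollment server URLs the CA advertises to clients. The site name, CA configuration string and hostnames are placeholders for the reader's environment.

```powershell
# Added example (not part of the original TechNet page). Assumes Windows Server 2008 R2
# with the ServerManager and WebAdministration modules, run from an elevated prompt.
# The site name, CA configuration string and hostnames are placeholders.
Import-Module ServerManager
Import-Module WebAdministration

# Install the two role services this page describes. The feature IDs are the ones
# Get-WindowsFeature lists under Active Directory Certificate Services.
Add-WindowsFeature ADCS-Enroll-Web-Svc, ADCS-Enroll-Web-Pol

# After the role services are configured in Server Manager, verify that the web site
# hosting them listens on HTTPS. The whole point of the service is enrollment over
# HTTPS, so an HTTP binding left in place lets a client submit a request in the clear.
$siteName = 'Default Web Site'                                   # placeholder
$httpBindings  = Get-WebBinding -Name $siteName -Protocol http
$httpsBindings = Get-WebBinding -Name $siteName -Protocol https
if (-not $httpsBindings) { throw "$siteName has no HTTPS binding; the enrollment web services cannot be used." }
if ($httpBindings)       { Write-Warning "$siteName still has an HTTP binding; remove it or redirect it to HTTPS." }

# The server certificate bound to port 443 is what non-domain and extranet clients
# validate before they trust the endpoint; check it is in the machine store and valid.
$sslBinding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
if ($sslBinding) {
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $sslBinding.Thumbprint }
    if (-not $cert)                    { throw "SSL binding thumbprint $($sslBinding.Thumbprint) not found in LocalMachine\My." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Server certificate $($cert.Subject) expired on $($cert.NotAfter)." }
    "HTTPS binding uses $($cert.Subject), valid until $($cert.NotAfter)"
}

# List the enrollment server URLs the CA publishes for clients; each should be an
# https:// URL pointing at a host whose server certificate the clients can validate.
$caConfig = 'ca01.corp.contoso.com\Contoso Issuing CA'           # placeholder
certutil -config $caConfig -enrollmentServerURL
```

On Windows Server 2008 R2 the CA that the service connects to over DCOM, the client authentication type and the SSL certificate are all chosen in the Server Manager configuration wizard; the script installs the role services and checks the result, it does not replace that wizard step.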

Certificate enrollment over HTTPS enables the following new deployment scenarios:

  • Certificate enrollment across forest boundaries to reduce the number of CAs in an enterprise.

  • Extranet deployment to issue certificates to mobile workers and business partners.

Additional references