How to access the new Certificate Enrollment Web Services programmatically

Hi all,

Some time ago a customer of mine wanted to use the Windows Server 2008 R2 Certificate Enrollment Web Services, so they could send a PKCS#10 request and get the certificate back.

They followed the instructions in this whitepaper: Certificate Enrollment Web Services in Windows Server 2008 R2. They installed the CA and the web services, and they were able to enroll certs by using the windows GUI ("Request new certificate..." option in the certificate store).

Then they tried to consume those web services from a C# client. The issue was that they couldn't find the relevant method for enrollment.


Our "Request New Certificate..." GUI uses CertEnroll behind the scenes to access those web services, instead of attacking the web services directly.

Microsoft SDK contains a sample which uses the Certificate Enrollment Web Services through CertEnroll:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Samples\security\x509 certificate enrollment\CSharp\enrollWithIX509EnrollmentHelper

From its readme.txt:
Windows 7 X509CertificateEnrollment C# Sample

Sample name: enrollWithIX509EnrollmentHelper

This sample demonstrates how to use the Windows 7 new http protocol to
enroll a certificate by calling the IX509EnrollmentHelper::AddEnrollmentServer
and IX509Enrollment2::Enroll methods. The purpose of the call to the
IX509EnrollmentHelper::AddEnrollmentServer is to cache the authentication
credential to enrollment server in Windows vault.

This sample does not support certificate authentication type


I hope this helps.



Alex (Alejandro Campos Magencio)

Comments (2)

  1. Alex,

    Do you have any experience with doing Delayed enrollment as explained here:…/aa377809%28v=VS.85%29.aspx

    I'm trying to do something similar to the example mentioned above, only using client certificate authentication.  The goal is that I want to build a custom request for a machine where I set the CN to use for the certificate to a pre-determined machine name (for a device that will not yet be provisioned at the point we request the certificate), that the device can use, once the certificate and key is installed on it, for client authentication to a web service.  We're trying to wrap this process of creating a certificate in a .NET web service that can be consumed by a Java web application as part of an automated provisioning service.  I was hoping to be able to use the CertEnroll APIs to do this, but I'm running in to problems just setting up the IX509EnrollmentHelper when calling AddPolicyServer — some sort of an Argument exception that says that the value of one of the arguments was not within the expected range (not sure which one).  The call to AddEnrollmentServer works using client certificate auth, so I don't think the problem is with the ServerUri, the AuthFlags, the credential argument or the password argument (which is set to null for cilent cert auth).  I've tried several of the values in the PolicyServerUrlFlags for the third argument for that method, and I've tried using null, an empty string, and a valid enrollment policy id for the strEnrollmentPolicyID argument… so I'm at a loss for why that does not work.

    In any case, I'm trying to do a lot of things here, all in the "Delayed enrollment" method of enrolling a certificate for these devices.  I'm not even sure if what I want to do is possible, in that I want to be able to generate the request (and the private key) — somehow with a custom certificate template (which from what I understand comes from the policy server), store it off, then initialize an enrollment request using the enrollment helper and the CX509Enrollment object, then save the new certificate (to the filesystem or a database) and return it from a web service call.

    Any tips, suggestions, things to try?  Someone else who I might ask about all of this?  Suggested forums to look in for advice?  Any documentation I should look at? I'm really having a hard time finding enough references (documentation, forum postings, blogs, etc.) to accomplish all of this properly. (I've already been reading through the "Windows Server 2008 R2 Certificate Enrollment Web Services.doc" file for how to set up the ADCS web services to use a service user and setting up delegation so the certificate authentication works when the web service and certificate server are not on the same machine, and done the client validation to ensure that setup works properly).

    Thanks for any help, in advance!


  2. I would need time to investigate this. Please open a Technical Support case with us if required.



Skip to main content