Active Directory Certificate Services (AD DS) is used to create certification authority and related role services that allow you to issue and manage certificates. A certificate authority is also referred to as certification authority and it helps to issue digital certificates and authenticate the digital identities of computer systems. By this we mean, it helps certifies the ownership of a public key by the named subject of the certificate. One of the objectives is to make communication on the internet secure by playing a vital role in digital security. See the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.
Certificate authorities (CA) are a critical part of the internet communication and without it, transactions wouldn’t be secure and you will never be able to safely shop, or perform online banking. Here are some guides on how to install and configure Active Directory Certificate Services and how to create a certificate template for BitLocker Network Unlock. 1: Certificate Enrollement Web Services: The Certificate Enrollment Web Service uses the HTTPS protocol to accept certificate requests from and return issued certificates to network client computers. The Certificate Enrollment Web Service uses the DCOM protocol to connect to the certification authority (CA) and complete certificate enrollment on behalf of the requester. - It's duty is to let clients enrol and renew certificates, from either non domain joined machines, or machines that cannot contact your PKI environment. 2: Certifcate Authority Web Enrollment: The Certification Authority (CA) Web Enrollment role service provides a set of web pages that allow interaction with the Certification Authority role service. These web pages are located at https://<servername>/certsrv, where <servername> is the name of the server that hosts the hosts the CA Web Enrollment pages. The certsrv portion of the URL should always be in lowercase letters; otherwise, users may have trouble checking and retrieving pending certificates. - CA Web Enrollment is useful when you interact with a standalone CA because the Certificates Microsoft Management Console (MMC) snap-in cannot be used to interact with a standalone CA. Enterprise CAs can accept certificate requests through the Certificates snap-in or the CA Web Enrollment role service pages. - You can install CA Web Enrollment on a server that is not a CA to separate web traffic from the CA. Installing CA Web Enrollment configures the computer as an enrollment registration authority. You must select a CA to be used with the CA Web Enrollment pages.
The following error isn’t a bug or an immediate issue in my lab environment. I had installed the Certificate Enrollment Web Services and Certificate Authority Web Enrollment roles to demonstrate how the PetitPotam attack can be mitigated.
Upon completing my lab, I had to uninstall the roles because there wasn’t a real need for it and
upon refresh the following error below was prompted.
To resolve this missing "CertSrv" virtual directory, I decided to create this guide to help those of you that might be having the missing virtual directory “CertSrv” issue and ways to resolve it. First, quickly run the command below to see if the following Web Enrollment role is installed. As you can see the role isn’t.
Note: When the below steps do not resolve the issue, please proceed to the last paragraph for a referenced guide.
I will be walking you through the steps to install the Certificate Enrollment Web Services and Certificate Authority Web Enrollment roles if you already have the AD CA setup. To add the roles to the server, launch the Server Manager as shown below
– Click on Add Roles and Features as shown below.
This is just an information page. Usually, you should skip the “before you begin” page so it does not come up with anything you wish to install a role or a feature. When you are done and click on Next.
– This installation is a role-based installation, therefore, we will be selecting role-based or feature-based installation. Click on Next to continue
On the Select destination server, if you have multiple servers, please select your desired server or local server you wish to install the Certificate Enrollment Web Services and Certificate Authority Web Enrollment unto. In my case, I have just one server in the pool and it is selected automatically by default.
– Click on Next to continue.
In the Select Server Roles, expand the Active Directory Certificate Services and take note of the marked roles.
Ensure both roles are checked “Certificate Enrollment Web Services and Certificate Authority Web Enrollment” as shown below.
OnOn the select features page, we do not have to do anything here except your environment demands a feature installation.
– Please click on Next to proceed.
Lastly, on the confirmation page, click on Install to have the roles installed.
As you can see below, the installation has started and you can view the progress from this window. Note: You can also click on the close button to have this window closed while the installation is still in progress.
Post Deployment Configuration: please click on the Server Manager
– Click on the flag as shown below and
On this page, ensure the account you are using to install and configure the following roles meet the stated requirements.
– Enterprise Admin Group (Enterprise certification authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, and Network Device Enrollment Service).
– Local Administrators group (Standalone certification authority, Certification Authority Web Enrollment, and Online Responder).
I will be configuring both roles as shown below. Ensure the roles are selected and click on Next to continue.
At the CA for CES window, the AD CS Configuration wizard should fill in the Target CA for you (
The Target CA is selected by default). However, if it doesn’t click on the select button and choose your CA. (You must select a CA to be used with the CA Web Enrollment pages).
– The CA that CA Web Enrollment uses is called the Target CA in the user interface. You can select the target CA by using the CA name or the computer name that is associated with the CA
and click on Next.
Select the Authentication Type of your choice. I will be selecting the first option “Windows Integrated Authentication”.
On the Service Account for CES, please select “Use the Built-in application pool identity”. Click on Next to continue.
On the Service Certificate page, please select “Choose an existing certificate for SSL encryption (This is the recommended setting though).
On the Confirmation page, please select configure in order to complete the setup.
As you can see, the following role services are installed. As you can see, we have the Certificate Authority running.
– Click on Close to close the AD CS Configuration wizard.
Next, we will be accessing the Internet Information Services (IIS) Manager to see if the virtual Directory has been restored. To do this,
– Open Server Manager and Click on Internet Information Services (IIS) Manager.
As you can see the Virtual Directory has been restored. Here is a guide on how to mitigate the NTLM Relay PetitPotam attack on AD CS that affects Certificate Enrollment Web Services and Certificate Authority Web Enrollment when NTLM is enabled.
If the steps discussed here do not help in resolving our issue, kindly consult this link for other possible steps.