The application /Certsrv does not exist: How to configure Certificate Enrollment Web Services and Certificate Authority Web Enrolment
In this article, we shall discuss “The application /Certsrv does not exist: How to configure Certificate Enrollment Web Services and Certificate Authority Web Enrolment”. Active Directory Certificate Services (AD DS) is used to create certification authority and related role services that allow you to issue and manage certificates. Here is Unable to run downloaded Programs due to Defender SmartScreen, and how to manage Microsoft Defender Antivirus with Argon ACMP.
Please, see the following interesting guides on how to import a certificate into the Trusted Root and Personal file certificate store, how to request a certificate signing request in Windows using Microsoft Management Console, and how to export a certificate in PFX format in Windows.
What is a Certification Authority?
A certificate authority is also referred to as a certification authority and it helps to issue digital certificates and authenticate the digital identities of computer systems.
By this we mean, it helps certify the ownership of a public key by the named subject of the certificate. One of the objectives is to make communication on the internet secure by playing a vital role in digital security.
Certificate authorities (CA) are a critical part of Internet communication and without them, transactions wouldn’t be secure and you would never be able to safely shop. Or perform online banking.
Here are some guides on how to install and configure Active Directory Certificate Services and how to create a certificate template for BitLocker Network Unlock.
1: Certificate Enrollment Web Services
The Certificate Enrollment Web Service uses the HTTPS protocol to accept certificate requests from and return issued certificates to network client computers.
The Certificate Enrollment Web Service uses the DCOM protocol to connect to the certification authority (CA) and complete certificate enrollment on behalf of the requester. It is to let clients enrol and renew certificates, from either non-domain joined machines, or machines that cannot contact your PKI environment.
2: Certificate Authority Web Enrollment
The Certification Authority (CA) Web Enrollment role service provides a set of web pages that allow interaction with the Certification Authority role service. These web pages are located at https://<servername>/certsrv, where <servername> is the name of the server that hosts the hosts the CA Web Enrollment pages.
The certsrv portion of the URL should always be in lowercase letters. Otherwise, users may have trouble checking and retrieving pending certificates.
CA Web Enrollment is useful when you interact with a standalone CA because the Certificates Microsoft Management Console (MMC) snap-in cannot be used to interact with a standalone CA.
Enterprise CAs can accept certificate requests through the Certificates snap-in or the CA Web Enrollment role service pages.
You can install CA Web Enrollment on a server that is not a CA to separate web traffic from the CA. Installing CA Web Enrollment configures the computer as an enrollment registration authority.
You must select a CA to be used with the CA Web Enrollment pages. Mitigating PetitPotam Attack with Web Enrollment
The following error isn’t a bug or an immediate issue in my lab environment. I installed the Certificate Enrollment Web Services and Certificate Authority Web Enrollment roles to demonstrate how the PetitPotam attack can be mitigated.
Upon completing my lab. I had to uninstall the roles because there wasn’t a real need for it and upon refresh the following error below was prompted.
Fix the missing “CertSrv” virtual directory
To resolve this missing “CertSrv” virtual directory. I decided to create this guide to help those of you who might be having the missing virtual directory “CertSrv” issue and ways to resolve it.
First, quickly run the command below to see if the following Web Enrollment role is installed. As you can see, the role isn’t.
I will be walking you through the steps to install the Certificate Enrollment Web Services and Certificate Authority Web Enrollment roles if you already have the AD CA setup.
To add the roles to the server, launch the Server Manager as shown below. Click on Add Roles and Features as shown below.
This is just an information page. Usually, you should skip the “before you begin” page. In this way, it does not come up with anything you wish to install a role or a feature. When you are done click on Next.
This installation is role-based, therefore, we will be selecting role-based or feature-based installation. Click on Next to continue
On the Select Destination server, if you have multiple servers. Please select your desired server or local server you wish to install the Certificate Enrollment Web Services and Certificate Authority Web Enrollment.
In my case, I have just one server in the pool and it is selected automatically by default. Click on Next to continue.
In the Select Server Roles, expand the Active Directory Certificate Services and take note of the marked roles.
Ensure both roles are checked “Certificate Enrollment Web Services and Certificate Authority Web Enrollment” as shown below.
Select Features Page Feature Installation
On the Select Features page, we do not have to do anything except your environment demands a feature installation. Please click on Next to proceed.
Lastly, on the confirmation page, click on Install to have the roles installed.
As you can see below, the installation has started and you can view the progress from this window.
Note: You can also click on the close button to have this window closed. While the installation is still in progress.
Please, see AWS Flow Logs IAM Role Setup. Here is how to Upgrade ManageEngine Password Manager Pro, and All About Windows Server 2016.
Post Deployment Configuration to fix Application /Certsrv does not exist: Configure Certificate Enrolment Web services
Please click on the Server Manager. Click on the flag as shown below
On this page, ensure the account you are using to install and configure the following roles meets the stated requirements.
- Enterprise Admin Group (Enterprise certification authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, and Network Device Enrollment Service).
- Local Administrators group (Standalone certification authority, Certification Authority Web Enrollment, and Online Responder).
I will be configuring both roles as shown below.
Ensure the roles are selected and click on Next to continue.
At the CA for CES window, the AD CS Configuration wizard should fill in the Target CA for you (The Target CA is selected by default). However, if it doesn’t click on the select button and choose your CA. (You must select a CA to be used with the CA Web Enrollment pages).
The CA that CA Web Enrollment uses is called the Target CA in the user interface. You can select the target CA by using the CA name. Or the computer name that is associated with the CAand click on Next.
Select the Authentication Type of your choice. I will be selecting the first option “Windows Integrated Authentication”.
On the Service Account for CES, please select “Use the Built-in application pool identity”. Click on Next to continue.
Please, sse How to grant Access to User Mailbox. Here is how to uninstall AWS CLI in Windows, and How to configure WatchGuard WebCenter.
SSL certificate selection
On the Service Certificate page, please select “Choose an existing certificate for SSL encryption (This is the recommended setting though).
On the Confirmation page, please select Configure in order to complete the setup.
As you can see, the following role services are installed. As you can see, we have the Certificate Authority running. Click on Close to close the AD CS Configuration wizard.
Next, we will be accessing the Internet Information Services (IIS) Manager to see if the virtual Directory has been restored. To do this, open Server Manager and Click on Internet Information Services (IIS) Manager.
As you can see the Virtual Directory has been restored. Here is a guide on how to mitigate the NTLM Relay PetitPotam attack on AD CS that affects Certificate Enrollment Web Services and Certificate Authority Web Enrollment when NTLM is enabled.
I hope you found the steps discussed to resolve this issue “Application /Certsrv does not exist: Configure Certificate Enrolment Web Services” helpful. If you have any further questions or comments, please let me know in the comment section below.
Thanks Christian, this advice has been really helpful and i managed to get my Certsrv working.
Thank you very much for your kind words @Blake! I am glad you found this guide useful.
Thanks Christian, loved the details.
I’ve just recentyly built CA for lab. I’m unable to access
https://localhost/certsrv– getting 404. Any ideas what it might be?Hi, I am not sure if you’re accessing with the right URL format. If yes, verify that the certsrv virtual directory exists, if not the web component “Certification Authority Web Enrollment” is missing. Also, ensure that the IIS service is running. Lastly, check the Windows Event Viewer for any related error messages. This would help pinpoint and bring this issue to resolution.