This section describes how to edit an enrollment service in Active Directory using native Windows tools.
Building the Enrollment URL
To build the Enrollment Service URL, use the following syntax:
https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>

Where:

- <CEG-server> is the hostname or IP address of the Certificate Enrollment Gateway server.
- <auth> is the authentication method, either usertoken for user name and password authentication or kerberos for Kerberos (Windows integrated) authentication.
- <tenant-ID> is the unique identifier of a tenant defined in Certificate Enrollment Gateway. The value is case-sensitive.
- <CA-ID> is the CA ID of the Certificate Authority (CA) defined in CA Gateway that will issue certificates to the Windows endpoint.
For example, when authenticating with a user name and password:
https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1

For example, when authenticating with Kerberos:

https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1

Adding the enrollment URL to the enrollment service using the certutil utility
On the Active Directory server, open a Command Prompt window and run the following command to add the Enrollment Service URL with the certutil utility.
certutil -config "<name>" -enrollmentserverURL <url> <auth> [<priority>]

Where:

- <name> is the name of the enrollment service, for example "CEGMSCA".
- <url> is the URL described in Building the Enrollment URL.
- <auth> is the identifier of the authentication mode: kerberos for Kerberos authentication, or username for user name and password authentication. Note that the certutil keyword is username even though the URL path segment is usertoken; certutil stores the mode in the enrollment service object as the integer 2 (Kerberos) or 4 (user name and password).
- <priority> is the server priority. If you omit this parameter, the value defaults to 1.
For example, when authenticating with a user name and password:
certutil -config "CEGMSCA" -enrollmentserverURL https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1 username

For example, when authenticating with Kerberos:

certutil -config "CEGMSCA" -enrollmentserverURL https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1 kerberos

To check the added URL, run certutil without arguments. The Web Enrollment Servers section of the output lists each enrollment server entry one value per line: the priority, the authentication mode (2 for Kerberos, 4 for user name and password), the renewal-only flag (0 for enrollment and renewal) and the URL. For example:

PS C:\Windows\system32> certutil
Entry 0:
  Name:                        "CEGMSCA"
  Organizational Unit:         ""
  Organization:                ""
  Locality:                    ""
  State:                       ""
  Country/region:              ""
  Config:                      "cegmsca.example.com\CEGMSCA"
  Exchange Certificate:        ""
  Signature Certificate:       ""
  Description:                 ""
  Server:                      "cegmsca.example.com"
  Authority:                   "CEGMSCA"
  Sanitized Name:              "CEGMSCA"
  Short Name:                  "CEGMSCA"
  Sanitized Short Name:        "CEGMSCA"
  Flags:                       "1"
  Web Enrollment Servers:
    1
    4
    0
    https://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1
    0
    1
    2
    0
    https://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1
    0
CertUtil: -dump command completed successfully.

Changing the enrollment URL of the enrollment service using ADSI Edit
To add the enrollment service URL to Active Directory using ADSI Edit, complete the following procedure.
To add the enrollment service URL to Active Directory using ADSI Edit
- Log in to the server hosting Active Directory.
- Open ADSI Edit. Select Start > Windows Administrative Tools > ADSI Edit.
The ADSI Edit dialog box appears.
- In the tree view, expand ADSI Edit > Configuration > CN=Configuration,<suffix> > CN=Services > CN=Public Key Services > CN=Certificate Enrollment Gateway.
- Double-click the Active Directory CA enrollment service.
A Properties dialog box appears.
- Click the Attribute Editor tab.
- Under Attributes, select msPKI-Enrollment-Servers. The attribute is multi-valued, one value per enrollment server URL, and in each value the URL is preceded by three integers, where:
- The first integer is the Priority of the service URL.
- The second integer is the authentication method: 2 for Kerberos authentication, 4 for username and password authentication.
- The third integer is 0 for certificate enrollment and renewal or 1 for certificate renewal only.
- Click Edit.
Replace the current URL with the URL you built earlier in Building the Enrollment URL.
Do not overwrite the preceding integers when replacing the URL. The integers are required.
- Click OK.
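Both the certutil dump above and the ADSI Edit procedure expose the same msPKI-Enrollment-Servers values, so a quick consistency check after either edit is worthwhile: a typo in the <auth> segment, a tenant ID with the wrong case, or an authentication integer that does not match the URL will only surface later as a failed enrollment on the endpoint. The following PowerShell script is an added example, not part of the Certificate Enrollment Gateway documentation or product. It parses attribute values in the priority / authentication / renewal-only / URL layout shown earlier, checks each URL against the syntax from Building the Enrollment URL, and flags mismatches. The sample values are constructed to match the page's example entries (plus one deliberately broken entry); the function names, the regular expression and the mapping of 2 to kerberos and 4 to usertoken are this example's own, and the Get-ADObject call is only shown in a comment for live use.

```powershell
# Added example (not from the Certificate Enrollment Gateway documentation):
# parse msPKI-Enrollment-Servers values and check that each CEG URL is consistent
# with its authentication integer, expected tenant ID and CA ID.

# msPKI authentication code -> <auth> path segment expected in a CEG URL (example's own mapping)
$AuthNames = @{ 2 = 'kerberos'; 4 = 'usertoken' }

function ConvertFrom-EnrollmentServerValue {
    param([Parameter(Mandatory)][string]$Value)
    # Each value holds, one per line: Priority, Authentication, RenewalOnly flag, URL
    # (certutil's dump prints an extra trailing "0" line; anything after the URL is ignored).
    $parts = $Value -split "`r?`n" | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
    if ($parts.Count -lt 4) { throw "Malformed msPKI-Enrollment-Servers value: '$Value'" }
    [pscustomobject]@{
        Priority    = [int]$parts[0]
        AuthCode    = [int]$parts[1]
        RenewalOnly = ([int]$parts[2] -eq 1)
        Url         = $parts[3]
    }
}

function Test-CegEnrollmentUrl {
    param([Parameter(Mandatory)]$Entry, [string]$ExpectedTenant, [string]$ExpectedCaId)
    $problems = @()
    # Syntax from "Building the Enrollment URL":
    #   https://<CEG-server>:443/wstep/<auth>/services/<tenant-ID>/<CA-ID>
    $pattern = '^https://(?<host>[^/:]+)(?::(?<port>\d+))?/wstep/(?<auth>[^/]+)/services/(?<tenant>[^/]+)/(?<ca>[^/]+)$'
    $m = [regex]::Match($Entry.Url, $pattern)
    if (-not $m.Success) { return ,"URL does not match the CEG enrollment URL syntax: $($Entry.Url)" }
    if ($m.Groups['port'].Success -and $m.Groups['port'].Value -ne '443') {
        $problems += "non-default port $($m.Groups['port'].Value)"
    }
    $expectedAuth = $AuthNames[$Entry.AuthCode]
    if (-not $expectedAuth) {
        $problems += "unsupported authentication code $($Entry.AuthCode)"
    } elseif ($m.Groups['auth'].Value -cne $expectedAuth) {
        $problems += "authentication code $($Entry.AuthCode) expects '$expectedAuth' in the URL but found '$($m.Groups['auth'].Value)'"
    }
    # The tenant ID is case-sensitive in CEG, so compare with -cne rather than -ne.
    if ($ExpectedTenant -and $m.Groups['tenant'].Value -cne $ExpectedTenant) {
        $problems += "tenant '$($m.Groups['tenant'].Value)' differs from '$ExpectedTenant' (case-sensitive)"
    }
    if ($ExpectedCaId -and $m.Groups['ca'].Value -ne $ExpectedCaId) {
        $problems += "CA ID '$($m.Groups['ca'].Value)' differs from '$ExpectedCaId'"
    }
    return $problems
}

# Live use: read the attribute from the enrollment service object, e.g.
#   $values = (Get-ADObject -Identity $dn -Properties msPKI-Enrollment-Servers).'msPKI-Enrollment-Servers'
# Offline sample (constructed for this example), one value per entry as ADSI Edit stores them.
# The third entry is deliberately wrong: auth code 2 (Kerberos) with a usertoken URL and the tenant in the wrong case.
$values = @(
    "1`n4`n0`nhttps://cegserver1.example.com:443/wstep/usertoken/services/tenant1/example-ca1",
    "1`n2`n0`nhttps://cegserver1.example.com:443/wstep/kerberos/services/tenant1/example-ca1",
    "2`n2`n0`nhttps://cegserver1.example.com:443/wstep/usertoken/services/Tenant1/example-ca1"
)

foreach ($v in $values) {
    $e = ConvertFrom-EnrollmentServerValue -Value $v
    $problems = Test-CegEnrollmentUrl -Entry $e -ExpectedTenant 'tenant1' -ExpectedCaId 'example-ca1'
    $status = if ($problems.Count -eq 0) { 'OK' } else { 'CHECK' }
    "{0,-5} priority={1} auth={2} renewalOnly={3} {4}" -f $status, $e.Priority, $e.AuthCode, $e.RenewalOnly, $e.Url
    $problems | ForEach-Object { "      - $_" }
}
```

Run it on the domain controller (or any host with the ActiveDirectory module) after adding or editing the URL: the first two constructed entries report OK, the third reports CHECK with both the authentication mismatch and the case-sensitive tenant difference. When you replace a URL in ADSI Edit, paste the new value into this check before clicking OK; the same parser also accepts the value with the three leading integers kept in place, which is what the procedure requires.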

