Certificate Web Enrollment from Vista

One of the enhancements in Windows Vista is the new certificate enrollment interface called CertEnroll. In prior client operating system versions we had the XEnroll code, which let users enroll for certificates through a web page served by their Windows Server 2003 certification authority. For Vista and Longhorn, though, a need was seen to improve both the functionality of the certificate APIs and the ease of developing against them. The result is a radically different, but vastly improved, certificate enrollment API simply called CertEnroll.

At the file level, XP and Server 2003 clients use xenroll.dll (the XEnroll ActiveX control) for web enrollment. Vista and Longhorn use certenroll.dll (the CertEnroll COM library) instead.

Here's the MSDN start page on the new Certificate Enrollment API:

Certificate Enrollment API

http://msdn2.microsoft.com/en-us/library/aa374850.aspx

With all this new and easy-to-use functionality comes an issue that some folks will have to deal with: the Windows 2000 and Windows Server 2003 certification authority web enrollment pages will not let a Vista client enroll for a certificate. The fundamental difference is simply the enrollment interface. Those pages script against the XEnroll ActiveX control, and Vista ships certenroll.dll rather than xenroll.dll, so the control the pages try to load is not there.
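
As an added check (mine, not from the post or the KB article), here is a PowerShell snippet that shows which interface each side speaks. On the client it looks for xenroll.dll versus certenroll.dll; on the CA it scans the web enrollment pages for the control they script against. The CertSrv path and the indicator strings (the XEnroll control and its CEnroll.CEnroll ProgID, and the X509Enrollment. ProgID prefix the CertEnroll objects use) are assumptions for this example based on how those pages are written.

```powershell
# Added example, not from the original post: which enrollment interface is present
# on each side. Paths and indicator strings are assumptions for this example.

# Client: XP/2003 carry xenroll.dll; Vista/Longhorn carry certenroll.dll instead.
function Get-ClientEnrollmentInterface {
    $sys = Join-Path $env:SystemRoot "System32"
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        XEnroll    = Test-Path (Join-Path $sys "xenroll.dll")
        CertEnroll = Test-Path (Join-Path $sys "certenroll.dll")
    }
}

# CA: the 2003 pages load the XEnroll ActiveX control; the Longhorn pages use the
# CertEnroll objects (ProgIDs starting with "X509Enrollment."). Report per page.
function Get-WebEnrollmentPageInterface {
    # Default location of the web enrollment pages (assumed)
    param([string] $CertSrvPath = (Join-Path $env:SystemRoot "System32\CertSrv"))

    Get-ChildItem -Path $CertSrvPath -Recurse -Include *.asp, *.inc, *.js, *.htm |
        ForEach-Object {
            $text = [IO.File]::ReadAllText($_.FullName)
            New-Object PSObject -Property @{
                Page       = $_.Name
                XEnroll    = ($text -match 'xenroll|CEnroll\.CEnroll')   # -match is case-insensitive
                CertEnroll = ($text -match 'X509Enrollment\.')
            }
        } |
        Where-Object { $_.XEnroll -or $_.CertEnroll }
}

# A Vista client (CertEnroll only) against pages that reference only XEnroll is the
# failure mode described above; pages that serve both client generations reference both.
Get-ClientEnrollmentInterface
Get-WebEnrollmentPageInterface | Format-Table Page, XEnroll, CertEnroll -AutoSize
```

Run the first function on the client that fails to enroll and the second on the CA; a client reporting CertEnroll only against pages reporting XEnroll only is the mismatch this post is about.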

Does this mean that certificate web enrollment isn't an option from Vista clients? Emphatically, no! But it does mean that you have some additional considerations to take into account.

We have a published Knowledge Base article on this (below), but I think getting the word out a bit more on some of the details would be helpful for everyone.

How to use Certificate Services Web enrollment pages together with Windows Vista

http://support.microsoft.com/kb/922706

The article describes the problem and says that you need to remove your Windows Server 2003 CA web enrollment pages in favor of the ones from Longhorn Server.

Wait! you say. Longhorn isn't even released yet! How can I get those pages when they aren't even available?

We have a hotfix package available as a free (my favorite word) download from our web site.

Just go here and use KB article 922706 as the reference: https://support.microsoft.com/contactus2/emailcontact.aspx?scid=sw;en;1410&WS=hotfix

Here are a few caveats, or things to keep in mind, about the Longhorn certificate enrollment pages that may not have been clearly spelled out in the Knowledge Base article:

- The Longhorn pages support web enrollment requests from Server 2003 and XP clients (XEnroll) as well as from Vista (CertEnroll).

- The article says that you must use a specific version of the Longhorn pages. Rest assured, if we provide them to you, they're the right ones.

- Enroll on Behalf Of (this may be available in Vista SP1) is not present in the Longhorn pages.

- Enrolling for computer certificates is not possible currently (part of the Enroll on Behalf Of difference).
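
As an added example (not code from the original post, the KB article or the Longhorn pages), here is the CertEnroll COM interface described earlier, driven from PowerShell on a Vista or later client. It creates a PKCS#10 request the way the CertEnroll-based pages do on the client side and installs the issued certificate afterwards; because it calls the API directly it can also request in the machine context, which the bullets above say the web pages cannot. The subject name, template name, CSP choice and file paths are assumptions for the example; the enumeration values are the documented CertEnroll constants.

```powershell
# Added example, not from the original post: drive CertEnroll (certenroll.dll) from
# PowerShell. Requires Vista or later; a machine-context request needs an elevated shell.

# Enumeration values from the CertEnroll type library
$ContextUser    = 1          # X509CertificateEnrollmentContext.ContextUser
$ContextMachine = 2          # X509CertificateEnrollmentContext.ContextMachine
$XCN_AT_KEYEXCHANGE = 1      # X509KeySpec
$XCN_CERT_NAME_STR_NONE = 0  # X500NameFlags
$XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3  # EncodingType: "BEGIN NEW CERTIFICATE REQUEST" header
$XCN_CRYPT_STRING_BASE64_ANY = 6           # EncodingType: base64 with or without a header
$AllowNone = 0                             # InstallResponseRestrictionFlags

function New-CertEnrollRequest {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,  # e.g. "CN=vista-client.contoso.com" (assumed)
        [string] $TemplateName = "",                   # empty = no template; or an enterprise CA template name
        [switch] $MachineContext                       # key and request in the computer store
    )
    $context = if ($MachineContext) { $ContextMachine } else { $ContextUser }

    # 1. Generate the private key (the part XEnroll did behind createPKCS10)
    $key = New-Object -ComObject X509Enrollment.CX509PrivateKey
    $key.ProviderName   = "Microsoft Enhanced RSA and AES Cryptographic Provider"  # CSP choice assumed
    $key.KeySpec        = $XCN_AT_KEYEXCHANGE
    $key.Length         = 2048
    $key.MachineContext = [bool]$MachineContext
    $key.Create()

    # 2. Build the PKCS#10 request around that key, optionally bound to a template
    $req = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
    $req.InitializeFromPrivateKey($context, $key, $TemplateName)
    $dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
    $dn.Encode($SubjectName, $XCN_CERT_NAME_STR_NONE)
    $req.Subject = $dn

    # 3. Wrap it in an enrollment object and emit the base64 PKCS#10 text
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.InitializeFromRequest($req)
    return $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64REQUESTHEADER)
}

function Install-CertEnrollResponse {
    param(
        [Parameter(Mandatory)] [string] $ResponsePath,  # base64 certificate returned by the CA
        [switch] $MachineContext                        # must match the context used for the request
    )
    $context = if ($MachineContext) { $ContextMachine } else { $ContextUser }
    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    $enroll.Initialize($context)
    # Matches the issued certificate to the pending private key and installs it in that store
    $enroll.InstallResponse($AllowNone, [IO.File]::ReadAllText($ResponsePath), $XCN_CRYPT_STRING_BASE64_ANY, "")
}

# Usage (paths assumed): generate the request, submit it through the CA's web pages
# or with "certreq -submit", then install the issued certificate.
New-CertEnrollRequest -SubjectName "CN=vista-client.contoso.com" | Set-Content -Path .\request.req
# After the CA issues the certificate and you save the response as .\issued.cer:
# Install-CertEnrollResponse -ResponsePath .\issued.cer
```

Add -MachineContext to both calls from an elevated shell to enroll a computer certificate; that is the scripted alternative for the computer-certificate gap in the web pages noted above. The request text the first function returns is exactly what the "submit an advanced request" page expects to have pasted into it.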

For folks out there who have heavily customized web enrollment pages, I encourage you to contact us, obtain the Longhorn pages, and then alter that code as needed to replicate your customizations.

Special thanks to my colleague Seth Scruggs for some of the above bullets.

We welcome feedback on this, so please post a comment if you’d like.  If you have questions on this, please also post.

Published 04 April 07 07:29 by Tim Springston

Comments

# mnaylor said on August 21, 2007 11:49 AM:

How easy is it to rollback the hotfix if it does not perform as expected?

# TrackBack said on August 23, 2007 9:52 AM:
# dimitris@giakoumakis.com said on November 20, 2007 8:00 AM:

Thanks for your helpful article. Can we use the Longhorn patchfix on Windows 2000 Server Certificate Enrollment pages too?

# Tim Springston said on November 20, 2007 9:04 AM:

No, these pages will only work on Windows 2003 or 2008.

# Tim Springston said on November 20, 2007 9:06 AM:

As far as rolling back the pages, they are not an installer per se.  The article gives a step by step on how to get them on your certificate server and configure it to use them.  I haven't tested or heard of anyone doing it, but I suppose you could remove them and all of their files and replace them.  Not sure why you would need to though.

# Active Directory Blog said on November 20, 2007 9:25 AM:

There's been a lot of demand for the web enrollment pages from Server 2008. For those that have contacted


About Tim Springston

Tim has worked in the Customer Services and Support division (formerly Product Support Services) of Microsoft since 1998, working escalated contract customer cases and emergency calls. He specializes in Windows Directory Services, which is Active Directory, Security, DFS, PKI and several other components of Windows Server. Tim is an alumnus of the University of Missouri at Columbia (Mizzou) and does a great deal, perhaps too much, of 'test playing' Xbox 360 games in his spare time.
