Certificate Web Enrollment from Vista

One of the enhancements in Windows Vista is the new certificate scripting interface called certenroll. In prior client operating system versions we had the xenroll code, which allowed users to enroll for certificates via a web page served by their Windows Server 2003 certificate authority. For Vista and Longhorn, though, a need was seen to enhance the functionality and ease of development in the certificate APIs. The result was a radical, but vastly improved, certificate enrollment API simply called Certenroll.

 

At the file level, Server 2003 and XP use xenroll.dll as the resource DLL. Vista and Longhorn use certenroll.dll instead.

 

Here’s the MSDN start page on the new certificate services interface:

 

Certificate Enrollment API

http://msdn2.microsoft.com/en-us/library/aa374850.aspx

 

With all this new and easy-to-use functionality comes an issue that some folks may have to deal with. Basically, the Windows 2000 and Server 2003 certificate authority web enrollment pages will not allow a Vista client to enroll for a certificate. The cause is simply the difference in the enrollment interfaces: the older pages are written against xenroll, while Vista provides certenroll.

 

Does this mean that certificate web enrollment isn’t an option from Vista clients?  Emphatic no!  But it does mean that you have some additional considerations to take into account.

 

We have a published Knowledge Base article on this (below) but I think that getting the word out a bit more on some details would be helpful for everyone.

 

How to use Certificate Services Web enrollment pages together with Windows Vista

http://support.microsoft.com/kb/922706

 

The article basically describes the problem and says that you need to remove your Windows Server 2003 CA web enrollment pages in favor of the ones from a Longhorn Server.

 

Wait! you say.  Longhorn isn’t even released yet!  How can I get those pages when they aren’t even available?

 

We have a hotfix package available as a free (my favorite word) download from our web site. 

 

Just go here and use the KB article 922706 as the reference: https://support.microsoft.com/contactus2/emailcontact.aspx?scid=sw;en;1410&WS=hotfix 

 

Here are a few caveats or things to keep in mind about the Longhorn Certificate Enrollment pages that may not have been clearly spelled out in the Knowledge Base article:

 

- The Longhorn pages support web enrollment requests from 2003 and XP clients as well as Vista (xenroll as well as certenroll)

- The article says that you must use a specific version of the Longhorn pages. Rest assured, if we provide them to you they’re the right ones.

- Enroll on Behalf of (this may be available in Vista SP1) is not present in the Longhorn pages

- Enrolling computer certificates is not possible currently (part of the enroll on behalf of difference)

 

For folks out there who have heavily customized web enrollment pages, I encourage you to contact us, obtain the Longhorn pages and then alter that code as needed to replicate what you need for your purposes.

 

Special thanks to my colleague Seth Scruggs for some of the above bullets.

 

We welcome feedback on this, so please post a comment if you’d like.  If you have questions on this, please also post.

  • How easy is it to rollback the hotfix if it does not perform as expected?

  • Thanks for your helpful article. Can we use the Longhorn patchfix on Windows 2000 Server Certificate Enrollment pages too?

  • No, these pages will only work on Windows 2003 or 2008.

  • As far as rolling back the pages, they are not an installer per se.  The article gives a step by step on how to get them on your certificate server and configure it to use them.  I haven't tested or heard of anyone doing it, but I suppose you could remove them and all of their files and replace them.  Not sure why you would need to though.

  • There’s been a lot of demand for the web enrollment pages from Server 2008. For those that have contacted