Alfred's New Ramblings

Installing Active Directory Certificate service

Installing Active Directory Certificate Services (the Windows certificate service) the wrong way round.

The Certificate Authority receives certificate requests through an IIS web site. A domain admin approves (signs) the request, or the CA issues it automatically, and the requestor then downloads the signed certificate from the same web site. What happens if the Certificate Authority was installed without IIS? Here is the fun part.

Here are some error messages to give you an idea. Using a browser on the domain controller to connect to http://localhost/certsrv:

  1. No response at all: check whether the IIS server is installed.
  2. Error 404: the Certificate Enrollment Web service is not installed.
  3. Error 500 only: the Certificate Enrollment Web service was not completely installed.

Another check is to list the applications running in IIS's default application pool (DefaultAppPool).

You will need to do the following:

  1. Install IIS: in Server Manager, use Add roles and features and select the Web Server (IIS) role.
  2. Again in Server Manager, install the Certificate Enrollment Web service under Active Directory Certificate Services.
    • A service account is required. If you were not asked for one, the web service installation is incomplete.
  3. Check the Server Manager notification flag (top right-hand corner of the window) to confirm the installation completed.
  4. Open a command window with admin rights.
  5. Run the following command to create the required virtual directories inside IIS. If step 2 was completed correctly, this is not required.

certutil -vroot

Use your browser to connect to http://localhost/certsrv or http://<servername>/certsrv
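The checks above can be scripted so the three symptoms (no response, 404, 500) are diagnosed in one pass. The following PowerShell script is an added example, not code from the original post or from Microsoft; it assumes it runs elevated on the CA server, that the ServerManager and WebAdministration modules are present (both ship with Windows Server), and that the probe URL is http://localhost/certsrv. Note that the /certsrv pages are provided by the Certification Authority Web Enrollment role service (ADCS-Web-Enrollment); the Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) is the separate role service that prompts for a service account, so the script reports both.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic script for a CA that was installed before IIS (example, not the post's own code).
# Assumes: run elevated on the CA server; ServerManager and WebAdministration modules available.
param(
    [string]$ProbeUrl = 'http://localhost/certsrv'   # assumed default, matches the post
)

Import-Module ServerManager
Import-Module WebAdministration -ErrorAction SilentlyContinue

# 1. Role / role-service state.
#    Web-Server          = IIS
#    ADCS-Cert-Authority = the CA itself (CertSvc)
#    ADCS-Web-Enrollment = the /certsrv web pages
#    ADCS-Enroll-Web-Svc = Certificate Enrollment Web Service (the one that asks for a service account)
$features = 'Web-Server', 'ADCS-Cert-Authority', 'ADCS-Web-Enrollment', 'ADCS-Enroll-Web-Svc'
Get-WindowsFeature -Name $features |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# 2. Is the CA service itself present and running?
$certsvc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if (-not $certsvc) {
    Write-Warning 'CertSvc service not found: the CA role does not appear to be installed.'
} elseif ($certsvc.Status -ne 'Running') {
    Write-Warning "CertSvc is $($certsvc.Status), not Running."
}

# 3. Does IIS have the CertSrv node under the Default Web Site?
#    This is what "certutil -vroot" creates when the role install did not.
if (Get-Module WebAdministration) {
    $certsrvNode = 'IIS:\Sites\Default Web Site\CertSrv'
    if (Test-Path $certsrvNode) {
        $app = Get-WebApplication -Site 'Default Web Site' | Where-Object { $_.path -eq '/CertSrv' }
        if ($app) {
            "CertSrv is an IIS application in pool '$($app.applicationPool)'"
        } else {
            'CertSrv exists as a plain virtual directory under the Default Web Site'
        }
    } else {
        Write-Warning 'No CertSrv node in IIS: finish the Web Enrollment role install, or run "certutil -vroot" from an elevated prompt.'
    }
} else {
    Write-Warning 'WebAdministration module not available: IIS is probably not installed.'
}

# 4. HTTP probe, mapped to the three symptoms described in the post.
try {
    $resp = Invoke-WebRequest -Uri $ProbeUrl -UseBasicParsing -UseDefaultCredentials -TimeoutSec 10
    "HTTP $($resp.StatusCode) from $ProbeUrl : certsrv is answering."
} catch {
    # Windows PowerShell throws WebException, PowerShell 7 throws HttpResponseException;
    # both expose a Response with a StatusCode when the server answered at all.
    $code = $null
    if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    switch ($code) {
        $null   { Write-Warning "No HTTP response ($($_.Exception.Message)): check that IIS is installed and W3SVC is running."; break }
        404     { Write-Warning 'HTTP 404: /certsrv content is missing, the web enrollment role service is not installed.'; break }
        500     { Write-Warning 'HTTP 500: /certsrv exists but the install is incomplete; finish it in Server Manager or run "certutil -vroot".'; break }
        default { Write-Warning "HTTP $code from $ProbeUrl ." }
    }
}
```

Run it as `.\Check-CertSrv.ps1` from an elevated PowerShell on the CA; pass `-ProbeUrl http://<servername>/certsrv` to test the name clients will actually use, which also exercises Kerberos authentication to the site rather than the localhost shortcut.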

[Figure: CertSrv site & missing]

Microsoft Guidance on Certificate Enrollment service
