

Key-based renewal lets certificate clients renew their certificates by using the key of their existing certificate for authentication. This covers clients that hold a valid client certificate for authentication but do not directly map to a security principal. When the Certificate Enrollment Web Service (CES) runs in key-based renewal mode, it returns only certificate templates that are set for key-based renewal.

Install CES in renewal-only mode with key-based renewal enabled:

Install-AdcsEnrollmentWebService -CAConfig "\contoso-CA1-CA" -SSLCertThumbprint "sslCertThumbPrint" -AuthenticationType Certificate -ServiceAccountName "Contoso\cepcessvc" -ServiceAccountPassword (read-host "Set user password" -assecurestring) -RenewalOnly -AllowKeyBasedRenewal

This command installs CES against the certification authority with a CA common name of contoso-CA1-CA (the computer name in the -CAConfig value, which takes the form ComputerName\CACommonName, is not given in this excerpt). The parameters do the following:

-SSLCertThumbprint is the thumbprint of the certificate that will be bound to the IIS HTTPS site; "sslCertThumbPrint" is a placeholder for the real thumbprint.
-AuthenticationType Certificate requires clients to authenticate to CES with a client certificate.
-ServiceAccountName specifies the identity that CES runs as, here the Contoso\cepcessvc service account; -ServiceAccountPassword prompts for that account's password as a secure string so it is not written into the script.
-RenewalOnly makes CES run in renewal-only mode: it does not accept initial enrollment requests.
-AllowKeyBasedRenewal makes CES accept key-based renewal requests for this enrollment server.

Note that RenewalOnly and AllowKeyBasedRenewal are switch parameters of Install-AdcsEnrollmentWebService, not separate cmdlets.

Next, publish the custom port. Using ADSI Edit, connect to the Configuration partition and navigate to your CA enrollment services object:

CN=ENTCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=com

Change the msPKI-Enrollment-Servers attribute so that the CEP and CES server URIs (the ones found in the application settings of the CEP and CES web applications) use the custom port.

Finally, on the client computer, select Start > Run, enter gpedit.msc, and set up the certificate enrollment policies and the auto-enrollment policy so the client uses the CEP server on the custom port.
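The whole server-side procedure scripted in PowerShell, as an added example that is not part of the original article: it installs CEP and CES in key-based renewal mode with certificate authentication, adds the custom-port HTTPS binding in IIS, and rewrites the published URIs on the ENTCA enrollment services object. The names contoso-CA1-CA, Contoso\cepcessvc and ENTCA come from the page; the host name ca1.contoso.com, the port 49443, the certificate subject used to locate the SSL certificate, and the use of the IIS Default Web Site are assumptions made for illustration.

```powershell
# Added example (not the article's own code) for configuring CEP/CES in
# key-based renewal mode on a custom port. ASSUMED values: the host name
# ca1.contoso.com, port 49443, the SSL certificate subject, and the IIS
# "Default Web Site". Run elevated on the CEP/CES server.

#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory, WebAdministration

$CaHost     = 'ca1.contoso.com'        # ASSUMED: CA / CEP-CES server host name
$CaConfig   = "$CaHost\contoso-CA1-CA" # -CAConfig takes ComputerName\CACommonName
$CustomPort = 49443                    # ASSUMED: custom HTTPS port for CEP/CES
$SvcAccount = 'Contoso\cepcessvc'      # service account named on the page
$SiteName   = 'Default Web Site'       # ASSUMED: IIS site hosting CEP/CES

# 1. Locate the IIS binding certificate by subject instead of pasting a
#    thumbprint; require a private key and take the longest-lived match.
$sslCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$CaHost*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $sslCert) { throw "No SSL certificate for $CaHost in LocalMachine\My" }

# Prompt for the service-account password once; never hard-code it.
$svcPassword = Read-Host "Password for $SvcAccount" -AsSecureString

# 2. CEP in key-based renewal mode, certificate authentication.
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate `
    -SSLCertThumbprint $sslCert.Thumbprint -KeyBasedRenewal -Force

# 3. CES in renewal-only mode that accepts key-based renewal requests.
Install-AdcsEnrollmentWebService -CAConfig $CaConfig `
    -SSLCertThumbprint $sslCert.Thumbprint -AuthenticationType Certificate `
    -ServiceAccountName $SvcAccount -ServiceAccountPassword $svcPassword `
    -RenewalOnly -AllowKeyBasedRenewal -Force

# 4. Add the custom-port HTTPS binding and attach the same certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $CustomPort)) {
    New-WebBinding -Name $SiteName -Protocol https -Port $CustomPort | Out-Null
}
$binding = Get-WebBinding -Name $SiteName -Protocol https -Port $CustomPort
$binding.AddSslCertificate($sslCert.Thumbprint, 'My')

# 5. Rewrite the URIs published in msPKI-Enrollment-Servers to the custom port.
#    The attribute is multi-valued and each value embeds a URI; only the
#    "https://host/" prefix is changed, everything else in each value is kept.
$configNC = (Get-ADRootDSE).configurationNamingContext
$esDn = "CN=ENTCA,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
$es = Get-ADObject -Identity $esDn -Properties 'msPKI-Enrollment-Servers'
$pattern = "https://$([regex]::Escape($CaHost))/"
$updated = @($es.'msPKI-Enrollment-Servers') | ForEach-Object {
    $_ -replace $pattern, "https://${CaHost}:$CustomPort/"
}
Set-ADObject -Identity $esDn -Replace @{ 'msPKI-Enrollment-Servers' = $updated }

# Show the published values so the port change can be eyeballed.
$updated
```

After the client has received the enrollment and auto-enrollment policy through Group Policy, a key-based renewal can be exercised from the client with `certreq -machine -q -enroll -PolicyServer * -cert <thumbprint> renew reusekeys`, which authenticates with the existing certificate's key; a CES installed with -RenewalOnly will reject any initial enrollment attempt, which is a quick way to confirm the mode took effect.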
