Configuring CES

The Install-AdcsEnrollmentWebService cmdlet configures the Certificate Enrollment Web Service (CES). It is also used to create other instances of the service within an existing installation.

  1. Log in to the CES server using CESAdmin as user name, and then launch PowerShell in administrative mode.
  2. Run the command Import-Module ServerManager.
  3. Run the command Add-WindowsFeature Adcs-Enroll-Web-Svc.
  4. Run the command Install-AdcsEnrollmentWebService -ApplicationPoolIdentity -CAConfig “CA1.contoso.com\contoso-CA1-CA” -SSLCertThumbprint “sslCertThumbPrint” -AuthenticationType Certificate.
    Notes:
    • Replace <sslCertThumbPrint> with the thumbprint of the SSL certificate created for the CES server, after deleting the spaces between the thumbprint values.
    • Replace CA1.contoso.com with your CA computer name.
    • Replace contoso-CA1-CA with your CA common name.
    • If you have already configured one authentication method in the host, then remove ApplicationPoolIdentity from the command.
  5. Complete the installation either by selecting Y or A.
  6. Launch the IIS Manager Console.
  7. In the Connections pane, expand the web server that is hosting CEP.
  8. Expand Sites, expand Default Web Site, and then click the appropriate installation virtual application name: contoso-CA1-CA _CES_Certificate.
  9. From the left pane, click the Application Pools.
  10. Select WSEnrollmentServer, and then from the right pane, click Actions > Advanced Settings.
  11. Select the identity field under Process Model.
  12. In the Application Pool Identity dialog, select the custom account, and then type CESSvc as the domain user name.
  13. Close all dialogs, and then recycle IIS from the right pane of the IIS Manager Console.
  14. From PowerShell, type iisreset to restart IIS.
  15. For CESSvc domain user, enable delegation. For more information, see Enabling delegation.