Windows 2000 Certificate Services and Public Key Infrastructure
You can install Windows 2000 Certificate Services with the Web Enrollment Support pages on the same server as the CA (the default configuration for the CA installation process). You also have the option of installing the Web Enrollment Support pages on another Windows 2000–based server. Installing the CA and the Web Enrollment Support package on different computers reduces the load on the CA computer. You might choose this option when the CA must support a high volume of certificate services traffic or when you are installing certificate services on less powerful computers.
The Web Enrollment Support pages are installed at the following location:
<Drive:>\WINNT\System32\CertSrv
where <Drive:>\ is the letter of the disk drive where the Web Enrollment Support pages are installed.
The CertSrv folder contains Web files (Active Server Page files, graphics files, and so forth) and two folders (CertEnroll and CertControl) that contain additional support files and ActiveX controls for the Web pages.
For enterprise CAs, the Web Enrollment Support pages work from a computer other than the CA computer only if the computer where the Web Enrollment Support pages are installed is trusted for delegation. For stand-alone CAs, the other computer does not need to be trusted for delegation for the Web Enrollment Support pages to work.
You can trust a computer for delegation by using the Active Directory Users and Computers console. Before you can install the Web Enrollment Support pages, you must be logged on to the computer as a member of the Domain Admins security group.
To trust a computer for delegation
The computers in the container appear in the details pane of the console.
The Properties dialog box for that computer appears.
The Web Enrollment Support pages will not work until after the computer has been restarted.
For more information about the Active Directory Users and Computers console, see Active Directory Help.
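Trusting a computer for delegation sets the TRUSTED_FOR_DELEGATION bit (0x80000) in the userAccountControl attribute of its computer account, so the setting can be audited from a directory export. The following Python script is an added example, not part of the original documentation. It assumes an LDIF export of computer objects (for example, one produced with ldifde); the sample data, computer names, and approved list are constructed for illustration.

```python
import re

# userAccountControl bits (documented Active Directory flag values).
TRUSTED_FOR_DELEGATION = 0x80000  # set by "trusted for delegation"
SERVER_TRUST_ACCOUNT = 0x2000     # domain controller account

# Constructed sample LDIF export; all names are hypothetical.
SAMPLE_LDIF = """\
dn: CN=WEBENROLL01,CN=Computers,DC=example,DC=com
userAccountControl: 528384

dn: CN=FILESRV02,CN=Computers,DC=example,DC=com
userAccountControl: 528384

dn: CN=WKSTN17,CN=Computers,DC=example,
 DC=com
userAccountControl: 4096

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=com
userAccountControl: 532480
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per entry, unfolding wrapped lines."""
    text = re.sub(r"\r?\n ", "", text)  # a leading space continues the previous line
    entries = []
    for block in re.split(r"(?:\r?\n){2,}", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and lines without "name: value"
            name, value = line.split(": ", 1)
            entry.setdefault(name.lower(), value)  # keep the first value only
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_delegation(ldif_text, approved):
    """Return (expected, unexpected) DNs of member computers trusted for delegation."""
    approved = {name.upper() for name in approved}
    expected, unexpected = [], []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("useraccountcontrol", "0"))
        # Domain controllers carry the flag by default, so they are not reported.
        if not uac & TRUSTED_FOR_DELEGATION or uac & SERVER_TRUST_ACCOUNT:
            continue
        cn = entry["dn"].split(",", 1)[0].partition("=")[2].upper()
        (expected if cn in approved else unexpected).append(entry["dn"])
    return expected, unexpected

if __name__ == "__main__":
    print(audit_delegation(SAMPLE_LDIF, approved={"WEBENROLL01"}))
```

Any computer in the unexpected list is trusted for delegation without being a known Web enrollment server and should be reviewed.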
You can use the Windows Components wizard to install the Web Enrollment Support pages on a computer other than the one where the CA is installed. Before you can install the Web Enrollment Support pages, you must be logged on to the computer as a member of the Domain Admins security group. You can install the Web Enrollment Support pages only on a Windows 2000–based server on which Internet Information Services is installed.
To install Web Enrollment Support pages on a computer other than where the CA is installed
The Add/Remove Programs dialog box appears.
The Windows Components wizard appears.
The Certificate Services Client Configuration page appears.
– Or –
Click Browse to locate and select the computer.
The CA Name box displays the name of the CA that is running on the server you have selected. The Web Enrollment Support pages are installed to work with this CA.
After the Web Enrollment Support pages are installed, test the Web pages to be sure that they work properly with the CA. For example, use the Web Enrollment Support pages to request a certificate or a CRL from the CA. You might also want to change the default security settings for the Web Enrollment Support pages.