Windows 2000 Certificate Services and Public Key Infrastructure

Install Web Enrollment Support on Another Computer (Optional)

You can install Windows 2000 Certificate Services with the Web Enrollment Support pages on the same server as the CA (the default configuration for the CA installation process). You also have the option of installing the Web Enrollment Support pages on another Windows 2000–based server. Installing the CA and the Web Enrollment Support package on different computers reduces the load that would otherwise be required for the CA computer. You might choose this option when the CA must support a high volume of certificate services traffic or when you are installing certificate services on less powerful computers.

The Web Enrollment Support pages are installed at the following location:

<Drive:>\WINNT\System32\CertSrv

where <Drive:>\ is the letter of the disk drive where the Web Enrollment Support pages are installed.

Folder CertSrv contains Web files (Active Server Page files, graphics files, and so forth) and two folders (CertEnroll and CertControl) that contain additional support files and ActiveX controls for the Web pages.

Trusting the Computer for Delegation

For enterprise CAs, the Web Enrollment Support pages work from a computer other than the CA computer only if the computer (where the Web Enrollment Support pages are installed) is trusted for delegation. You do not need to trust the other computer for delegation for the Web Enrollment Support pages to work with stand-alone CAs.

You can trust a computer for delegation by using the Active Directory Users and Computers console. Before you can install the Web Enrollment Support pages, you must be logged on to the computer as a member of the Domain Admins security group.

To trust a computer for delegation

Expand the Active Directory Users and Computers node for the domain.
Select the container with the computer that you want to trust.
The computers in the container appear in the details pane of the console.
Double-click the computer that you want to trust.
The Properties dialog box for that computer appears.
In the General dialog box, click Trust computer for delegation to select the check box, and then click either OK or Apply.
Restart the computer so that the new delegation setting can take effect.
The Web Enrollment Support pages will not work until after the computer has been restarted.

For more information about the Active Directory Users and Computers console, see Active Directory Help.

Installing the Web Enrollment Support Pages

You can use the Windows Components wizard to install the Web Enrollment Support pages on another computer other than where the CA is installed. Before you can install the Web Enrollment Support pages, you must be logged on to the computer as a member of the Domain Admins security group. You can install the Web Enrollment Support pages only on a Windows 2000–based server on which Internet Information Services is installed.

To install Web Enrollment Support pages on a computer other than where the CA is installed

In Control Panel, click Add/Remove Programs.
The Add/Remove Programs dialog box appears.
Click Add/Remove Windows Components.
The Windows Components wizard appears.
In the Windows Components page, select the Certificate Services check box.
Click Details, and then clear the Certificate Services check box. Verify that the Certificate Services Web Enrollment Support check box is selected, and then click OK.
Click Next.
The Certificate Services Client Configuration page appears.
Type the domain name of the server computer with the CA in the Computer Name box.
– Or –

Click Browse to locate and select the computer.

The CA Name box displays the name of the CA that is running on the server you have selected. The Web Enrollment Support pages are installed to work with this CA.
Click Next, and complete the Windows Component wizard.

After the Web Enrollment Support pages are installed, test the Web pages to be sure that they work properly with the CA. For example, use the Web Enrollment Support pages to request a certificate or a CRL from the CA. You might also want to change the default security settings for the Web Enrollment Support pages.