We need to discuss the Microsoft Certification Authority Web Enrollment (CAWE) Role

We need to discuss the Microsoft Certification Authority Web Enrollment (CAWE) Role

Hello everyone, this is Rob Greene. I recently had a case where a customer was having trouble with the CAWE pages. I realized that we do not have much useful information on how outdated these web pages are. Customers have been using different default browsers, and while security has been evolving in the Windows environment, these CAWE pages have not adapted to those changes.

What is CAWE?

Certification Authority Web Enrollment is a Windows Server role that can be installed on a Certification Authority (although not recommended) or on a member server hosting IIS separate from the Certification Authority role. CAWE role will install IIS and all subcomponents needed to run the CA Web Enrollment pages. From these web pages users can do any of the following:

• Request User Certificates (If you use Internet Explorer).
• Submit Certificate Service Requests (CSRs) typically against certificate templates configured for “Supply in the Request” on the templates Subject tab.
• Download the CA’s certificate chain, and latest CRL.  You cannot request computer certificates.

A little bit of history

These web pages have been available within the Windows Server operating system since Windows Server 2000.  These pages were designed to show customers how they could write web-based solutions to enroll and manage certificates within the environment.  Over time the web pages were updated in Windows Server 2003 for various purposes. Starting with Windows Server 2008 this solution started to wane as Active-X based activities came to be seen as a security risk and subsequently no further development was done to make the web enrollment pages viable.

What’s wrong with CAWE

Nowadays some of the issues that WILL be experienced if you try and leverage the CAWE pages are the following:

• Cannot be used to enroll computer-based certificates.  Only User certificates can be enrolled via the browser.
• Can only do enrollment with Internet Explorer as this is the only Browser that supports Active X controls.
• Some limited functionality can be restored if you use Microsoft Edge, and ONLY IF you set the web enrollment site up to be used in IE-Mode
• Only Version 1 and version 2 certificate templates will be shown. All other versions will not be displayed. (Versions can be seen using CertTempl.msc snapin)
• Certificate templates that are configured, on the Cryptography tab, to use a Key Storage Provider will not be available.
• Templates with Key Archival will not appear on enrollment pages on Windows 10 and higher machines without modification to the pages.
• The CAWE web pages are no longer being maintained or developed by the product team.  These pages do still exist in the current operating system release of Windows Server 2022, however we are not adding any new functionality to them at this time.  With all this being stated, do not worry, we have other options available that will accomplish everything that the web enrollment pages do in either a GUI, or from the command line.

What are the options?

To discuss these options, we first need to break this down into two separate methods. 

• If you already have a Certificate Service Request (CSR) file generated, from a 3^rd party application, or other operating system, then you can use the certreq.exe command line tool to submit the request to the CA, discussed below.
• If you are using the Windows Operating System to generate the certificate request and submit it to the CA, you can use the GUI, PowerShell, or Certreq.exe commands to get a certificate issued.

Already have a CSR file, and need to get it issued by a Microsoft Certification Authority

Currently there is no Windows PowerShell command that will submit a certificate service request (CSR) file to a Microsoft CA. This means that the only command line way to accomplish this is via CertReq.exe.

Submitting CSRs via CertReq.exe

Some examples of certreq.exe commands submitting a CSR to a Microsoft Certification Authority are as follows:

Example data:

CA COMPUTER DNS Name: fab-rt-ca01.fabrikam.com
CA Name: Fabrikam Issuing CA1
Certificate Template Name: FabrikamWebServer
CSR File Name: WindowsIIS.csr / LinuxApache.csr
Certificate Output File Name: WindowsIIS.cer / LinuxApache.cer

NOTE: If the template is configured to require CA manager approval, then it will not immediately issue the signed certificate and extra steps will be required.

Submitting a CSR file that has the certificate name specified in the request file.

CertReq -Submit -Config "CA COMPUTER DNS NAME\CA NAME" CSRFileName CertificateOutputFileName

CertReq -Submit -Config "fab-rt-ca01.fabrikam.com\Fabrikam Issuing CA1" WindowsIIS.csr WindowsIIS.cer

Submitting a CSR file that DOES NOT have the certificate template name specified in the request file.

CertReq -Submit -Config "CA COMPUTER DNS NAME\CA NAME" -attrib "CertificateTemplate:CertTemplateName" CSRFileName CertificateOutputFileName

CertReq -Submit -Config "fab-art-ca01.fabrikam.com\Fabrikam Issuing CA1" "CertificateTemplate:FabrikamWebServer" LinuxApache.csr LinuxApache.cer

In either situation once the CSR has been submitted, if the certificate requires CA Manager approval you can get the CER file if you have the request ID as well via the command below:

CertReq -Retrieve -Config "CA COMPUTER DNS NAME\CA NAME" RequestID CertificateOutputFileName

CertReq -Retrieve -Config "fab-rt-ca01.fabrikam.com\Fabrikam Issuing CA1" 10 WindowsIIS.cer

Submitting the CSR via the Certification Authority Snap-in

If the CSR does have the certificate template defined in it, then it also can be submitted via the Certification Authority snap-in.

1. Launch CertSrv.msc (Certification Authority snapin).
2. Expand out to the Certification Authorities object within the snapin.
3. Right click on the Certification Authority, and then select "All Tasks", and then click on "Submit new request"
4. Browse to the CSR file, and then click on the Open button.
5. If the template is configured to be issued without CA Manager approval, a dialog box will pop up to type in the CER file name and specify the location where to save the file.
6. If it requires CA Manager approval, click on the "Pending Requests" container, right click on the Request, select "All Tasks", and click "Issue".
7. Click on the "Issued Certificates", then locate the issued certificate and double click on it.
8. Once the certificate dialog box is opened click on the "Details" tab, and then click on the "Copy to File" button.
9. Specify a file and folder path to save the CER file.

NOTE: if a CSR file is submitted directly to a Microsoft Enterprise Certification Authority that DOES NOT have the certificate template name defined in the CSR the request submission to the CA will fail with the dialog box error of:

The request contains no certificate template information. 0x80094801 (-2146875391 CERT_E_NO_CERT_TEMPLATE) Denied by Policy Module 0x80094801, 
The request does not contain a certificate template extension or the CertificateTemplate request attribute.

Error seen in the CA Application event log:

Log Name:      Application
Source:        Microsoft-Windows-CertificationAuthority
Event ID:      53
Level:         Warning
User:          SYSTEM
Computer:      COMPUTERNAME

Description:
Active Directory Certificate Services denied request 74 because the request contains no certificate template information. 
0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE). 
The request was for CN=CERT_REQUESTER_INFORMATION.  Additional information: Denied by Policy Module 0x80094801, 
The request does not contain a certificate template extension or the CertificateTemplate request attribute.

If submitting via CerReq:

The parameter is incorrect.  0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)

Generating a CSR on a Windows system.

There are several ways to generate a CSR using the MMC UI Wizard, CertReq.exe , or via Windows PowerShell (Get-Certificate).

With the MMC UI Wizard, a CSR can be generated using a certificate template that is configured for "Supply in the Request" for the subject Name tab, or without leveraging a certificate template at all.  If you do not have an Enterprise Certification Authority available, you will more than likely be submitting the request either via Certreq.exe or submitting the certificate via the Certification Authority snap-in if it is a standalone CA.

Generating a CSR from the MMC Wizard/UI

So, depending on what account needs to get the certificate you would run two different snapins. 

• For User certificates you can launch:  CertMgr.msc
• For Computer certificates you can launch:  CertLM.msc

If you would like to request a certificate from an Enterprise Certification Authority using the MMC snapin for any certificate, you must use a template where the Subject Name tab is configured with Supply in the Request.

Submit a Request using certificate template set to "Supply in the request"

1. Launch the Certificate MMC for the user or computer (CertLM.msc/CertMgr.msc).
2. Expand out to Personal\Certificates right click on Certificates (or Personal if first certificate) container and select All Tasks, then select Request New Certificate.
3. Click the Next button.
4. Select the Enrollment Policy you wish to use, then click Next.
5. Select the Certificate Template that you wish to use.
6. Click on the Details setting, and then click on the Properties button, or the blue text "More information is required to enroll for this certificate. Click here to configure settings"
7. There are multiple tabs in here that can be specified. This blog is not going to cover too much about what settings to configure as that is going to be based more on what you are issuing the certificate for.

• Subject: This is where you can add a name to not only the Subject field on the issued certificate but also populate the Subject Alternative Name extension on the issued certificate.
• General: Can type in a friendly name for the certificate. This will be displayed within the certificates MMC console.
• Extensions: This is where you fill in any certificate extensions that the issued certificate needs. You can also mark certain extensions as Critical Extensions. The two common ones are Key Usage (KU) and Enhanced/Extended Key Usage (EKU).
• Private Key: This is where you can select the KSP/CSP to use for the private key as well as different key options (like Make Private Key Exportable) and Key Size. Also, the Request Hashing algorithm to be used for the CSR.
• Certification Authority: This will list the Microsoft Enterprise Certification Authorities that are configured to issue the certificate template in question. You can select or deselect any of the certification authorities from the list if you do not wish to get a certificate issued by that certification authority.
• Signature: Allows to specify an Enrollment Agent (EA) or Registration Authority (RA) certificate to use to sign the certificate request. This is typically NOT a requirement to be able to do the enrollment. It would be dictated by the setting certificate template Issuance Requirements tab, and specifically the check box. This number of authorized signatures would need to be checked as well as the other settings be filled out for that section.

8. Once all the desired or required tabs have been filled out, click the OK button.
9. Make sure the checkbox is checked for the certificate template, and then click the Enroll button.

NOTE: With all certificate templates that are configured for the Subject Name of "Supply in the request" it is best to also configure the certificate templates Issuance Requirements setting "CA certificate manager approval" setting be checked.  There are known vulnerabilities if you let the certification authority issue the certificate automatically with this type of configuration.  Securing AD CS: Microsoft Defender for Identity's Sensor Unveiled - Microsoft Community Hub

10. Go to the Certification Authority snap-in, click on the Pending Requests container.
11. Find the certificate request of interest, and then right click on it, and select All Tasks, then click on Issue.
12. Go back to the Certificate snap-in in where the enrollment was done, and click on Certificates – Local Computer, or Certificates – Current User.
13. Then right click on the heading and select All Tasks and click on Automatically Enroll and Retrieve Certificates.
14. A new wizard is launched, click the Next button.
15. Select the certificate you are interested in and click on the Enroll button.
16. Click the Finish button.
    
    

Generating a CSR without using a certificate template. (Should only be used with Standalone or 3rd party CAs)

1. Launch the Certificate MMC for the user or computer (CertLM.msc/CertMgr.msc).
2. Expand out to Personal\Certificates right click on Certificates (or Personal if first certificate) container and select All Tasks, then select Advanced Operations, and then click on Create Custom Request.
3. Click the Next button.
4. Select the Enrollment Policy named Proceed without enrollment policy, and then click the Next button.
5. Select the Template type you wish to use. 
   1. CNG key – means you will use a Key Storage Provider (KSP). Supported starting with Windows Vista.
   2. Legacy key – means you will use a Cryptographic Service Provider (CSP). Supported starting with Windows 2000.
6. The Request format can be PKCS #10 however, some features do require CMC format.
7. Click the Next button.
8. Since this is not using a certificate template to configure anything about the certificate service request, more information does need to be specified. Click on the Details setting, and then click on the Properties button.
9. There are multiple tabs in here that can be specified. Again, this blog is not going to cover too much about what settings to configure as that is going to be based more on what you are issuing the certificate for.

• General: Can type in a friendly name for the certificate.  This will be displayed within the certificates MMC console.
• Subject: This is where you can add a name to not only the Subject field on the issued certificate, but also populate the Subject Alternative Name extension on the issued certificate.
• Extensions: This is where you fill in any certificate extensions that the issued certificate needs.  You can also mark certain extensions as Critical Extensions. The two common ones are Key Usage (KU) and Enhanced/Extended Key Usage (EKU).
• Private Key: This is where you can select the KSP/CSP to use for the private key as well as different key options (like Make Private Key Exportable) and Key Size. Also, the Request Hashing algorithm to be used for the CSR.

10. Once all the required tabs have been filled out, click the OK button.
11. Click the Next button.
12. Type in a file name for the CSR file, and then select the file format. For most CSRs it would be best to use Base64 these days instead of Binary.
13. Click the Finish button.
14. Now you can do whatever is needed with the generated CSR file.
15. Once the CER file has been gotten, you will then need to get the public certificate added back to the store in one of two ways.
    1. Use:

       CertReq.exe [-User or -Machine] -Accept CERFileName.cer 

NOTE: If this was for a user certificate use the "-User" switch, and if it was for a computer certificate then use the "-Machine" switch.

b. Import the public certificate into the store via the UI. Once you do this, the private key IS NOT associated with this new public certificate.  Run the following command to repair the store and get the two associated again.

CertUtil [-User] -RepairStore My [THUMBPRINT/*]

NOTE: CertUtil commands default to computer context. So, if you want to target the users certificate store you need to add the "-User" switch.  The personal store is programmatically known as the MY store, and that is why MY is referenced in the CertUtil command.  The asterisk will run the RepairStore command against all certificates in the MY store.

 Using Windows PowerShell to enroll for a certificate.

Yes, you can use Windows PowerShell to enroll for certificates and manage the certificate store.

First, we should cover how you can investigate the certificate store by using the CERT: drive as this is the path used when specifying the Certificate store Location (CertStoreLocation).

First you need to open a Windows PowerShell command Prompt.  Once this has been done, it is as simple as changing directory (CD) to CERT:.

PS C:\Users\Administrator> cd Cert:
PS Cert:\>

You treat this like a regular drive, and use common commands with it like: DIR, CD, MD, RD, Del.

Once you are in the drive, you can see that you first must decide whether you are going to go into the CurrentUser or LocalMachine certificate.

PS Cert:\> dir
Location   : CurrentUser
StoreNames : {TrustedPublisher, ClientAuthIssuer, Root, UserDS...}

Location   : LocalMachine
StoreNames : {AAD Token Issuer, AuthRoot, My, AddressBook...}

Then you can go into each of the stores within the location.

PS Cert:\> cd CurrentUser
PS Cert:\CurrentUser> dir
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Root
Name : UserDS
Name : CA
Name : ACRS
Name : REQUEST
Name : AuthRoot
Name : MSIEHistoryJournal
Name : TrustedPeople
Name : AddressBook
Name : Local NonRemovable Certificates
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed

PS Cert:\CurrentUser> cd my
PS Cert:\CurrentUser\my>

Now that moving around within the stores has been covered, the cmdlet named Get-Certificate is what can be used to enroll for certificates based on certificate templates.  This Windows PowerShell command supports the enrollment of certificates via the command line. It can also submit Requests (CSRs) that are sitting in the REQUEST store to the CA. However, I do not believe most would choose this method.

Conclusion

There are various methods to send a certificate or certificate service request (CSR file to a Microsoft Certification Authority nowadays without relying on the Certification Authority Web Enrollment pages. As stated, these pages are no longer under development or maintenance, so as time goes on these pages are going to become less and less usable whether it comes from Browser security changes, or changes to how Windows Systems enroll for certificates over time.

Rob "Web Enrollment pages is so 2000's" Greene