This article discusses how to use Certificate Services Web enrollment pages together with Windows Vista or Windows Server 2008.

Back to the top

Note The Windows Server 2008 Certificate Web Enrollment pages are available as a hotfix. These files support certificate Web enrollment from Server 2008 clients and from Vista clients (Certenroll). These files also support certificate Web enrollment from Windows XP clients and from Server 2003 clients (Xenroll). To install these pages, download the hotfix and then follow the instructions that are provided later in this article. For more information, visit the following Microsoft TechNet Web site: The following files are available for download from the Microsoft Download Center:

Update for x86 version of Windows Server 2003

Update for x64 version of Windows Server 2003

Update for Itanium version of Windows Server 2003

Certificate Services is available on computers that are running the following operating systems:

•	Microsoft Windows Server 2003, Standard Edition
•	Microsoft Windows Server 2003, Enterprise Edition
•	Microsoft Windows Server 2003, Datacenter Edition
•	Microsoft Windows Server 2008

Certificate Services provides customizable services to issue and to manage certificates for use with software security systems that use public key technology. Windows Certificate Services includes a set of certification authority (CA) Web pages. These Web pages provide a simple user interface to perform many of the common user tasks in the certification authority. These Web enrollment pages let you use a Web browser to connect to the certification authority. You can use the Web browser to perform common tasks, such as requesting a certificate, requesting the certification authority certificate, submitting a certificate request by using a PKCS #10 file, and so on.

Certificate enrollment Web pages are especially helpful in a scenario where the client computer cannot connect to the certification authority directly. You may experience this scenario in an environment where the client computer is not a member of the domain or where the certification authority is located in a different Active Directory directory service forest.

The certificate enrollment Web pages are included as an optional component in the original release version of Windows Server 2003, in Windows Server 2003 Service Pack 1 (SP1), and in Windows Server 2003 Service Pack 2 (SP2). These Web pages include a script that is based on the Xenroll ActiveX control. When you visit the certificate enrollment Web site, the client computer automatically downloads and installs the correct version of Xenroll if the correct version of Xenroll is not already installed.

Windows Vista and Windows Server 2008 do not use Xenroll. Instead, Windows Vista and Windows Server 2008 use a set of dual interface Component Object Model (COM) objects. This set of COM objects is known as CertEnroll. Xenroll is disabled in Windows Vista and in Windows Server 2008. Therefore, if you try to manually install Xenroll, the installation is unsuccessful.

Windows Server 2008 includes updated sample Web pages for Web-based certificate enrollment operations. These Web pages are updated to work together with the CertEnroll component in Windows Vista. Additionally, these Web pages work together with Xenroll.

Back to the top

Windows Server 2008 certificate enrollment Web pages

Windows Server 2008 includes updated sample Web pages for Web-based certificate enrollment operations. These Web pages are updated to work together with the CertEnroll component in Windows Vista. Additionally, these Web pages work together with Xenroll.

The certificate enrollment Web pages in Windows Server 2008 are designed to detect the client operating system and to then use the appropriate control. If the client computer is running Windows Server 2003 or Microsoft Windows XP, the certificate enrollment Web pages use Xenroll. If the client computer is running Windows Vista or Windows Server 2008, the certificate enrollment Web pages use CertEnroll.

Note The Windows Vista certificate enrollment client component has been enhanced over that of earlier versions of Windows. Some of the functionality that was formerly accessed by using Web pages is now included in the client component. Therefore, this functionality has been removed from the updated certificate enrollment Web pages. Functionality that has been removed includes the following:

•	The Enroll on Behalf of operation An enrollment agent uses this feature to enroll for a certificate on behalf of another user.
•	Computer certificate enrollment Administrative rights are required to request a computer certificate. In Windows Vista, Microsoft Internet Explorer does not use administrative rights to run. Therefore, the option to store a computer certificate in the computer store was removed from the Windows Server 2008 certificate enrollment pages.
•	The Xenroll .cab file If a client computer has an earlier version of Xenroll installed, the client is not prompted to upgrade to the latest version of Xenroll.
•	The whole range of locales for the Web pages Certain localized versions of the certificate enrollment Web pages may not be available until Windows Server 2008 is released.

Back to the top

Windows Server 2003 and Windows Server 2003 SP1 certificate enrollment Web pages

Windows Server 2003 and Windows Server 2003 SP1 certificate enrollment Web pages do not contain code to detect the certificate enrollment changes in Windows Vista and in Windows Server 2008. Therefore, these Web pages always try to use Xenroll. Therefore, when you try to perform a Web-based certificate enrollment operation from Windows Vista or from Windows Server 2008, the certificate enrollment operation is unsuccessful.

In this scenario, you receive the following message in the Web browser window:

Back to the top

Windows Server 2003 SP2 certificate enrollment Web pages

Windows Server 2003 SP2 certificate enrollment Web pages have been updated to detect the certificate enrollment changes in Windows Vista and in Windows Server 2008. However, because of the different release dates for Windows Server 2003 SP2, for Windows Vista, and for Windows Server 2008, Windows Server 2003 SP2 certificate enrollment Web pages do not recognize the CertEnroll interfaces. Therefore, if you visit the certificate enrollment Web site by using a computer that is running Windows Vista or Windows Server 2008, you receive a message that states that the Web pages must be updated.

Back to the top

Interoperability table

The following table illustrates the interoperability between the various versions of the certificate enrollment Web pages and the various Windows-based client computers.

	Windows Server 2003 and Windows Server 2003 SP1	Windows Server 2003 SP2	Windows Server 2008
Client computers that are earlier than Windows Vista	Supported	Supported	Supported but with reduced functionality
Windows Vista-based client computers	Unsuccessful together with a "Downloading ActiveX control" message	Unsuccessful together with a message that states that the Web pages must be updated	Supported

Important We recommend that you back up the %systemroot%\System32\Certsrv folder before you install the updated Web pages. The installation process causes updates and deletions to files in this folder that may cause you to lose customizations and additions. After you finish the backup process, follow the installation instructions on the download page for the update package.

Back to the top