Windows Server 2012 AD CS: "The endpoint address URL is invalid"


When enrolling against a CA that has space characters in its name through Certificate Enrollment Web Services (CES), the client receives the error "The endpoint address URL is invalid."


This is a known issue with Windows Server 2012. When installing and configuring Certificate Enrollment Web Services (CES), the enrollment Universal Resource Locator (URL) is automatically generated based on the Certification Authority's (CA) name. If the CA name contains space characters, the spaces are not properly encoded when the URL is automatically generated, resulting in the space characters being transposed directly into the URL.


To work around this issue, delete the automatically generated CES URL and add a properly encoded URL. Use one of the following two methods to accomplish this task.

Method 1: Modify the CES URL in Internet Information Services (IIS) Manager
  1. Ensure that you are connected to the computer running the Certificate Enrollment Web Service server role.
  2. From Server Manager, click Tools, and then click the Internet Information Services (IIS) Manager.
  3. In the Connections pane, expand the web site that you want to manage.

    Note: If you see an Internet Information Services (IIS) Manager message that asks if you want to get started with Microsoft Web Platform, click Cancel.
  4. Expand Sites, and then expand the Default Web Site.
  5. Click the virtual application that corresponds to the Certificate Enrollment Web Service that you are running.
  6. In the center pane, double-click Application Settings.
  7. In Application Settings, double-click URI.
  8. In Edit Application Settings, under Value, enter %20 for every space in the uniform resource identifier value.
  9. Once you have a URI value that where all spaces have been replaced with %20, click OK.

Method 2: Modify the CES URL from the command line using APPCMD.EXE.

  1. Open a Command Prompt or Windows PowerShell as an administrator on the computer that is running the Certificate Enrollment Web Services.
  2. Change to the %systemroot%\system32\inetsrv directory, so you can use the appcmd utility.
  3. Run the command appcmd list apps to see a list of applications running on the computer. Identify the Certificate Enrollment Web Services application that you want to modify. This application should have CES in the APP name and is typically running in the applicationPool:WSEnrollmentServer.
  4. Run the command appcmd list config "Default Web Site/<appname>" /section:appsettings. Replace the <appname> with the name of the Certificate Enrollment Web Services application that you identified in the previous step.
  5. Run the command appcmd config "Default Web Site/<appname>" /section:appsettings /"[key='URI'].value:"<newURI>". Replace <appname> with the application name you identified in step 3. Replace <newURI> with the same URL that you saw in Step 4, except for each space in the URL, replace it with %20. See the following figure for an example of these commands.
  6. Restart the IIS server (iisreset).

Sample appcmd command


ID d'article : 2815697 - Dernière mise à jour : 27 avr. 2013 - Révision : 1