François 23.01.2020 11:00 (GMT+2) Add multiple Certificate Enrollment Service instances

Thanks, Vadims, for your quick answer!

Perhaps I didn't fully understand this article, but there are screenshots of the IIS console with two CEP applications ("ADPolicyProvider_CEP_UsernamePassword" and "ADPolicyProvider_CEP_Certificate"), for example this one.


Vadims Podāns 22.01.2020 21:03 (GMT+2) Add multiple Certificate Enrollment Service instances

It is correct: you cannot have multiple CEP (policy server) instances on the same server. Only multiple enrollment services (CES) are supported. And this blog post talks about CES, not CEP.

François 22.01.2020 19:55 (GMT+2) Add multiple Certificate Enrollment Service instances

Hello Vadims, here is a doc from Microsoft where it says that "Two CEP/CES instances that are configured on one server":

As far as I tested it, these PowerShell commands used to configure the second instances of CEP/CES don't work for me (for now):

Here is the error I get:

PS ...> Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -SSLCertThumbprint "xxxxxxxxxxxxxxxxxxxxxxxxx"

Performing the operation "Install-AdcsEnrollmentPolicyWebService" on target "XXXXXXXX".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Install-AdcsEnrollmentPolicyWebService : Setup could not add this role service because it already exists in the default Web site. Please remove the existing role
service or select a different certification authority (CA) or authentication type. Cannot create a file when that file already exists. 0x800700b7 (WIN32/HTTP: 183

At line:1 char:1
+ Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-AdcsEnrollmentPolicyWebService], EnrollmentPolicyServiceSetupException
    + FullyQualifiedErrorId : Install,Microsoft.CertificateServices.Deployment.Commands.CEP.InstallAdcsEnrollmentPolicyWebService


Could you please tell me what your opinion is about this doc?

Thank you in advance!


For your information:

PS ...> certutil -config "<myCA>" -enrollmentserverurl
Enrollment Server Url[0]:
  Priority 1
  Authentication 4
    UserName -- 4
  AllowRenewalsOnly 0
  AllowKeyBasedRenewal 0
CertUtil: -enrollmentServerURL command completed successfully.


Vadims Podāns 14.01.2020 14:10 (GMT+2) Certificate Policies extension – all you should know (part 2)

Try to delete it:

certutil -oid <OidDisplayName> delete


Consult the help: certutil -oid -?

Rafal 14.01.2020 13:45 (GMT+2) Certificate Policies extension – all you should know (part 2)

By accident I have changed the policy extension name, certutil -oid [number] [policy name]... I can't get back to the old name. Any advice, please?

Now I see at View Object Identifiers:

Policy name        Object Identifier   Policy Type    

"bad name"          "number"            Application