How to access the new Certificate Enrollment Web Services programmatically

Hi all,

Some time ago a customer of mine wanted to use the Windows Server 2008 R2 Certificate Enrollment Web Services, so they could send a PKCS#10 request and get the certificate back.

They followed the instructions in this whitepaper: Certificate Enrollment Web Services in Windows Server 2008 R2. They installed the CA and the web services, and they were able to enroll certs by using the Windows GUI ("Request new certificate..." option in the certificate store).

Then they tried to consume those web services from a C# client. The issue was that they couldn't find the relevant method for enrollment.


Our "Request New Certificate..." GUI uses CertEnroll behind the scenes to access those web services, instead of calling the web services directly. CertEnroll is the supported way to drive them from code as well.

The Microsoft Windows SDK contains a sample that uses the Certificate Enrollment Web Services through CertEnroll:
C:\Program Files\Microsoft SDKs\Windows\v7.1\Samples\security\x509 certificate enrollment\CSharp\enrollWithIX509EnrollmentHelper

From its readme.txt:
Windows 7 X509CertificateEnrollment C# Sample

Sample name: enrollWithIX509EnrollmentHelper

This sample demonstrates how to use the Windows 7 new http protocol to
enroll a certificate by calling the IX509EnrollmentHelper::AddEnrollmentServer
and IX509Enrollment2::Enroll methods. The purpose of the call to the
IX509EnrollmentHelper::AddEnrollmentServer is to cache the authentication
credential to enrollment server in Windows vault.

This sample does not support the certificate authentication type.
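As an added illustration (not the SDK sample's code and not part of the original post), here is a minimal C# client that follows the same path: cache the enrollment server with IX509EnrollmentHelper::AddEnrollmentServer, then enroll with IX509Enrollment2::Enroll. The service URLs and template name are placeholders, Kerberos authentication is assumed, and the policy-service step, which the readme does not mention, is assumed to be how the template that Enroll() needs is obtained.

```csharp
using System;
using CERTENROLLLib; // COM reference: "CertEnroll 1.0 Type Library"

// Added example: enroll through CertEnroll against the Certificate Enrollment
// Policy (CEP) and Certificate Enrollment (CES) web services. URLs, template
// name and the Kerberos auth choice are assumptions, not values from the post.
class CesEnrollExample
{
    // Returns the issued end-entity certificate as base64 DER, or throws.
    static string EnrollFromTemplate(string policyServerUrl,
                                     string enrollmentServerUrl,
                                     string templateName)
    {
        // Kerberos keeps the domain password out of the client process; use
        // X509AuthUsername only if the services are published for that type.
        X509EnrollmentAuthFlags auth = X509EnrollmentAuthFlags.X509AuthKerberos;

        // 1. Cache the enrollment server URL and auth type (Windows vault) so
        //    Enroll() knows where to submit. No credential/password for Kerberos.
        CX509EnrollmentHelper helper = new CX509EnrollmentHelper();
        helper.AddEnrollmentServer(enrollmentServerUrl, auth, null, null);

        // 2. Load the template catalogue from the policy web service (assumed step).
        CX509EnrollmentPolicyWebService policy = new CX509EnrollmentPolicyWebService();
        policy.Initialize(policyServerUrl, null, auth, false,
                          X509CertificateEnrollmentContext.ContextUser);
        policy.LoadPolicy(X509EnrollmentPolicyLoadOption.LoadOptionDefault);
        IX509CertificateTemplate template = policy.GetTemplates().ItemByName[templateName];

        // 3. Build the request from the template and submit it over HTTPS.
        CX509Enrollment enrollment = new CX509Enrollment();
        enrollment.InitializeFromTemplate(X509CertificateEnrollmentContext.ContextUser,
                                          policy, template);
        enrollment.Enroll();

        // 4. Distinguish issued from pending/denied/error before using the result.
        IX509EnrollmentStatus status = enrollment.Status;
        if (status.Status != EnrollmentEnrollStatus.Enrolled)
            throw new InvalidOperationException("Enrollment not completed: "
                + status.Status + " (" + status.ErrorText + ")");

        return enrollment.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64];
    }

    static void Main()
    {
        // Placeholder URLs: replace with the CEP/CES endpoints of your own CA.
        string cert = EnrollFromTemplate(
            "https://cep.example.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP",
            "https://ces.example.local/CA_CES_Kerberos/service.svc/CES",
            "User");
        Console.WriteLine("Issued certificate (base64): " + cert.Substring(0, 40) + "...");
    }
}
```

If the CA is configured to hold requests for approval, Status will be EnrollPended rather than Enrolled; handle that case instead of treating it as a failure.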


I hope this helps.



Alex (Alejandro Campos Magencio)