Update 14.03.2013: added workaround information
Consider the following scenario. You install and configure Certificate Enrollment Web Service (CES) against a Certification Authority (CA) whose name contains spaces or other characters that are not allowed unescaped in a URL. When you attempt to use the service for certificate enrollment, the following message appears:
STATUS: Failed. The endpoint address URL is invalid.
Additionally, two events are registered in the Application event log:
EventID=10000 from CertificationAuthorityClient-CertCli source:
Certificate Enrollment Server https://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES was not able to process the request: The endpoint address URL is invalid. 0x803d0020 (-2143485920)
EventID=13 from CertificateServicesClient-CertEnroll source:
Certificate enrollment for Local system failed to enroll for a OfflineOCSPResponseSigning certificate with request ID N/A from https://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES (The endpoint address URL is invalid. 0x803d0020 (-2143485920)).
This issue occurs because the Certificate Enrollment Web Service (CES) URL is not properly escaped. Spaces and other special characters must be percent-escaped in the HTTP URL.
For example, you configure CES to work with a Certification Authority (CA) named “My Test CA-1” and use Kerberos for authentication. The following URL is generated by the CES installer (the host name may differ):
While the correct URL is:
Microsoft has been informed about this issue. No bug fix is available. See the Workaround section for example steps to overcome the issue.
No resolution available.
You can use the following PowerShell scripts to:
1) Update the URL in the IIS server. The caller must be granted local Administrator permissions:
# import required assemblies and modules
Add-Type -AssemblyName System.Web
Import-Module WebAdministration
# retrieve Certificate Enrollment Service applications on the server
$Apps = Get-WebApplication | Where-Object {$_.physicalpath.StartsWith("$($env:windir)\SystemData\CES")}
if (!$Apps) {return}
# loop over each CES app
foreach ($app in $Apps) {
    # retrieve application settings
    $webConfigStore = [Web.Configuration.WebConfigurationManager]::OpenWebConfiguration($app.path)
    # retrieve CES URL
    $url = $webConfigStore.AppSettings.Settings["uri"].Value
    # skip applications without a "uri" setting instead of aborting the whole loop
    if (!$url) {continue}
    # encode and write back new URL to application settings
    $webConfigStore.AppSettings.Settings["uri"].Value = [web.httputility]::UrlPathEncode($url)
    # save changes in IIS
    $webConfigStore.Save("Modified")
}
# restart IIS service
Get-Service IISADMIN | Restart-Service
2) Update the CES URL in Active Directory. The caller must be granted either Enterprise Admins permissions or delegated permissions to manage the Public Key Services container:
Add-Type -AssemblyName System.Web
# Connect to Enrollment Services container in configuration naming context
$RootDSE = [ADSI]"LDAP://RootDSE"
$ConfigContext = "CN=Enrollment Services,CN=Public Key Services,CN=Services," + $RootDSE.configurationNamingContext
$adsi = [ADSI]"LDAP://$ConfigContext"
$adsi.psbase.Children | ForEach-Object {
    if (!$_) {return}
    # prepare an array for new (fixed) URLs
    $entries = @()
    # enumerate all CES URLs for the current CA server
    $_."msPKI-Enrollment-Servers" | ForEach-Object {
        if (!$_) {return}
        # retrieve priority, authentication and renewal settings. They are not changed.
        $priority = $_[0].ToString()
        $authentication = $_[2].ToString()
        $RenewalOnly = $_[4].ToString()
        # extract current URL. We use a regular expression to grab only the required part
        if ($_ -match "https.+service\.svc/CES") {
            $url = $matches[0]
            # encode extracted URL if necessary. If no encoding is required, the URL is not changed
            $url = [web.httputility]::UrlPathEncode($url)
            # build final entry for current CES entry and add it to array
            $entries += $priority + "`n" + $authentication + "`n" + $RenewalOnly + "`n" + $url
        }
    }
    # write encoded URLs back to Active Directory
    $_."msPKI-Enrollment-Servers" = $entries
    $_.SetInfo()
}
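Before running either fix script (and to verify the result afterwards), it helps to have a read-only check that reports which CES endpoints still carry unescaped characters. The following is an added example written for this page, not code from the original post: it parses msPKI-Enrollment-Servers values in the same priority/authentication/renewal-only/URL layout the Active Directory script above relies on, but splits on the newline separator rather than fixed character positions, and compares each URL with its UrlPathEncode output. The function name Test-CesUrlEncoding and the sample entries (built from the URL in the event log messages above) are constructed for the example.

```powershell
# Added example (not from the original post): read-only audit of CES endpoint URLs.
Add-Type -AssemblyName System.Web

function Test-CesUrlEncoding {
    param(
        # Raw msPKI-Enrollment-Servers values: "<priority>`n<authentication>`n<renewalOnly>`n<url>"
        [Parameter(Mandatory)]
        [string[]]$Entries
    )
    foreach ($entry in $Entries) {
        # Split on the newline separator instead of indexing fixed character
        # positions, so the check is not thrown off by multi-digit priorities.
        $parts = $entry -split "`n"
        if ($parts.Count -lt 4) { continue }
        $url     = $parts[3]
        $encoded = [System.Web.HttpUtility]::UrlPathEncode($url)
        [pscustomobject]@{
            Priority       = [int]$parts[0]
            Authentication = [int]$parts[1]
            RenewalOnly    = [bool][int]$parts[2]
            Url            = $url
            EncodedUrl     = $encoded
            # $true when the stored URL differs from its escaped form, i.e. needs the fix
            NeedsFix       = ($encoded -ne $url)
        }
    }
}

# Constructed sample entries: the unescaped URL from the scenario above, and an already escaped one.
# The numeric fields are placeholders shaped like directory values, not taken from a real CA.
$sample = @(
    "1`n2`n0`nhttps://www.company.com/My Test CA-1_CES_Kerberos/service.svc/CES",
    "1`n2`n0`nhttps://www.company.com/My%20Test%20CA-1_CES_Kerberos/service.svc/CES"
)
Test-CesUrlEncoding -Entries $sample | Format-Table Priority, NeedsFix, Url, EncodedUrl -AutoSize

# To audit the live directory instead of the sample (read access to the configuration
# naming context is sufficient; nothing is written):
# $RootDSE = [ADSI]"LDAP://RootDSE"
# $es = [ADSI]("LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services," + $RootDSE.configurationNamingContext)
# $es.psbase.Children | ForEach-Object { Test-CesUrlEncoding -Entries @($_."msPKI-Enrollment-Servers") }
```

The first sample entry reports NeedsFix = $true with the space encoded as %20; the second reports $false because UrlPathEncode leaves an existing percent-escape alone, which is also why re-running the fix scripts on an already corrected environment does not double-encode the URLs.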
For a manual URL change, use the steps provided in the following TechNet wiki article: Implementing Certificate Enrollment Web Services in Windows Server® 2012 that uses an Issuing CA with spaces in the name.
Hi
I am able to set up both CES and CEP servers. I am trying to authenticate to the CEP server using Java
which is in format of
https://
Does your Java application/client support MS-XCEP communication protocol?
Hello Vadims Podans, has this issue now (August 2019) been fixed with a patch? If I am setting up CES on Server 2012 R2, does this still apply if I have a CA with spaces in its name?