non-Domain joined computers Certificate Enrollment Web Service for certificate key-based renewal

Alex Wu
2025-03-31T09:48:39.8433333+00:00

Hi, everyone!

I have a problem with non-domain computer certificate auto-renewal. I've done a lot of searching and troubleshooting, and it seems I'm stuck.

Referring to this KB, https://learn.microsoft.com/en-us/windows-server/identity/ad-cs/certificate-enrollment-certificate-key-based-renewal, I implemented my lab.

  1. Domain - mylabA.local
  2. DC - Windows Server 2019
  3. Issuing CA - Windows Server 2019
  4. CEP/CES - Windows Server 2022 (server016) (I used the default port 443, 2 instances on the same server)
  5. non-Domain client - Windows 10
  6. no firewall/anti-virus software between them

Symptoms

  1. The non-Domain client Windows 10 (hereinafter referred to as Windows 10) can request a computer certificate using UserName/Password.
  2. Windows 10 can manually renew computer certificate
  3. Windows 10 can't auto-renew the computer certificate; the event log is as shown below.
    1. I tried to use common name, like "ces-enroll.mylabA.local" instead of "server016.mylabA.local" - failed.
    2. I tried to fix it by referring to "https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/error-0x80090022-nte-silent-context-cep-ces-autoenrollment-kbr-fails" - failed

Can anyone please advise?

Regards.


1 answer

  1. Anonymous
    2025-04-01T09:07:07.15+00:00

    Hello,

    Thank you for posting in Microsoft Q&A.

    Based on the description, I understand your question is related to non-Domain joined computers Certificate Enrollment Web Service for certificate key-based renewal.

    Enable Workplace Join Debug logging by using Event Viewer

    To enable administrative logging in Windows 7 and later versions of Windows, follow these steps:

    Start Event Viewer.

    Go to one of the following locations, as appropriate for your operating system:

    Windows 7: Applications and Services Logs\Microsoft-WorkPlace Join

    Windows 8.x: Applications and Service Logs\Microsoft\Windows\Workplace Join\Admin

    Windows 10: Applications and Service Logs\Microsoft\Windows\Workplace Join\Admin

    Right-click the administrative log, and then click either the Enable Log or Disable Log value, as needed.

    To enable Debug logging in Windows 7 only, follow these steps:

    Start Event Viewer.

    Click View, and then click Show Analytic and Debug Logs.

    Browse to the following location in Windows 7:

    Applications and Services Logs\Microsoft-WorkPlace Join

    Right-click the Debug log, and then select either the Enable Log or Disable Log value, as needed.

    Network Capture

    Start Network Capture, and then reproduce the issue.

    Enable Capi2 logging

    For information about how to enable Capi2 logging, go to the following website:

    Enable CAPI2 event logging to troubleshoot PKI and SSL certificate issues

    This enables verbose logging in Applications and Services Logs/Microsoft/Windows/Capi2 in Event Viewer.

    SSL certificate troubleshooting

    To verify the Revocation Status against the certification authority (CA) database, run the following command:

    Certutil.exe -isvalid <Serialnumber>

    Note

    The <Serialnumber> placeholder is the serial number of the certificate that you want to verify, in hexadecimal format.

    Verify that a certificate was issued by a specific CA

    You can use the Certutil.exe tool to determine whether a certificate was issued by a specific CA. To verify the certificate, you must have the certificate that you want to verify and the CA certificate that you want to verify against as parameters. Use the following command syntax:

    Certutil.exe -verify CertFile CaCertFile

    This command requires that both the CA certificate and the issued certificate be PKCS#10 export files, not PKCS#7 certificate chains. When the command is run, it also verifies the revocation status of the end certificate. An error is returned if the certificate file doesn't contain CDP information, or if the URLs indicated in the CDP extension are unavailable.

    Note

    If you don't include the CACertFile parameter, the Certutil tool will construct a certificate chain by using all available certificates that are installed on the computer.

    Validate the validity and Revocation Status of a certificate

    You can manually validate all aspects of a certificate's validity, including the AIA and CDP extensions for a specific certificate, by using the following Certutil syntax:

    Certutil.exe -verify -urlfetch CertFile.crt

    To run this command, you must have an exported version of the certificate in a DER-encoded format. Certutil will verify only the basic certificate location pointer and the CRL(s) for the AIA and CDP locations. The Windows Server 2003 version of Certutil.exe in the Windows Server 2003 administration tools pack supports this functionality.

    Have a nice day.

    Best Regards,

    Molly

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it
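A PowerShell script, added here and not part of the question or Molly's answer, that runs the checks the answer describes on the non-domain Windows 10 client in one pass: it enables CAPI2 logging, triggers a machine autoenrollment pulse, runs certutil -verify -urlfetch against each DER-exported machine certificate, and collects the enrollment and CAPI2 events written since the pulse. The scratch folder, the 30-second wait and the event-provider wildcard are assumptions; run it elevated.

```powershell
# Added example, not the original post's or Microsoft's code. Run from an elevated
# PowerShell on the non-domain client. Assumption: the machine certificate issued
# through CEP/CES lives in LocalMachine\My and $OutDir is any writable scratch folder.
$OutDir = "C:\Temp\kbr-diag"   # assumption: choose any writable folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Turn on the CAPI2 operational log so chain-building and revocation errors
#    are recorded (the log the answer refers to as Microsoft/Windows/Capi2).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# 2. Trigger the same machine autoenrollment pass the scheduled task performs,
#    and remember the time so only new events are collected afterwards.
$since = Get-Date
certutil -pulse | Out-Null
Start-Sleep -Seconds 30        # assumption: enough time for the pass to finish

# 3. For every machine certificate with a private key, export it DER-encoded
#    (the format certutil -verify -urlfetch expects) and check chain, AIA and CDP.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $der = Join-Path $OutDir ("{0}.cer" -f $_.Thumbprint)
    Export-Certificate -Cert $_ -FilePath $der -Type CERT | Out-Null
    "=== {0} (expires in {1:N0} days) ===" -f $_.Subject, ($_.NotAfter - (Get-Date)).TotalDays
    certutil -verify -urlfetch $der |
        Select-String -Pattern 'Revocation|Expired|ERROR|Verified|Certificate is'
}

# 4. Pull the enrollment client events (Application log) and CAPI2 errors written
#    since the pulse; assumption: provider names match the wildcard below.
$enroll = @{ LogName = 'Application'; StartTime = $since;
             ProviderName = 'Microsoft-Windows-CertificateServicesClient-*' }
Get-WinEvent -FilterHashtable $enroll -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

$capi2 = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; StartTime = $since }
Get-WinEvent -FilterHashtable $capi2 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

A key-based renewal failure normally shows up as a CertificateServicesClient error right after the pulse, with the matching CAPI2 error naming the CES endpoint or the certificate the client could not validate.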

