Assume the following scenario:
- A Certificate Authority Web Enrollment (CAWE) server is installed on the network.
- The role is installed on a separate server, not on the certification authority directly.
- A user attempts to request a certificate via the certification authority web enrollment or submit an existing certificate request to the certification authority.
- The request takes a very long time and finally fails with HTTP code 500 "Internal server error":
There is a problem with the resource you are looking for, and it cannot be displayed.
The certificate authority web registration is a very old feature from Windows 2000 times - and was last adapted with the release of Windows Server 2003. Accordingly, the code is old and potentially insecure. Likewise, the function supports No certificate templates with version 3 or newer - This means that certificate templates that use functions introduced with Windows Vista / Windows Server 2008 or newer cannot be used. It is recommended that you do not use the certificate authority web registration and instead request certificates via on-board resources or the PSCertificateEnrollment PowerShell module.
This error occurs when the certificate authority cannot connect to the CAWE server on TCP port 135.
Looking at the firewall logs, we see that during the request a connection is attempted from the certificate authority to the CAWE server, but the server discards it.
To resolve the problem, the following firewall rules should be set up for communication from the certification authority to the CAWE server, both in the local Windows firewall of the CAWE server and on any network firewall that may be present:
| Network protocol | Destination port | Protocol |
|---|---|---|
| TCP | 135 | RPC Endpoint Mapper |
| TCP | 49152-65535 | RPC dynamic ports |
English 
Deutsch