Requesting certificates via Certificate Enrollment Web Service (CES) fails with error code "ERROR_INTERNET_TIMEOUT".

Assume the following scenario:

  • You try to request a certificate via a Certificate Enrollment Web Service (CEP) from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • The operation fails with the following error message:
The operation timed out 0x80072ee2 (INet: 12002 ERROR_INTERNET_TIMEOUT)

The Certificate Enrollment Web Services (Certificate Enrollment Policy Web Service, CEP, and Certificate Enrollment Web Service, CES) enable the automatic request and renewal of certificates from a certification authority via a Web-based interface. This eliminates the need to contact the certification authority directly via Remote Procedure Call (RPC). For a more detailed description, see the article "Certificate request basics via Certificate Enrollment Web Services (CEP, CES)„.


Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the Application of regulationsto realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem and is available under a free license. It can downloaded via GitHub and can be used free of charge.

Possible causes can be:

  • The CES server is offline.
  • The connection from the client to the CES server is prevented by a firewall. See article "Required firewall rules for the Certificate Enrollment Web Service (CES)„.
  • The certification authority takes too long to respond, e.g. if there are problems with the hardware security module (HSM).
  • The Internet Information Services (IIS) application pool on the CES server needs some loading time after restarting the web server service, which can also lead to a timeout on slow host systems - so it is best to try a second time.

Related links: