This is the gold guide I used for setting up my two-tier CA in our DMZ environment:
Install an Offline Root CA with an Enterprise Subordinate CA – Part 2
These few articles are also very good for set up the two tier CA:
https://www.petenetlive.com/KB/Article/0001309
Install and Configure Certificate Enrolment Policy Web Service
https://www.petenetlive.com/KB/Article/0001250
By default, Server Manager GUI only installs one authentication method for CEP/CES.
If you want to install additional authentication method, you have to install via Powershell:
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos -SSLCertThumbprint “sslCertThumbPrint”
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username -SSLCertThumbprint “sslCertThumbPrint”
Install-AdcsEnrollmentPolicyWebService -AuthenticationType Username -SSLCertThumbprint -KeyBasedRenewal
https://docs.microsoft.com/en-us/powershell/module/adcsdeployment/install-adcsenrollmentpolicywebservice?view=win10-ps
If you are running more than one authentication method on the Enrollment Policy Web Service, you may see this error when you try to add the policy : ” The remote endpoint could not process the request. 0x803d000f (-2143485937) ” .
When you check the event log from your “Windows Logs” – ” Application”, you will something like this:
WebHost failed to process a request.
Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/63835064
Exception: System.ServiceModel.ServiceActivationException: The service ‘/_CES_UsernamePassword/service.svc' cannot be activated due to an exception during compilation. The exception message is: This collection already contains an address with scheme https. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting ‘system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying ‘system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
Parameter name: item. —> System.ArgumentException: This collection already contains an address with scheme https. There can be at most one address per scheme in this collection. If your service is being hosted in IIS you can fix the problem by setting ‘system.serviceModel/serviceHostingEnvironment/multipleSiteBindingsEnabled' to true or specifying ‘system.serviceModel/serviceHostingEnvironment/baseAddressPrefixFilters'.
Parameter name: item
at System.ServiceModel.UriSchemeKeyedCollection.InsertItem(Int32 index, Uri item)
at System.Collections.Generic.SynchronizedCollection`1.Add(T item)
at System.ServiceModel.UriSchemeKeyedCollection..ctor(Uri[] addresses)
at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
at Microsoft.CertificateAuthority.Enrollment.DerivedFactory.CreateServiceHost(Type serviceType, Uri[] baseAddresses)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.CreateService(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
— End of inner exception stack trace —
at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
Process Name: w3wp
Process ID: 2288
The fix is to open your Notepad as admin mode, then modify your web.config file.
Add multipleSiteBindings under system.serviceModel like below:
<system.serviceModel>
<serviceHostingEnvironment multipleSiteBindingsEnabled=”true” />
For Username and password authentication, the file is under:
C:\Windows\systemdata\CES\yourCAname_CES_UsernamePassword\web.config
For Kerberos(Windows Authentication):
C:\Windows\systemdata\CEP\ADPolicyProvider_CEP_Kerberos
For Key based renewal:
C:\Windows\systemdata\CEP\KeyBasedRenewal_ADPolicyProvider_CEP_UsernamePassword
Powershell script to install certificate with username/password: