
Microsoft Certificate Web Services is an HTTPS web service (WS-Trust) that has no Kerberos dependency and can be used on a variety of devices. This is new in Windows 2008 and is separate from the browser-based key request system that has existed in the product since Windows 2000.

The service is based on WCF and is accessed in the following URL format: https://server/server_CES_UsernamePassword/service.svc?wsdl

Question

  • How do internal Microsoft tools interact with this service? What methods are called? What does the SOAP look like?

  • How can a developer interact with this service in a meaningful way? I attempted to view the object directly in VS2010, but I didn't find any proxy objects that enabled any constructive action.

My thoughts are that if I can't access the object in VS2012, I won't be able to use any other language or get Mac or Linux to enroll with a certificate either.

Here is a sample XML file that is displayed (and consumed by svcutil).

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="SecurityTokenService"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:tns="http://tempuri.org/"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    targetNamespace="http://tempuri.org/"
    xmlns:i0="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">
  <wsp:Policy wsu:Id="WSHttpBinding_ISecurityTokenService_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy/>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust10>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:import location="https://smimepol01aa.ad.freesmime.com/FreeSMIME Policy 01aa_CES_UsernamePassword/service.svc?wsdl=wsdl0" namespace="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"/>
  <wsdl:types/>
  <wsdl:binding name="WSHttpBinding_ISecurityTokenService" type="i0:ISecurityTokenService">
    <wsp:PolicyReference URI="#WSHttpBinding_ISecurityTokenService_policy"/>
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="WSHttpBinding_ISecurityTokenService" binding="tns:WSHttpBinding_ISecurityTokenService">
      <soap12:address location="https://smimepol01aa.ad.freesmime.com/FreeSMIME%20Policy%2001aa_CES_UsernamePassword/service.svc/CES"/>
      <wsa10:EndpointReference>
        <wsa10:Address>https://smimepol01aa.ad.freesmime.com/FreeSMIME%20Policy%2001aa_CES_UsernamePassword/service.svc/CES</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
makerofthings7
  • I realize this post is 2 years old but if any one else is interested in this topic I have created a client in Java using Sun's Metro API, should work with CXF or spring: https://github.com/gjyoung1974/pki-clients/tree/master/ces_client_metro –  Oct 06 '15 at 18:52
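The WS-Policy block in the posted WSDL already answers the "what must the SOAP carry" part of the question: it names the transport, the credential that rides in the WS-Security header, and the WS-Trust options. The script below is an added example (not code from the question, the answer, or any Microsoft tool) that parses that policy and turns it into a checklist a client author or a defender can act on. The embedded WSDL is a trimmed copy of the one in the question (unused namespace declarations and the wsdl:import dropped); the function names and the wording of the risk notes are my own.

```python
"""Summarise the WS-Policy attached to a Certificate Enrollment Web Service WSDL.

Trimmed copy of the WSDL posted in the question; the security policy, binding
and endpoint address are verbatim.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

CES_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="SecurityTokenService"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:tns="http://tempuri.org/"
    xmlns:i0="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"
    targetNamespace="http://tempuri.org/">
  <wsp:Policy wsu:Id="WSHttpBinding_ISecurityTokenService_policy">
    <wsp:ExactlyOne><wsp:All>
      <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><wsp:Policy/></sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy><sp:MustSupportIssuedTokens/><sp:RequireClientEntropy/><sp:RequireServerEntropy/></wsp:Policy>
      </sp:Trust10>
      <wsaw:UsingAddressing/>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:binding name="WSHttpBinding_ISecurityTokenService" type="i0:ISecurityTokenService">
    <wsp:PolicyReference URI="#WSHttpBinding_ISecurityTokenService_policy"/>
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
  </wsdl:binding>
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="WSHttpBinding_ISecurityTokenService" binding="tns:WSHttpBinding_ISecurityTokenService">
      <soap12:address location="https://smimepol01aa.ad.freesmime.com/FreeSMIME%20Policy%2001aa_CES_UsernamePassword/service.svc/CES"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def inspect_ces_policy(wsdl_text):
    """Return a dict describing the endpoint and the policy its binding references."""
    root = ET.fromstring(wsdl_text)
    s = {}
    addr = root.find("wsdl:service/wsdl:port/soap12:address", NS)
    s["endpoint"] = addr.get("location") if addr is not None else None
    s["https_endpoint"] = bool(s["endpoint"] and s["endpoint"].lower().startswith("https://"))

    # Follow the binding's PolicyReference to the wsp:Policy with that wsu:Id.
    ref = root.find("wsdl:binding/wsp:PolicyReference", NS)
    policy_id = ref.get("URI").lstrip("#") if ref is not None else None
    policy = next((p for p in root.findall("wsp:Policy", NS)
                   if p.get("{%s}Id" % NS["wsu"]) == policy_id), None)
    if policy is None:
        raise ValueError("binding references unknown policy %r" % policy_id)
    s["policy_id"] = policy_id

    # Transport binding: TLS, client-certificate requirement, algorithm suite, timestamp.
    https = policy.find(".//sp:TransportBinding//sp:HttpsToken", NS)
    s["transport"] = "https" if https is not None else "unknown"
    s["client_cert_required"] = (https is not None and
                                 https.get("RequireClientCertificate", "false").lower() == "true")
    suite = policy.find(".//sp:TransportBinding//sp:AlgorithmSuite/wsp:Policy/*", NS)
    s["algorithm_suite"] = local(suite.tag) if suite is not None else None
    s["timestamp_required"] = policy.find(".//sp:TransportBinding//sp:IncludeTimestamp", NS) is not None

    # Supporting tokens: the credential that must appear in the WS-Security header.
    s["supporting_tokens"] = [
        (local(tok.tag), [local(v.tag) for v in tok.findall("wsp:Policy/*", NS)])
        for tok in policy.findall(".//sp:SignedSupportingTokens/wsp:Policy/*", NS)]

    # WS-Trust 1.0 assertions (entropy requirements etc.).
    trust = policy.find(".//sp:Trust10/wsp:Policy", NS)
    s["trust10"] = sorted(local(c.tag) for c in trust) if trust is not None else []
    return s


def risk_notes(summary):
    """Turn the policy summary into the points a reviewer would raise."""
    notes = []
    if not summary["https_endpoint"]:
        notes.append("endpoint is not HTTPS: the credential in the SOAP header would travel in clear")
    if any(name == "UsernameToken" for name, _ in summary["supporting_tokens"]):
        notes.append("clients authenticate with a username/password in the WS-Security header; "
                     "only TLS protects it, so the client must validate the server certificate")
    if not summary["client_cert_required"]:
        notes.append("server does not require a TLS client certificate (RequireClientCertificate=false)")
    if "RequireClientEntropy" in summary["trust10"]:
        notes.append("WS-Trust 1.0 RequireClientEntropy: the client must supply its own entropy in the RST")
    return notes


if __name__ == "__main__":
    summary = inspect_ces_policy(CES_WSDL)
    for key, value in summary.items():
        print("%-22s %s" % (key, value))
    for note in risk_notes(summary):
        print("-", note)
```

Run against the posted WSDL it reports an HTTPS endpoint with Basic256, a WSS 1.0 UsernameToken as the signed supporting token, a required Timestamp, no client certificate, and WS-Trust 1.0 client and server entropy. That is the header shape any non-Windows client has to produce; the body is a WS-Trust RequestSecurityToken carrying the PKCS#10 request, which Microsoft documents in the MS-WSTEP open specification rather than in this WSDL.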

1 Answer


No idea how Microsoft internal tools interact with the service. You'd have to ask them, and they won't tell you. A friend used to work in MSIT building said tools, and even he wouldn't tell me.

However, there should be a sample in the Windows SDK that gets installed here (source: Link):

C:\Program Files\Microsoft SDKs\Windows\v7.1\Samples\security\x509 certificate enrollment\CSharp\enrollWithIX509EnrollmentHelper

According to various sources it's not the most in-depth sample, so see here too: Link

Glorfindel
Steve