Enrollment endpoints outside the Windows domain require the manual configuration described in this section.

Configuring the enrollment policy in non-domain endpoints

On enrollment endpoints outside the Windows domain, add the enrollment policy as described in the following procedure.

To configure the enrollment policy in non-domain endpoints

  1. Log in to the non-domain endpoint.
  2. Run mmc.exe.
    The Microsoft Management Console appears.
  3. Select File > Add/Remove Snap-in.
    The Add or Remove Snap-ins dialog box appears.
  4. In the Available snap-ins list, select Certificates.
  5. Click Add.
    The Certificates snap-in dialog box appears.
  6. Select My user account.
  7. Click Finish to close the Certificates snap-in dialog box.
  8. Click OK to close the Add or Remove Snap-ins dialog box.
  9. In the tree view, expand Console Root > Certificates – Current User > Personal.
  10. Right-click Personal, then select All Tasks > Advanced Operations > Manage Enrollment Policies.
    The Manage Enrollment Policies dialog box appears.
  11. Click Add.
    The Certificate Enrollment Policy Server dialog box appears.
  12. In the Enter enrollment policy server URI field, enter the URL of the Certificate Enrollment Policy Web Service that you obtained earlier in Configuring Windows Domain Endpoints.
  13. In the Authentication Type drop-down list, select Username/Password.
  14. Click Validate Server.
  15. When prompted, authenticate with your Windows user name and password.
  16. Click Add to add the URL and close the Certificate Enrollment Policy Server dialog box.
  17. Click OK.

Importing the root CA certificate into non-domain endpoints

On enrollment endpoints outside the Windows domain, import the certificate of the CA that will issue certificates for the enrollment service.

To import the root CA certificate in non-domain endpoints

  1. Log in to the non-domain endpoint.
  2. Open a Command Prompt window. Select Start > Windows System > Command Prompt.
  3. Enter the following command.

    certutil -addstore Root <cert_path>

    Where <cert_path> is the full path and file name of the CA certificate file.

  4. Open the Certificate Manager snap-in. Select Start > Run, then enter certlm.msc.
    The certlm dialog box appears.
  5. In the tree view, expand Certificates – Local Computer > Trusted Root Certification Authorities > Certificates.
  6. In the content pane, verify that the root CA certificate you imported appears in the list of trusted root CA certificates.
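
The import and verification steps above can also be scripted. The following PowerShell is an added example, not part of the original procedure or the vendor's tooling; it goes beyond the documented steps by checking the certificate file before it becomes a trust anchor. $CertPath and $ExpectedThumbprint are placeholders, and the script assumes you obtained the expected SHA-1 thumbprint from the CA administrator through a separate channel.

```powershell
# Added example (not vendor code). Both parameters are placeholders.
param(
    [Parameter(Mandatory)] [string] $CertPath,           # the <cert_path> file
    [Parameter(Mandatory)] [string] $ExpectedThumbprint  # assumed: received out-of-band
)
$ErrorActionPreference = 'Stop'

# The Local Computer Root store can only be written from an elevated session.
$principal = [Security.Principal.WindowsPrincipal]::new(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$file = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# 1. The file must be the certificate you were told to trust.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
}

# 2. A root CA certificate is self-issued and inside its validity period.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issuer is '$($cert.Issuer)'."
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 3. If Basic Constraints is present, it must mark the certificate as a CA.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($bc -and -not $bc.CertificateAuthority) {
    throw 'Basic Constraints says this is not a CA certificate.'
}

# 4. Import with the command from the procedure, then confirm the store contents.
certutil -addstore Root $file
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }

$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Certificate not found in Cert:\LocalMachine\Root after import.' }
$installed | Format-List Subject, Thumbprint, NotAfter
```

The final listing shows the same entry that step 6 asks you to confirm in the Trusted Root Certification Authorities list.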