WCCE Introduction

This section details how to configure and consume the Windows Client Certificate Enrollment (WCCE) protocol.

Managing certificate lifecycle through the WCCE protocol involves up to three components:

  • Active Directory asset (domain controller, server, workstation, user) as WCCE Client;

  • WinHorizon as the Active Directory enrollment service;

  • Horizon as the WCCE proxy;

WCCE enrollment modes will be detailed later on.

The protocol paradigm can be summarised as follows: every Active Directory member (machine or user) can use the WCCE DCOM interfaces (ICertRequestD / ICertRequestD2) to submit a certificate request to a CA and retrieve the issued certificate.

The following schema is a simplified workflow of a WCCE enrollment:

[WCCE Enrollment Diagram]

The protocol is based on the notion of Active Directory membership and configuration. Active Directory clients (machines and users) that hold enrollment rights on a Microsoft Certificate Template can use the Active Directory enrollment service through the DCOM interface to request certificate enrollment; the template permissions are therefore the first access control applied to a request.

Horizon supports different WCCE enrollment modes:

  • Entity: the certificate's subject and extensions are built from the requester's Active Directory object rather than from the request content;

  • Enrollment On Behalf of Others (EOBO): the certificate signing request (CSR) is signed by one or more Certificate Enrollment Agents, whose enrollment agent certificates authorise them to request on behalf of another principal;

  • Trust request: the certificate signing request (CSR) content is fully trusted and the certificate is created from it as submitted, with no reconciliation against Active Directory.

For the Enrollment On Behalf of Others (EOBO) enrollment mode, it is possible to configure a whitelist of Authorized CAs trusted as issuers of enrollment agent certificates: an EOBO request is honoured only when the enrollment agent certificate that signed it was issued by one of the whitelisted CAs.
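The three request shapes above, as seen from a domain-joined Windows client. This is an added example, not code from the EverTrust documentation or product: the CA configuration string `ca.corp.example\Corp-Issuing-CA`, the domain account `CORP\alice`, the host name `web01.corp.example` and the template names (`Machine`, `WebServer`, `User`) are placeholders standing in for whatever WinHorizon publishes in the forest. Only documented `certreq` / `Get-Certificate` parameters are used.

```powershell
# Added example (not from the EverTrust documentation).
# Assumed placeholders: CA config string, template names, account and host names.
$CaConfig = 'ca.corp.example\Corp-Issuing-CA'

# 1) Entity mode: no subject is supplied by the client. The template is set to
#    build the subject from Active Directory, so the CA fills it in from the
#    requester's AD object. Without -Url, Get-Certificate resolves the CA from AD
#    and submits over DCOM, i.e. WCCE. Run elevated for the machine store.
$entity = Get-Certificate -Template 'Machine' -CertStoreLocation 'Cert:\LocalMachine\My'
$entity.Certificate | Format-List Subject, Issuer, Thumbprint

# 2) Trust-request mode: the client specifies subject and SAN itself and the CA
#    issues exactly what the CSR carries. The requester's rights on the template
#    are therefore the only control on the certificate content.
@'
[NewRequest]
Subject = "CN=web01.corp.example,O=Corp"
KeyAlgorithm = RSA
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=web01.corp.example&"
_continue_ = "dns=web01"
[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path .\trust.inf -Encoding ASCII

certreq -new .\trust.inf .\trust.req
certreq -submit -config $CaConfig .\trust.req .\trust.cer
certreq -accept .\trust.cer

# 3) EOBO mode: the PKCS#10 is wrapped in a PKCS#7 signed with an enrollment
#    agent certificate (EKU 1.3.6.1.4.1.311.20.2.1, Certificate Request Agent).
#    Horizon's authorized-CA whitelist is evaluated against the issuer of this
#    signing certificate, so pick one issued by a whitelisted CA.
$agent = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.1' } |
    Select-Object -First 1
if (-not $agent) { throw 'No Certificate Request Agent certificate in the user store' }

@'
[NewRequest]
Subject = "CN=alice"
RequestType = PKCS7
RequesterName = CORP\alice
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = TRUE
[RequestAttributes]
CertificateTemplate = User
'@ | Set-Content -Path .\eobo.inf -Encoding ASCII

# -cert selects the signing (enrollment agent) certificate by SHA-1 hash.
certreq -new -cert $agent.Thumbprint .\eobo.inf .\eobo.req
certreq -submit -config $CaConfig .\eobo.req .\eobo.cer

# Verify what was actually issued before handing it over: subject, UPN and
# template must match what the agent asked for on the user's behalf.
certutil -dump .\eobo.cer | Select-String -Pattern 'Subject:|Template|UPN|Issuer:'
```

In the EOBO case the private key is generated on the agent's workstation, which is why the request marks it exportable: the agent has to export certificate and key as a PFX and deliver them to the user out of band, and the key material should be removed from the agent's store afterwards. An EOBO request whose signing certificate was issued by a CA outside Horizon's whitelist is expected to be rejected at submission, which is the check to exercise when validating the whitelist configuration.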

Windows official resources

EverTrust's WCCE implementation is based on the official WCCE documentation provided by Microsoft, the [MS-WCCE] (Windows Client Certificate Enrollment Protocol) specification:

Prerequisites