Skip to main content

What is Windows Client Certificate Enrollment (WCCE)?

The Windows Client Certificate Enrollment (WCCE) protocol was built by Microsoft to perform a variety of tasks which integrate directly with widely used Active Directory services. This protocol allows users to manage their X.509 certificates and request tasks from a certificate authority, including full certificate management in regard to certificate enrollment, issuance, revocation, and deletion. In dealing with a PKI to manage these keys and certificates, this protocol also complies with X.509 recommendations and standards for storage and complete certificate lifecycle management.

In a typical non-Futurex environment structure, a computer will reach out to an active directory server to pull the certificates needed for user management. This leaves these certificates vulnerable to attack, as the certificates are more easily assessable to manipulation or fraud by outside parties or threatening technologies. If a certificate authority is compromised, the validity of every single certificate and every single item previously validated will be questioned. It is not an understatement to suggest that a poorly secured PKI is completely detrimental to the security of an organization.

In a Futurex environment, the Windows client will, again, request a certificate from its Windows server as expected. However, this is where the process differs. The windows server connects using PKI authentication, issuing software (PKCS12) or hardware (PKCS11 tokens) to complete the PKI structure. This allows the Windows Server to connect to the Host-API port. It will then forward those certificate requests to the KMES Series 3 HSM, which will validate that request within the boundaries of the cryptographically secure machine. The KMES Series 3 allows the creation of user groups that require only one login, creates users for the Windows Server in that group, assigns the TLS PKI certificates to the user for PKI authentication, and lastly, gives that user’s group use permission over the CA certificate(s) with the WCCE issuance policy. The KMES Series 3 issues the certificate, in addition to managing the entire lifecycle of the certificate, including generation, distribution, revocation, and expiration.


Another common use case of WCCE is autoenrollment. This is easily configured via the KMES Series 3. Futurex has developed a proxy installer which connects the windows server to the KMES Series 3, essentially enabling the autoenrollment WCCE command. Simply enable both the WCCE feature and command, and then configure an issuance policy for the specific type of certificate. The default of this issuance policy can be set to “autoenrollment” to allow enrollment of client computers under a windows domain. Joining a client on the domain will trigger autoenrollment and clients already on the domain already have a workstation certificate enrolled.

WCCE also handles enrollments that require approvals. This is done by creating a new PKI Template for certificates that require approvals and adding it to the issuance policy WCCE. The enrollment will be pending until it gets approved. Also, each certificate request is assigned a unique ID, under the approval group on the KMES. This ID is needed to check the enrollment state on the client machine. Then the administrator can approve the request via the KMES Series 3.

Securing the world's most sensitive data.
Request Demo ▸