Difference between CA Web Enrollment and Certificate Enrollment Web Service/Certificate Enrollment Policy Web Service


When installing the Certificate Authority on a domain-joined server, you have the option of installing three other certificate services:

1. CA Web Enrollment

2. Certificate Enrollment Web Service

3. Certificate Enrollment Policy Web Service

In addition, you can also install two other services:

4. Network Device Enrollment Service

5. Online Responder

Let’s focus on the first three items above.

1. CA Web Enrollment: Per Microsoft’s description:

Certification Authority (CA) Web Enrollment service was released in the Windows 2000 operating system. CA Web Enrollment allows client computers to submit PKCS #10 requests to the CA interactively through a web browser and Internet Information Services (IIS) application. For example, when this role service is installed, users in the contoso.com domain could enter http://ca.contoso.com/CertSrv in their web browser and see an interactive web site that allows them to upload requests, download completed certificates, and download certificate revocation lists (CRLs).

Although CA Web Enrollment and Certificate Enrollment Web Services both use HTTPS, they are fundamentally different technologies. CA Web Enrollment provides a browser-based interactive method of requesting individual certificates that does not require specific client components or configuration. CA Web Enrollment only supports interactive requests that the requester creates and uploads manually through the web site. For example, if an administrator wants to provision a certificate to an Apache Web server running the Linux operating system, a PKCS #10 request that was created by using OpenSSL could be uploaded. After the CA issued the request, the certificate could be downloaded by using the browser.

The Certificate Enrollment Policy Web Service and the Certificate Enrollment Web Service focus on automated certificate requests and provisioning by using the native client starting with the Windows 7 and Windows Server 2008 R2 operating systems. The end user does not have to make a request manually or interact with a web site.

Certificate Enrollment Web Services and CA Web Enrollment are complementary technologies. CA Web Enrollment supports certificate requests and a broad set of client operating systems. The Certificate Enrollment Web Services offer automated requests and certificate provisioning for client computers starting with the Windows 7 and Windows Server 2008 R2 operating systems.

source: https://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx

Therefore, as the last two paragraphs above indicate:

2. Certificate Enrollment Web Service

3. Certificate Enrollment Policy Web Service

Both complement CA Web Enrollment and focus on automating certificate requests, whereas CA Web Enrollment is a manual, interactive process carried out through a web site in this format: http://ca.contoso.com/CertSrv, which allows uploading requests, downloading completed certificates, and downloading certificate revocation lists.
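The manual path described above (a PKCS #10 request created with OpenSSL on a Linux web server, then uploaded by hand through the CertSrv pages) can be prepared and checked as follows. This is an added example, not code from the original post or from Microsoft; the host name `www.contoso.com`, the file names and the function names are constructed, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: build and sanity-check the PKCS #10 request that would be
# uploaded manually through CA Web Enrollment. Names are constructed.

# make_csr <fqdn> <outdir>: new RSA key plus a CSR with CN and a DNS SAN.
make_csr() {
    fqdn=$1; outdir=$2
    (
        umask 077   # private key never leaves the server; owner-only access
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
            -subj "/CN=$fqdn" \
            -addext "subjectAltName=DNS:$fqdn" 2>/dev/null
    )
}

# check_csr <csr> <fqdn>: checks to run before pasting or uploading the request.
check_csr() {
    csr=$1; fqdn=$2
    # 1. The file is a PEM-encoded PKCS #10 request, not a key or certificate.
    head -n 1 "$csr" | grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' || return 1
    # 2. The self-signature verifies (proof of possession of the private key).
    #    Some OpenSSL builds exit 0 on failure, so match the message instead.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    # 3. The request names exactly the host expected (exact SAN entry match).
    openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//' \
        | grep -qxF "DNS:$fqdn" || return 3
    return 0
}

# Stand-alone use: sh make_csr.sh www.contoso.com /etc/ssl/private
if [ "$#" -ge 1 ]; then
    out=${2:-.}
    make_csr "$1" "$out" && check_csr "$out/$1.csr" "$1" \
        && echo "Upload $out/$1.csr; keep $out/$1.key on the server."
fi
```

Only the `.csr` file is submitted to the CA; the `.key` file stays on the web server and is paired with the issued certificate after it is downloaded.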

 

 
