You may already know this white paper on configuring the Certificate Enrollment Web Services:
Certificate Enrollment Web Services in Windows Server 2008 R2
This paper explains how certificate enrollment Web services work in Windows Server 2008 R2. It also provides deployment guidance for certificate enrollment Web services in new and existing Active Directory Certificate Services (AD CS) deployments.
I recently came across this other article which explains how to use those web services from machines outside of our Windows Domain:
Enabling CEP and CES for enrolling non-domain joined computers for certificates
A non-domain joined computer on the Internet needs to be able to enroll for certificates from a Microsoft Enterprise Certification Authority. We are configuring the CEP/CES web services to interact with the Internet-based computer and this computer has no network connectivity to domain controllers or certification authorities behind the firewall.
Alex (Alejandro Campos Magencio)