Submit an Advanced Certificate Request over the Web

Applies To: Windows Server 2008

The policy of a certification authority (CA) determines the types of certificates a user can request and the options they can configure. If the Advanced Certificate Request Web page is enabled, you can use it to set the following options for each certificate requested:

  • Certificate template (from an enterprise CA) or Type of certificate needed (from a stand-alone CA). Indicates what applications the public key in the certificate can be used for, such as client authentication or e-mail.

  • Cryptographic service provider (CSP). A CSP is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards.

  • Key size. The length, in bits, of the public key on the certificate. In general, longer keys are harder for a hostile user to break than shorter keys.

  • Hash algorithm. A good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD2, MD4, MD5, and SHA-1.

  • Key usage. How the private key can be used. Exchange means that the private key can be used to enable the exchange of sensitive information. Signature means that the private key can be used only to create a digital signature. Both means that the key can be used for both exchange and signature functions.

  • Create new key set or Use existing key set. You can use an existing public and private key pair stored on your computer or create a new public and private key pair for a certificate.

  • Enable strong private key protection. When you enable strong private key protection, you will be prompted for a password every time the private key needs to be used.

  • Mark keys as exportable. When you mark keys as exportable, you can save the public key and the private key to a PKCS #12 file. This is useful if you change computers and want to move the key pair, or if you want to remove the key pair and secure it in another location.

  • Store certificates in the local computer certificate store. Select this option if the computer will need access to the private key associated with the certificate when other users are logged on. Select this option when requesting certificates intended to be issued to computers (such as Web servers) instead of certificates issued to people.

  • Request format. This section can be used to select either PKCS #10 or CMC formats. If you want to submit the request later, you can also select Save request to file.

Important

Windows Server 2003 CA Web pages must be updated before users can access these Web pages by using this version of Windows.

Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.

To submit an advanced certificate request over the Web

  1. Open Internet Explorer.

  2. In Internet Explorer, connect to https://servername/certsrv, where servername is the name of the Web server running Windows Server 2003 where the certification authority that you want to access is located.

  3. Click Request a certificate.

  4. Click advanced certificate request.

  5. Click Create and submit a certificate request to this CA.

  6. Fill in any identifying information requested and any other options you require.

  7. Click Submit.

  8. Do one of the following:

    • If you see the Certificate Pending Web page, see Check on a Pending Certificate Request for the procedure to check on a pending certificate.

    • If you see the Certificate Issued Web page, click Install this certificate.

  9. If you are finished using the Certificate Services Web pages, close Internet Explorer.
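The same options can be written down as a request file and reviewed before anything is sent to the CA. The following is an added example, not part of the original topic: it uses certreq.exe and certutil.exe, which this topic does not cover, and the file names, subject name, template name, and the specific values (2048-bit key, SHA256, non-exportable key) are assumptions chosen for illustration.

```powershell
# Added example. Run from an elevated prompt, because MachineKeySet = TRUE
# writes the key to the local computer store. All names are placeholders.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Identifying information (step 6 of the Web procedure)
Subject = "CN=www.example.test"
; Cryptographic service provider (CSP)
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Key size, in bits
KeyLength = 2048
; Hash algorithm used to sign the request
HashAlgorithm = SHA256
; Key usage: 1 = Exchange, 2 = Signature
KeySpec = 1
; Create new key set (TRUE reuses an existing key set)
UseExistingKeySet = FALSE
; Strong private key protection prompts a user, so it is off for a machine key
UserProtected = FALSE
; Mark keys as exportable: FALSE keeps the private key out of PKCS #12 exports
Exportable = FALSE
; Store certificate in the local computer certificate store
MachineKeySet = TRUE
; Request format: PKCS10 or CMC
RequestType = PKCS10

[RequestAttributes]
; Certificate template (enterprise CA only)
CertificateTemplate = WebServer
'@
Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# Create the key pair and save the request to a file.
certreq.exe -new .\request.inf .\request.req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Review the request before submitting: key length and signature algorithm.
certutil.exe -dump .\request.req |
    Select-String 'Public Key Length|Signature Algorithm|Algorithm ObjectId'

# Submit (a dialog lists the available CAs when -config is omitted).
certreq.exe -submit .\request.req .\issued.cer
if (Test-Path .\issued.cer) { certreq.exe -accept .\issued.cer }
else { Write-Host 'Request is pending; no certificate was returned yet.' }
```

UserProtected and MachineKeySet are set as a pair here: strong private key protection requires an interactive user to answer the prompt, so it does not suit a key that a service uses while other users are logged on.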

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

  • In order for a user to obtain a certificate using Web enrollment, an administrator must set the appropriate permissions on the certificate templates on which the requested certificate is based.

  • If this is the first time you are accessing the Web server for a CA, you must add the server to the list of Trusted sites in Internet Explorer. Trusted sites can be added by selecting Internet Options on the Tools menu, clicking the Security tab, selecting the Trusted sites zone, and clicking Sites. In addition, the Web server for the CA must be configured to use HTTPS authentication.

Additional references