Obtain client certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To obtain client certificates

  1. In your Web browser, open the form at https://servername/certsrv for requesting a certificate from your CA, where servername is the name of the Web server where the CA that you want to access is located.

  2. Click Request a certificate, click Advanced certificate requests, and then click Create and submit a request to this CA.

  3. Type the information requested and any other options required, including:

    • Select Mark keys as exportable.

    • Select Store certificate in the local computer certificate store.

  4. Click Submit, and then do one of the following:

    • If you see the Certificate Pending Web page, check on the pending certificate request.

    • If you see the Certificate Issued Web page, click Install this certificate.

  5. If you are finished using the Certificate Services Web pages, close Internet Explorer.

Once you have obtained the client certificate, verify that it is in your Personal store and is valid. To do this:

  1. Open the Certificates MMC snap-in.

  2. Locate the installed client certificate in the Personal store under Certificates (Local Computer), and then double-click the certificate to verify it.

Once you have ensured that the client certificate is valid, copy it to the MSMQ certificates store, as follows:

  1. Open the Certificates MMC snap-in.

  2. Locate the installed client certificate in the Personal store under Certificates (Local Computer).

    Where?

    • Console Root/Certificates (Local Computer)/Personal/Certificates
  3. Drag the certificate with your mouse to move it to the MSMQ\Personal store under Certificates - Service (Message Queuing) on Local Computer in the Certificates snap-in.

    Where?

    • Console Root/Certificates - Service (Message Queuing) on Local Computer/MSMQ\Personal/Certificates

Notes

  • To open the Certificates snap-in, click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, and then click Add. Select Certificates, and then click Add. Select Service account, click Next, select Local Computer (the computer this console is running on), and then click Next. In Service Account, select Message Queuing, and then click Finish. When you finish working in the MMC console, you can save the settings so that the custom MMC is available next time you open the console.

  • To check on a pending certificate request, in the CA Web page, click View the status of a pending certificate request. If you see pending certificates, select the certificate request you want to check, and then click Next. If the status is Still pending, you must wait for the administrator of the CA to issue the certificate. If the status is Issued, to install the certificate, click Install this certificate. If the status is Denied, contact the CA administrator for more information.

  • Note that before requesting a client certificate, you might need to make the CA Web page a trusted site for Internet Explorer. To do this, on the Tools menu in Internet Explorer, click Internet Options. On the Security tab, click Trusted Sites, and then click Sites. Uncheck Require server verification (https:) for all sites in the zone. Type https://servername, and then click Add.

  • It is not necessary to have the client certificate locally on the receiving computer, but the receiving computer must be able to access the client certificate.

  • This task can be performed only from a Message Queuing server installed on a Windows ServerĀ 2003 family domain controller.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Authentication for Message Queuing
Working with MMC console files