Register Certificates for Message Queuing
Applies To: Windows Server 2008
You can use this procedure to register certificates for Message Queuing. A user certificate must be registered in Active Directory Domain Services before it can be used by Message Queuing for message authentication.
Membership in <Domain>\Domain Users, or equivalent, is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.
To register certificates for Message Queuing
Click Start, point to Run, type compmgmt.msc, and press ENTER to display the Computer Management MMC console.
In the console tree, right-click Message Queuing.
Where?
- Computer Management/Services and Applications/Message Queuing
Click Properties.
In the Message Queuing Properties dialog box, click the User Certificate tab, and then under User certificates, click Register.
In the Personal Certificates dialog box, click a certificate, and then click Register.
To import a user certificate into the Personal store for the current user account
Open the Certificates snap-in for the current user account. Click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, select Certificates from the list of available snap-ins, and then click Add. Select My user account, click Finish, and then click OK.
Locate the Personal store under Certificates - Current User.
Where?
- Console Root/Certificates - Current User/Personal
Right-click the Personal store, point to All Tasks, and then click Import to start the Certificate Import Wizard.
Click Next, click Browse to specify the location of the file that contains the user certificate to be imported, click the file that contains the certificate and then click Open.
Click Next, type the password that was specified when the certificate was exported, select any other options desired and then click Next.
Verify that the certificate is being imported into the Personal certificate store, click Next, click Finish, and then click OK.
Additional considerations
Your computer must have access to Active Directory Domain Services to perform this task.
During setup, an internal user certificate is automatically created for you on the local computer and is registered in Active Directory Domain Services the first time you log on to the local computer in a domain provided your computer can communicate with a domain controller when you log on.
If no internal certificate exists, such as when the internal certificate is removed, this procedure creates a new internal certificate, which you can register. You can also use this procedure to register an external certificate after you import it.
If a certificate registered on the local computer is removed from a remote computer, the record of the certificate is removed from Active Directory Domain Services, but the certificate will still exist on the local computer.
By default, users have permission to register certificates for Message Queuing. However, if default user permissions are changed, this might affect your ability to register certificates. For registering certificates, the user object requires the Write Personal Information permission in Active Directory Domain Services.
Active Directory Domain Services sets a multi-valued attribute limit of approximately 800 user certificates for a specific user account. This limit is usually exceeded when obsolete user certificates have not been deleted from Active Directory Domain Services. If multiple certificates exist for a user account, only the latest is used, and obsolete certificates can be deleted. For instructions, see Remove Certificates for Message Queuing.