Selecting an Enrollment and Renewal User Interface

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The user interface that you select for certificate request and approval processing depends on whether you choose automatic or manual certificate request and approval methods. If you decide to use autoenrollment for both certificate requests and certificate approval, you must use a minimal user interface.

However, if all or part of the enrollment process is manual, you must decide between using the Web Enrollment Support pages or the Certificate Request Wizard. The Web Enrollment Support pages are the easier of the two interfaces for users. Users can perform the following tasks from the Web Enrollment Support pages:

  • Request and obtain a basic user certificate.

  • Request and obtain other types of certificates by using advanced options.

  • Request a certificate by using a certificate request file.

  • Renew certificates by using a certificate renewal request file.

  • Save a certificate request to a file.

  • Save the issued certificate to a file.

  • Check on pending certificate requests.

  • Retrieve a CA certificate.

  • Retrieve the latest certificate revocation list from a CA.

  • Request smart card certificates on behalf of other users (for use by trusted administrators).

However, administrators might prefer to use the Certificate Request and Renewal Wizard. You can start the wizard from the Certificates snap-in. Because the wizard is linked to the Certificates snap-in, you can also create custom snap-ins that you can distribute to certification authority administrators to whom you have delegated specific roles.

Unless an organization uses firewalls between one part of the organization and another, you can use the Certificates snap-in or the Web interface interchangeably. If a firewall exists between the CA and the requesting client, you must request certificates by means of the Web Enrollment Support pages or ensure that port 135 and a dynamic port above 1024 are open for MMC DCOM communication.

Whether you choose to use the Web Enrollment Support pages or the Certificate Request and Renewal Wizard, you might need to prepare documentation that describes how users can request a user certificate, what users can expect after they request the certificate (for example, automatic enrollment or a delay pending administrator approval), and how they can use the certificates after they receive them.