Request a Certificate Using a PKCS #10 or PKCS #7 File

Applies To: Windows Server 2008

It is not always possible to submit a certificate request online to a certification authority. In these instances, you might still be able to submit a certificate request in the form of a PKCS #7 or PKCS #10 file. In general, you use a PKCS #10 file to submit a request for a new certificate and a PKCS #7 file to submit a request to renew an existing certificate.

Users or local Administrators are the minimum group memberships required to complete this procedure. Review the details in "Additional considerations" in this topic.

To request a certificate by using a PKCS #10 or PKCS #7 file

  1. Open Internet Explorer.

  2. In Internet Explorer, connect to https://servername/certsrv, where servername is the name of the Web server where the web pages you want to access are located.

  3. Click Request a certificate, and then click advanced certificate request.

  4. Click Submit a certificate request using a base-64-encoded CMC or PKCS #10 file or submit a renewal request by using a base-64-encoded PKCS #7 file.

  5. Do one of the following:

    • In Notepad, click File, click Open, select the PKCS #10 or PKCS #7 file, click Edit, click Select all, click Edit, and then click Copy. On the Web page, click in the Saved request scroll box. Click Edit and then click Paste to paste the contents of the certificate request into the scroll box.

    • Click Browse for a file to insert to locate the file you want to use for the certificate request. If you get a warning about the ActiveX control, verify that the source of the control is trustworthy. If it is trustworthy, click Yes to allow it to run, and then click the Browse button. After locating and selecting the file you want to use for the certificate request, click Open. On the Web page, click Read! to paste the contents of the file into the scroll box.

  6. If you are connected to an enterprise CA, choose the certificate template you want to use.

  7. If you have any attributes to add to the certificate request, enter them into Additional Attributes.

  8. Click Submit.

  9. Do one of the following:

    • If you see the Certificate Pending Web page, see Check on a Pending Certificate Request.

    • If you see the Certificate Issued Web page, click Download certificate chain. Choose to save the file to your hard disk, and then import the certificate into your certificate store. For the procedure to import a certificate, see Import a Certificate.

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

  • The component that enables Web enrollment in this version of Windows is different from the component that enables Web enrollment in Windows Server 2003 and Windows XP. Windows Server 2003 CA Web enrollment pages must be updated to support both this version of Windows and earlier clients. For more information, see the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=63591).

  • If this is the first time you are accessing the Web server for a CA, you must add the server to the list of Trusted sites in Internet Explorer. Trusted sites can be added by selecting Internet Options on the Tools menu, clicking the Security tab, selecting the Trusted sites zone, and clicking Sites. In addition, the Web server for the CA must be configured to use HTTPS authentication.

  • If you submit the request and immediately get a message asking you if you want to submit the request even though it does not contain a BEGIN or END tag, click OK.
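
The following Python sketch is an added example, not part of the original Microsoft topic. It checks the text of a saved request file before you paste it into the Saved request box, reporting whether it decodes as a PKCS #10 request or a PKCS #7 file and whether the BEGIN and END tags are present. The function names and sample strings are constructed for illustration.

```python
import base64
import binascii
import re

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
ARMOR = re.compile(r"-----BEGIN ([A-Z0-9 #]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds data")
    return tag, buf[pos:pos + length], pos + length

def classify_request(text):
    """Return (kind, has_tags) for the text of a saved request file."""
    m = ARMOR.search(text)
    body = m.group(2) if m else text  # a file without tags is bare base-64
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        tag, outer, end = read_tlv(der)
        if tag != 0x30 or end != len(der):  # must be exactly one SEQUENCE
            return "unknown", bool(m)
        first_tag, first_val, _ = read_tlv(outer)
    except (binascii.Error, ValueError):
        return "not base-64 DER", bool(m)
    if first_tag == 0x30 and first_val[:1] == b"\x02":
        return "PKCS #10", bool(m)  # request info SEQUENCE opens with version INTEGER
    if first_tag == 0x06 and first_val == SIGNED_DATA_OID:
        return "PKCS #7", bool(m)   # signedData; CMC requests use this wrapper too
    return "unknown", bool(m)

# Constructed skeletons: correct outer structure only, not usable requests.
_P10 = base64.b64encode(bytes.fromhex("30053003020100")).decode()
SAMPLE_P10 = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n" + _P10 +
              "\n-----END NEW CERTIFICATE REQUEST-----\n")
SAMPLE_P7_NO_TAGS = base64.b64encode(bytes.fromhex("300b0609") + SIGNED_DATA_OID).decode()
```

The check looks only at the outer DER structure. It does not verify the signature or the contents of the request.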
