Requesting certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate requests must be made by the user, computer, or service that has access to the private key associated with the public key that will be part of the certificate. Depending upon the public key policies established by your system administrator, computers and services can automatically request certificates without user intervention. In addition, administrators can use their enrollment agent certificate to request smart card user certificates and smart card logon certificates on behalf of other users.

There are two primary ways to explicitly request certificates on Windows Server 2003.

Request certificates using the Certificate Request Wizard

When you request certificates from a Windows Server 2003 enterprise certification authority, you can use the Certificate Request Wizard located in the Certificates snap-in. This wizard guides you through the following steps:

  • Selecting the certification authority to which you will submit the request.

    The Certificate Request Wizard can submit requests only to enterprise certification authorities that are available in your Windows domain.

  • Selecting the appropriate certificate template to use for the new certificate.

    Certificate templates are predefined configurations that provide common settings for the certificate request. Certificate templates describe the purpose for which the requested certificate is to be used. The list of certificate templates that is available to you is determined by the certificate types that the certification authority is configured to issue and by whether the system administrator has granted you access rights to the certificate template.

  • (Optional) Using Advanced Options in the Certificate Request Wizard to select the cryptographic service provider (CSP) for the key pair associated with the certificate request.

Only Basic EFS (Encrypting File System) and EFS Recovery Agent certificates have their associated private keys marked as available for export when you use the Certificate Request Wizard. If you want to request another type of certificate and have its private key available for export to a PKCS #12 file, you will need to use the Advanced request option on the Windows Server 2003 Certificate Services Web pages.

For instructions on opening and using the Certificate Request Wizard, see Request a certificate.

You can also use the Certificate Request Wizard to request a new certificate from an enterprise certification authority by using an existing key pair that is already associated with another certificate. For more information, see Request a certificate with the same key.

Request certificates using the Windows Server 2003 Certificate Services Web pages

Each certification authority that is installed on a computer running Windows Server 2003 has Web pages that users can access to submit basic and advanced certificate requests. By default, these pages are located at https://servername/certsrv, where servername is the name of the computer running Windows Server 2003.

When you request certificates from a Windows Server 2003 stand-alone certification authority, you use the Certificate Services Web pages. The Web pages can also be used to request certificates from Windows Server 2003 enterprise certification authorities if you want to set optional request features that are not available in the Certificate Request Wizard, such as marking the keys as exportable, setting the key length, choosing the hash algorithm, or saving the request to a PKCS #10 file.

For more information on using Certificate Services Web pages, see Using Windows Server 2003 Certificate Services Web pages.

Processing certificate requests

When you submit a certificate request to a Windows Server 2003 enterprise certification authority, it is immediately processed, as opposed to being set to "pending." The certificate request will either immediately fail or be granted. If it is granted, the certificate is issued, and you will be prompted to install it.

When you submit a certificate request to a Windows Server 2003 stand-alone certification authority, it will either be immediately processed or, by default, it will be considered pending until the administrator of the certification authority approves or rejects the request. In the case of a pending request, the certificate requester will have to use the Certificate Services Web pages to check the status of pending certificates. For more information, see Check on a pending certificate request to a Windows Server 2003 CA.
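The two passages above (the advanced request options and the immediate-versus-pending processing) can be illustrated with the command-line certreq.exe tool, which submits the same kind of request as the Web pages but from a script. The following is an added example, not taken from the original page: it writes a request .inf file that sets the key length, exportability, hash algorithm and PKCS #10 output that the wizard does not expose, submits it, and handles both outcomes described above (immediate issuance by an enterprise CA, or a pending request on a stand-alone CA). The CA configuration string "CA01\Contoso Issuing CA", the template name "WebServer", the subject name and the file names are constructed placeholders; whether a given INF key (notably HashAlgorithm) is honoured depends on the certreq and CSP version installed.

```powershell
# Added example (not part of the original page): request a certificate with certreq.exe.
# Assumed values: CA config string, template name, subject name and file names.
# Run from an elevated prompt on the computer that will own the private key.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Subject of the requested certificate (constructed sample value)
Subject = "CN=web01.contoso.example"
; Options the Certificate Request Wizard does not expose:
; key length, exportability, hash algorithm and PKCS #10 output.
KeyLength = 2048
; Keep the private key non-exportable unless a PKCS #12 backup is actually required.
Exportable = FALSE
; Hash used to sign the request; support depends on the certreq/CSP version.
HashAlgorithm = SHA256
; AT_KEYEXCHANGE key; store it in the machine store for a computer/service certificate.
KeySpec = 1
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
; Save the request as a PKCS #10 file.
RequestType = PKCS10

[RequestAttributes]
; Templates are used only by enterprise CAs; a stand-alone CA ignores this attribute.
CertificateTemplate = WebServer
'@
Set-Content -Path request.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair and write the PKCS #10 request file.
certreq -new request.inf request.req

# 2. Submit the request. An enterprise CA issues or fails immediately; a stand-alone CA
#    normally reports the request as pending together with a request ID.
$caConfig = 'CA01\Contoso Issuing CA'   # assumption: "hostname\CA name"
$text = (certreq -submit -config $caConfig request.req cert.cer 2>&1) | Out-String
Write-Output $text

$requestId = $null
if ($text -match 'RequestId:\s*(\d+)') { $requestId = $Matches[1] }

if (Test-Path cert.cer) {
    # 3a. Issued immediately: bind the certificate to the private key in the store.
    certreq -accept cert.cer
}
elseif ($requestId) {
    # 3b. Pending: run this again after the CA administrator has approved the request.
    certreq -retrieve -config $caConfig $requestId cert.cer
    if (Test-Path cert.cer) { certreq -accept cert.cer }
}
else {
    Write-Warning 'The request was rejected; see the CA output above.'
}
```

The Exportable = FALSE line is the setting to pay attention to: the page notes that the wizard only marks EFS-related keys exportable, and keeping that default for other certificate types means the private key cannot later be copied out of the store as a PKCS #12 file, which limits the impact of a compromised account on that computer.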

For more information about certificates and certification authorities, see Certificates and certification authorities.