Creating Certificate Requests By Using Certificate Enrollment Control

  • Article

Applies To: Windows Server 2008

For a certificate to be issued from a certification authority (CA), typically, a key pair is first generated at the client computer comprising a public and private key. The public half of the key pair is then sent to a CA together with other information about the subject (for example, Subject name) in a request that allows the public key and the subject to be associated together. The CA then generates and signs the certificate containing the subject name and public key together with other information as required.

There are several different mechanisms that can generate certificate requests within the Windows® environment. These mechanisms include auto-enrollment, Certificate Manager in the Microsoft® Management Console (MMC), a Web interface, command-line utilities (CertReq), and others. In certain circumstances, however, the existing mechanisms for generating certificate requests may not meet the requirements of the environment. Then, it is necessary to generate custom requests using either scripts or code.

Windows Vista also introduces Cryptography Next Generation (CNG), which extends cryptographic support for newer advanced cryptographic algorithms including Elliptical Curve Cryptography (ECC), Elliptic Curve Digital Signature Algorithm (ECDSA), and Elliptic Curve Diffie-Hellman (ECDH) (at 256, 384, and 512 bits), Advanced Encryption Standard (AES), and Secure Hash Algorithm (SHA)-2 (at 256, 384, and 512 bits).

This white paper discusses the mechanism to create various certificate request types using the Windows Certificate Enrollment Control, which is natively part of the Windows Server® 2008 operating system. This white paper also looks at how requests can be produced using the advanced cryptographic algorithms.

The Certificate Enrollment Control replaces the older xenroll.dll that was used in earlier versions of Windows for creating certificate requests. The older xenroll.dll interface is not supported for Windows Vista or Windows Server 2008.

Sample code is provided, written in Microsoft Visual C#®, Microsoft Visual C++®, Microsoft Visual Basic® .NET (VB.NET), and Visual Basic Scripting Edition (VBScript). The purpose of the code samples in this white paper is to provide some useful information when the built-in Windows enrollment functionality is not sufficient to meet requirements.