The policy of a certification authority (CA) determines the types of certificates a user can request and the options they can configure. If enabled, you can use the Advanced Certificate Request Web page to set the following options for each certificate requested:
- Certificate template (from an enterprise CA) or Type of certificate needed (from a stand-alone CA). Indicates what applications the public key in the certificate can be used for, such as client authentication or e-mail.
- Cryptographic service provider (CSP). A CSP is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards.
- Key size. The length, in bits, of the public key on the certificate. In general, longer keys are more difficult for a malicious user to break than shorter keys.
- Hash algorithm. A good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD2, MD4, MD5, and SHA-1.
- Key usage. How the private key can be used. Exchange means that the private key can be used to enable the exchange of sensitive information. Signature means that the private key can be used only to create a digital signature. Both means that the key can be used for both exchange and signature functions.
- Create new key set or Use existing key set. You can use an existing public and private key pair stored on your computer or create a new public and private key pair for a certificate.
- Enable strong private key protection. When you enable strong private key protection, you will be prompted for a password every time the private key needs to be used.
- Mark keys as exportable. When you mark keys as exportable, you can save the public key and the private key to a PKCS #12 file. This is useful if you change computers and want to move the key pair, or if you want to remove the key pair and secure it in another location.
- Store certificates in the local computer certificate store. Select this option if the computer will need access to the private key associated with the certificate when other users are logged on. Select this option when requesting certificates intended to be issued to computers (such as Web servers) instead of certificates issued to users.
- Request format. This section can be used to select either PKCS #10 or CMC formats. If you want to submit the request later, you can also select Save request to file.
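The key size and hash algorithm chosen above are encoded in the request itself, so they can be checked before a request is submitted. The following Python code is an added example, not part of the original documentation: it reads the RSA key size and signature hash from a DER-encoded PKCS #10 request and flags weak choices. The 2048-bit minimum, the weak-hash set, and all function names are assumptions of this example, and the sample input is constructed and unsigned.

```python
# Added example: audit the RSA key size and signature hash of a DER PKCS #10 request.
PKCS1 = bytes.fromhex("2a864886f70d0101")  # OID 1.2.840.113549.1.1; next arc = algorithm
HASH_BY_ARC = {2: "MD2", 3: "MD4", 4: "MD5", 5: "SHA-1", 11: "SHA-256"}
WEAK_HASHES = {"MD2", "MD4", "MD5", "SHA-1"}  # assumption: this example's policy

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def audit_request(der, min_bits=2048):
    """Return (key_bits, hash_name, findings). Handles RSA requests only."""
    info, sig_alg, _signature = children(read_tlv(der)[1])
    spki = children(info[1])[2][1]        # version, subject, SPKI, attributes
    bit_string = children(spki)[1][1]     # BIT STRING wrapping RSAPublicKey
    modulus = children(read_tlv(bit_string[1:])[1])[0][1]  # skip unused-bits byte
    bits = int.from_bytes(modulus, "big").bit_length()
    oid = children(sig_alg[1])[0][1]
    hash_name = HASH_BY_ARC.get(oid[-1], "unknown") if oid[:-1] == PKCS1 else "unknown"
    findings = [f"key size {bits} below {min_bits}"] if bits < min_bits else []
    if hash_name in WEAK_HASHES:
        findings.append(f"weak hash {hash_name}")
    return bits, hash_name, findings

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_request(key_bits, sig_arc):
    """Constructed, unsigned stand-in with the PKCS #10 layout (not a real request)."""
    alg = lambda arc: tlv(0x30, tlv(0x06, PKCS1 + bytes([arc])) + tlv(0x05, b""))
    modulus = b"\x00" + ((1 << (key_bits - 1)) | 1).to_bytes(key_bits // 8, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg(1) + tlv(0x03, b"\x00" + key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + alg(sig_arc) + tlv(0x03, b"\x00" * 9))
```

For example, `audit_request(sample_request(1024, 4))` reports a 1024-bit key signed with MD5 and returns both findings.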
Users or local Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.
To submit an advanced certificate request over the Web
- Open a Web browser.
- Open https://servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages.
- Click Request a certificate.
- Click Advanced certificate request.
- Click Create and submit a certificate request to this CA.
- Fill in any identifying information requested and any other options you require.
- Click Submit.
- Do one of the following:
  - If the Certificate Pending Web page appears, see Check on a Pending Certificate Request for the procedure to check on a pending certificate.
  - If the Certificate Issued Web page appears, click Install this certificate.
Additional considerations
- User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.
- In order for a user to obtain a certificate by using Web enrollment, an administrator must set the appropriate permissions on the certificate templates on which the requested certificate is based.