The policy of a certification authority (CA) determines the types of certificates a user can request and the options they can configure. If the Advanced Certificate Request Web page is enabled, you can use it to set the following options for each certificate requested:

  • Certificate template (from an enterprise CA) or Type of certificate needed (from a stand-alone CA). Indicates what applications the public key in the certificate can be used for, such as client authentication or e-mail.

  • Cryptographic service provider (CSP). A CSP is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards.

  • Key size. The length, in bits, of the public key on the certificate. In general, longer keys are more difficult for a malicious user to break than shorter keys.

  • Hash algorithm. A good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD2, MD4, MD5, and SHA-1.

  • Key usage. How the private key can be used. Exchange means that the private key can be used to enable the exchange of sensitive information. Signature means that the private key can be used only to create a digital signature. Both means that the key can be used for both exchange and signature functions.

  • Create new key set or Use existing key set. You can use an existing public and private key pair stored on your computer or create a new public and private key pair for a certificate.

  • Enable strong private key protection. When you enable strong private key protection, you will be prompted for a password every time the private key needs to be used.

  • Mark keys as exportable. When you mark keys as exportable, you can save the public key and the private key to a PKCS #12 file. This is useful if you change computers and want to move the key pair, or if you want to remove the key pair and secure it in another location.

  • Store certificates in the local computer certificate store. Select this option if the computer will need access to the private key associated with the certificate when other users are logged on. Select this option when requesting certificates intended to be issued to computers (such as Web servers) instead of certificates issued to users.

  • Request format. This section can be used to select either PKCS #10 or CMC formats. If you want to submit the request later, you can also select Save request to file.
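The options above map onto the settings of a certreq.exe request policy file, which is a convenient way to review them together. The following file is an added example, not part of the original topic; the subject name, the file name, and the WebServer template are assumptions, and the values show a hardened choice for a Web server certificate.

```ini
; request.inf (constructed example; subject and template are placeholders)
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Identifying information for the certificate.
Subject = "CN=www.example.test"

; Cryptographic service provider (CSP) that creates and holds the key.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

; Key size in bits.
KeyLength = 2048

; Hash algorithm used to sign the request. SHA-256 is chosen here because
; MD5 and SHA-1 have known practical collisions.
HashAlgorithm = SHA256

; Key usage: 1 = Exchange (AT_KEYEXCHANGE), 2 = Signature (AT_SIGNATURE).
KeySpec = 1
; 0xa0 = Digital Signature (0x80) + Key Encipherment (0x20).
KeyUsage = 0xa0

; Create new key set rather than reuse an existing one.
UseExistingKeySet = FALSE

; Mark keys as exportable: FALSE keeps the private key from being saved
; to a PKCS #12 file.
Exportable = FALSE

; Store the certificate in the local computer certificate store.
; Strong private key protection is left off: a computer key has no
; interactive user to answer the prompt.
MachineKeySet = TRUE

; Request format: PKCS10 or CMC.
RequestType = PKCS10

[RequestAttributes]
; Certificate template (enterprise CA only).
CertificateTemplate = WebServer
```

Running `certreq -new request.inf request.req` writes the request to a file, the equivalent of selecting Save request to file.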

Users or local Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To submit an advanced certificate request over the Web
  1. Open a Web browser.

  2. Open https://servername/certsrv, where servername is the name of the Web server hosting the CA Web enrollment pages.

  3. Click Request a certificate.

  4. Click Advanced certificate request.

  5. Click Create and submit a certificate request to this CA.

  6. Fill in any identifying information requested and any other options you require.

  7. Click Submit.

  8. Do one of the following:

    • If the Certificate Pending Web page appears, see Check on a Pending Certificate Request for the procedure to check on a pending certificate.

    • If the Certificate Issued Web page appears, click Install this certificate.

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

  • In order for a user to obtain a certificate by using Web enrollment, an administrator must set the appropriate permissions on the certificate templates on which the requested certificate is based.
