
Planning the Enrolment and Distribution of Certificates

A request must first be made before a CA issues a certificate. In some cases, this is automatic (e.g., a smart card logon to a domain), while in other cases user interaction is required.

Run the Certificates MMC and select Certificates > Personal > All Tasks > Request New Certificate. You are then presented with a choice of certificate templates (i.e. policies). These templates control the issuing of a certificate, and the dialog box may include additional choices if you requested additional functionality, such as a smart card. Lastly, you assign a friendly name and description. If the certificate is granted to a user, the user can cancel, install or view the certificate. This method of requesting a certificate works only with an Enterprise CA.

The other manual way of obtaining a certificate is via the Certificate Services Web Page, which is accessible through http://<servername>/certsrv, where <servername> is the name of the server hosting Certificate Services as shown in the Advanced Certificate Request dialog box. From here, you can choose to Request a certificate. This works with a Standalone or Enterprise CA.

An Enterprise CA will either grant or refuse to grant a certificate request. If it is granted, the user is asked to install the certificate. A Standalone CA will place the request in a pending state so that an administrator can deal with it later. One advantage of requesting a certificate from an Enterprise CA is that the user gets an automatic response as to the success of the request. You can check the status of a pending certificate by typing http://<servername>/certsrv and then selecting Check on a pending certificate. You will be presented with a list of certificates in one of these states: denied, issued or pending.
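The same request made from the command line with the built-in certreq tool, as an added example that is not part of the original page: it submits a request and handles both outcomes described above (issued at once, or left pending for an administrator). The CA config string, subject, template name and file names are placeholder assumptions, and the outcome check assumes certreq's English console messages.

```powershell
# Added example. Placeholders (assumptions): CA config string, subject, template, file names.
$CaConfig = 'ca01.example.test\Example-CA'   # "<servername>\<CA name>", placeholder
$Template = 'User'                           # Enterprise CA only; set to '' for a Standalone CA
$WorkDir  = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Inf = Join-Path $WorkDir 'request.inf'
$Req = Join-Path $WorkDir 'request.req'
$Cer = Join-Path $WorkDir 'issued.cer'
Remove-Item $Req, $Cer -ErrorAction SilentlyContinue   # avoid overwrite prompts

# Request policy: the key pair is generated locally and marked non-exportable.
$lines = @(
    '[Version]',
    'Signature="$Windows NT$"',
    '[NewRequest]',
    'Subject = "CN=Example User"',
    'KeyLength = 2048',
    'Exportable = FALSE',
    'RequestType = PKCS10'
)
if ($Template) { $lines += '[RequestAttributes]', "CertificateTemplate = $Template" }
Set-Content -Path $Inf -Value $lines -Encoding ASCII

# Build the PKCS#10 request; the private key stays in this user's store.
certreq -new $Inf $Req | Out-Null
if (-not (Test-Path $Req)) { throw 'certreq -new did not produce a request file' }

# Submit and capture the console text so the request ID can be recorded.
$out = (certreq -submit -config $CaConfig $Req $Cer 2>&1 | Out-String)
$requestId = if ($out -match 'RequestId:\s*"?(\d+)') { $Matches[1] } else { $null }

if (Test-Path $Cer) {
    # Issued immediately: bind the certificate to the waiting private key.
    certreq -accept $Cer | Out-Null
    "Issued (request $requestId) and installed."
} elseif ($requestId -and $out -match 'pending') {
    # Pending: keep the request ID. Retrieval and accept must run as the same
    # user on the same machine, because that is where the private key lives.
    "Pending as request $requestId. After an administrator issues it, run:"
    "  certreq -retrieve -config `"$CaConfig`" $requestId `"$Cer`""
    "  certreq -accept `"$Cer`""
} else {
    "Request denied or failed:`n$out"
}
```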
