Microsoft KB Archive/313477

= HOW TO: Get a Certificate Signed by an Off-Network Root Authority in Windows 2000 =

PSS ID Number: 313477

Article Last Modified on 10/21/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server




This article was previously published under Q313477



IN THIS TASK

 * SUMMARY
 * Get a Certificate Signature from a Root Authority
 * Approve a Certificate Request for a Stand-Alone Certificate Authority
 * REFERENCES



SUMMARY
Microsoft Certificate Services can provide digital certificates for client applications, users, and computers. A certification authority (CA) provides a measure of proof that the individual who is holding the signed certificate has been identified and verified by a trusted third party. The owner of the CA is the trusted third party.

An entity must complete a certificate request before the request can be signed by a CA. Examples of entities that require certificates include subordinate Certification Authority services, Web servers, and Web proxy servers that are acting on the behalf of a Web server. Certificates can also be used to establish credentials for Internet Protocol security (IPSec) communications.

Microsoft Certificate Services can provide signed certificates in two ways: by direct request from the Certificate Services Web site, where you fill in a request form, or from information that is contained in a base64 encoded PKCS #7. The latter option allows a great degree of flexibility and security because the requestor can formulate the request and present it to a Root CA that is not directly connected to the network.


Get a Certificate Signature from a Root Authority
To sign a certificate request, perform the following steps on the off-network Root authority:
 * 1) Start Internet Explorer.
 * 2) In the Address bar, type http:// /certsrv/, and then click Go or press ENTER.
 * 3) On the Welcome page, click the Request a certificate option, and then click Next.
 * 4) On the Choose Request Type page, click the Advanced Request option, and then click Next.
 * 5) On the Advanced Certificate Requests page, click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file option.
 * 6) If you are using the default Internet Explorer settings, you may see a dialog box that indicates that your Web browser settings prohibit this page from accessing the disk. Click OK to continue.
 * 7) On the Submit a Saved Request page, paste the certificate request information into the Base64 Encoded Certificate Request (PKCS #10 or #7) box. In the Certificate Template box, select the type of certificate that you require, and then click Submit.
 * 8) On the Certificate Issued page, click either DER encoded or Base 64 encoded depending on your requirements. You can now copy the certificate to a disk for a secure transfer.
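Before pasting a request into the Base64 Encoded Certificate Request box in step 7, it helps to confirm that the text survived the transfer to the off-network CA intact. The following is an added example, not part of the original article: it uses only the Python standard library to check the DER framing, tell a PKCS #10 request from a PKCS #7 renewal, and produce a SHA-256 fingerprint that can be compared with one taken on the requesting machine. The function names and the sample request are constructed for illustration.

```python
import base64
import hashlib
import re

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: the byte is the length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of data (truncated paste?)")
    return tag, pos, pos + length

def check_request(text):
    """Classify a pasted base64 request and return (kind, SHA-256 of the DER)."""
    body = re.sub(r"-----[^-]+-----", "", text)          # drop BEGIN/END lines
    der = base64.b64decode("".join(body.split()), validate=True)
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one complete DER SEQUENCE")
    first_tag, _, _ = read_tlv(der, start)
    # PKCS #10 starts with a SEQUENCE (CertificationRequestInfo); PKCS #7 with an OID.
    kind = {0x30: "PKCS #10", 0x06: "PKCS #7"}.get(first_tag, "unknown")
    return kind, hashlib.sha256(der).hexdigest()

def der_encode(tag, content):
    """Minimal DER encoder (content < 256 bytes), used only to build the sample."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content

# Constructed sample with placeholder fields: PKCS #10 in shape, not a usable request.
info = der_encode(0x30, der_encode(0x02, b"\x00") + der_encode(0x30, b"")
                  + der_encode(0x30, b"") + der_encode(0xA0, b""))
alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010105"))
                 + der_encode(0x05, b""))
SAMPLE_DER = der_encode(0x30, info + alg + der_encode(0x03, b"\x00" + bytes(128)))
SAMPLE = ("-----BEGIN NEW CERTIFICATE REQUEST-----\n"
          + base64.encodebytes(SAMPLE_DER).decode()
          + "-----END NEW CERTIFICATE REQUEST-----\n")
```

Calling `check_request` on the request text on both machines and comparing the returned fingerprints shows whether the request changed in transit. The check covers framing only and does not verify the request's signature or contents.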


Approve a Certificate Request for a Stand-Alone Certificate Authority
You can configure a stand-alone CA to defer issuance of a certificate until a certificate services administrator approves the request. To approve the request and to retrieve the certificate:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
 * 2) In the console tree, click the   folder, and then click Pending Requests.
 * 3) Right-click the request in the details pane, point to All Tasks, and then click Issue.
 * 4) In Internet Explorer, type http:// /certsrv in the Address bar, and then click Go, or press ENTER.
 * 5) On the Welcome page, click Check on a pending certificate, and then click Next.
 * 6) On the Check on a Pending Certificate Request page, select the certificate request, and then click Next.
 * 7) On the Certificate Issued page, select the appropriate certificate type, and then click the certificate to download it.


