Building a Certificate

To build a certificate, the following call order will occur:

  1. Certificate Authority (CA) initializes modules through calls to ICertPolicy and ICertExit (happens once on server initialization). The CA will initialize the policy and exit modules by calling ICertPolicy::Initialize and ICertExit::Initialize.
  2. Intermediary to CA through ICertConfig (happens once per intermediary init). The intermediary finds the needed configuration string by calling ICertConfig::GetConfig.
  3. Client to intermediary through any transport (not defined by Certificate Services; happens once per request). The client sends a certificate request to the intermediary. This can be, for example, Microsoft® Internet Explorer sending a request through CertEnroll.dll to Microsoft Internet Information Server.
  4. Intermediary to CA through ICertRequest (happens once per request). The intermediary sends the certificate request to the CA through ICertRequest::Submit. In the case of Internet Information Server, this could be done through Active Server Page scripts.
  5. CA calls Policy Module through ICertPolicy (happens once per request). The CA notifies the policy module that a request has arrived by calling ICertPolicy::VerifyRequest. The policy module can indicate that the request is OK, the request is to be denied, or the request should be suspended. If the request is suspended, the admin must resubmit the request.
  6. Admin calls CA through ICertAdmin. If the request is suspended, the admin can resubmit the request.
  7. Policy Module modifies the certificate through ICertServerPolicy (optional). The policy module can examine the request and change the certificate by calling methods of ICertServerPolicy. The certificate is built at this point.
  8. CA calls Exit Module through ICertExit. If the exit module indicated that it is interested in seeing certificates issued (when the CA called ICertExit::Initialize), the CA will call ICertExit::Notify.
  9. Exit module calls the CA through ICertServerExit. The exit module can examine the request and the new certificate by calling methods of ICertServerExit.
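
As an added example (not part of the original documentation), the script below walks steps 2, 4, 5 and 6 from the intermediary's side in PowerShell, using the Certificate Services COM objects (CertificateAuthority.Config, CertificateAuthority.Request, CertificateAuthority.Admin) and the constants from certcli.h; the request file path is an assumption, and the resubmit in step 6 requires Manage CA rights.

```powershell
# Added example, not code from the original page. Constants are the certcli.h values.
$CC_DEFAULTCONFIG         = 0      # ICertConfig::GetConfig: default CA from the config store
$CR_IN_BASE64HEADER       = 0      # request is PEM-wrapped Base64
$CR_IN_PKCS10             = 0x100  # request is a PKCS #10 CSR
$CR_OUT_BASE64HEADER      = 0      # return the certificate PEM-wrapped
$CR_DISP_DENIED           = 2
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5      # policy module suspended it; an admin must resubmit

# Step 2: the intermediary obtains the "machine\CA name" config string via ICertConfig.
$config = (New-Object -ComObject CertificateAuthority.Config).GetConfig($CC_DEFAULTCONFIG)

# Step 3 has already happened: the client's PKCS #10 request is on disk (path is hypothetical).
$csrPath = 'C:\temp\client.req'
$csr = Get-Content -Path $csrPath -Raw

# Step 4: ICertRequest::Submit hands the request to the CA. The attribute string
# (empty here) is passed through to the policy module, so only forward what the
# policy needs and treat anything client-supplied in it as untrusted.
$request = New-Object -ComObject CertificateAuthority.Request
$disposition = $request.Submit(($CR_IN_BASE64HEADER -bor $CR_IN_PKCS10), $csr, '', $config)
$requestId = $request.GetRequestId()

# Step 5: the disposition reflects what ICertPolicy::VerifyRequest decided.
switch ($disposition) {
    $CR_DISP_ISSUED {
        Write-Output "Request $requestId issued"
        $request.GetCertificate($CR_OUT_BASE64HEADER) | Set-Content -Path "$csrPath.cer"
    }
    $CR_DISP_DENIED {
        Write-Output "Request $requestId denied: $($request.GetDispositionMessage())"
    }
    $CR_DISP_UNDER_SUBMISSION {
        # Step 6: only an administrator, through ICertAdmin, can move a suspended request on.
        Write-Output "Request $requestId suspended; resubmitting as CA administrator"
        $admin = New-Object -ComObject CertificateAuthority.Admin
        $admin.ResubmitRequest($config, $requestId) | Out-Null
        # The intermediary then retrieves the outcome by request ID.
        if ($request.RetrievePending($requestId, $config) -eq $CR_DISP_ISSUED) {
            $request.GetCertificate($CR_OUT_BASE64HEADER) | Set-Content -Path "$csrPath.cer"
        }
    }
    default { Write-Output "Request $requestId finished with disposition $disposition" }
}
```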