Certificate Server Usage Scenarios

Microsoft® Certificate Server is designed for web-based applications that require authentication and secure communications based on the Secure Sockets Layer (SSL) protocol. It can also support other certificate-based applications, such as secure e-mail with Secure/Multipurpose Internet Mail Extensions (S/MIME), secure payment with Secure Electronic Extensions (SET), and digital signatures with Microsoft Authenticode™. In the case of SSL, an organization can use the certificate server to issue both server and client certificates in the standard X.509 version 3.0 format. The organization may elect to issue all certificates from a single certificate server or to use multiple certificate servers chained together in a Certificate Authority (CA) hierarchy.

At the most basic level, the role of Certificate Server is to receive a PKCS #10 certificate request, verify the information in the request, and issue a corresponding X.509 certificate (or, possibly, a certificate chain) in PKCS #7 format. In the case of a user who wants to obtain a certificate for a web browser, the certificate request is typically generated by visiting a web site and enrolling for a certificate. To enroll, the user enters identifying information (for example, name, address, e-mail) into an HTML form; the browser generates a key pair and sends the public key to the CA in a PKCS #10 request. If all of the identifying information meets the CA's criteria for granting a request, the Certificate Server generates the certificate, which is then downloaded to the user's browser.
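The enrollment flow described above, worked end to end as an added example that is not part of the Microsoft document and does not use Certificate Server itself: the client generates a key pair and a PKCS #10 request, the CA verifies the request's self-signature and checks the identifying information against an issuance rule, issues an X.509 v3 certificate, and returns it together with the CA certificate as a PKCS #7 bundle. It is driven with the `openssl` command-line tool; the CA name, the subject fields, the extension profiles (`v3_ca`, `v3_client`) and the policy rule (both a CN and an e-mail address must be present) are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Microsoft document): PKCS #10 in, X.509 v3
# out, packaged as PKCS #7. All names and policy rules are constructed.
set -eu

# Minimal OpenSSL config: the CA's own subject plus two hypothetical
# X.509 v3 extension profiles, one for the root and one for end users.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA side: key pair and self-signed root certificate.
create_ca() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -extensions v3_ca -days 365 -out "$dir/ca.crt"
}

# Client side: what the browser does after the HTML form is submitted.
# A key pair is generated and only the public key, with the identifying
# information, goes into the PKCS #10 request (the private key stays local).
make_request() {
    dir=$1; subj=$2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/client.key" 2>/dev/null
    openssl req -new -key "$dir/client.key" -config "$dir/ca.cnf" \
        -subj "$subj" -out "$dir/client.csr"
}

# CA side: "verify the information in the request". First the request's
# self-signature (proof that the requester holds the private key), then
# the constructed issuance criterion: a CN and an e-mail address must both
# be present. Returns 1 if either check fails, so nothing gets issued.
check_request() {
    csr=$1; cnf=$2
    openssl req -in "$csr" -config "$cnf" -noout -verify 2>/dev/null || return 1
    subject=$(openssl req -in "$csr" -config "$cnf" -noout -subject)
    printf '%s\n' "$subject" | grep -q 'CN *=' || return 1
    printf '%s\n' "$subject" | grep -q 'emailAddress *=' || return 1
}

# CA side: sign the request as an X.509 v3 end-entity certificate and
# package it with the CA certificate as a PKCS #7 (PEM) bundle.
issue_certificate() {
    dir=$1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/ca.cnf" -extensions v3_client \
        -out "$dir/client.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$dir/client.crt" \
        -certfile "$dir/ca.crt" -out "$dir/chain.p7b"
}

# One complete enrollment for the given subject in directory $1.
# Returns 0 only if the request passes both checks and the issued
# certificate verifies against the CA; a rejected request leaves no cert.
enroll() {
    dir=$1; subj=$2
    write_config "$dir/ca.cnf"
    [ -f "$dir/ca.crt" ] || create_ca "$dir"
    make_request "$dir" "$subj"
    check_request "$dir/client.csr" "$dir/ca.cnf" || return 1
    issue_certificate "$dir"
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null
}

# Usage: run one enrollment against a scratch directory.
work=$(mktemp -d)
enroll "$work" "/CN=Alice Example/emailAddress=alice@example.com"
echo "issued $work/client.crt and bundled it in $work/chain.p7b"
```

The policy check is deliberately separate from signing: the CA must refuse before `openssl x509 -req` runs, since a certificate issued on unverified identifying information cannot be recalled without revocation. The PKCS #7 bundle carries two certificates (end entity plus CA) but no private key, which is the shape a browser expects when it installs the result of an enrollment.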