Windows 2000 Certificate Services and Public Key Infrastructure


Requesting Certificates with the Certificate Request Wizard

You can request certificates for Windows 2000–based computers by using the Certificates console. When you right-click the Personal store for a user or for a computer and then click All Tasks and Request New Certificate, the Certificate Request wizard appears. You can use the Certificate Request wizard to request a certificate from an active enterprise CA. The Certificate Request wizard lists all certificate types that the user or computer is eligible to obtain. You can select a certificate type and submit the request to any active CA that is configured to issue that type. If no CA is available to process certificate requests or the user or computer is not eligible for any certificate types, the Certificate Request wizard does not appear.

You can select the Advanced check box on the first page of the Certificate Request wizard to choose advanced options. The advanced options enable you to select the CSP that is used with the certificate (as long as the CSP supports the cryptographic operations required for that certificate type). For user certificates only, you can also select the Enable strong private key check box, which means that the system prompts the user for permission before conducting cryptographic operations with the user's private key. Strong private key protection is not available for computer certificates.

When you are choosing strong private key security, you can select either Medium security or High security. For Medium security, the system prompts the user for permission before using the private key, but it does not require a password. For High security, the user also must specify a password, which is used to protect the private key.

When you are requesting EFS user certificates, you can choose Enable strong private key, but EFS does not support a user interface, so users are never prompted for EFS user operations. However, strong private key protection works for recovery agent certificates. When you are requesting recovery agent certificates, consider choosing Enable strong private key and High security to provide an additional level of security for EFS recovery operations. Likewise, consider choosing High security to password-protect the private keys for smart card enrollment agent certificates, code signing certificates, and trust list signing certificates, which might be misused to cause significant damage to your network resources.

When the CA issues the requested certificate, you can choose to view the certificate or install the certificate in the Personal store for the selected user or computer. Users also can request certificates from CAs with the Web Enrollment Support pages.

© 1985-2000 Microsoft Corporation. All rights reserved.