Platform SDK: Certificate Enrollment Control
The Certificate Enrollment Control is designed to make it easier to develop an application that must request that a certificate be issued to a named subject. It is designed to accept data in the form of a binary string (BSTR), from a web page or from either a Microsoft® Visual Basic® or C++ user interface. The output from the Certificate Enrollment Control is a PKCS #10 certificate request that can be sent on to a certification authority (CA), as shown in the following illustration.
Necessary information about the user (certificate subject) is collected by the user interface and is provided as a BSTR input to the Certificate Enrollment Control. The Certificate Enrollment Control generates the appropriate key pair (signature, key exchange, or both) and then generates and signs a PKCS #10 certificate request using the generated private key. The Certificate Enrollment Control then links the key pair to a dummy (temporary) certificate, which is stored in the request store until the issued certificate is returned from a certification authority. Next, the application sends the PKCS #10 to a CA.
If the CA approves the certificate request, the CA creates a certificate that contains the public key and signs that certificate.
When the requested certificate is returned from the CA, the application passes the PKCS #7 message back to the Certificate Enrollment Control, where the certificate (or chain of certificates) is pulled from the PKCS #7 message. The certificate is stored in a certificate store, as are any other certificates in the chain of trust. The returned certificate is not modified in any way. Any certificate-aware application can now access this certificate from the store.
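The flow described above, written out as an added example (not the SDK's own sample code) in VBScript for cscript on a Windows host: it drives the control through its ICEnroll interface (createPKCS10 and acceptPKCS7) and submits the request with the ICertRequest interface from certcli. The subject name, CA configuration string and template attribute are placeholders, and the key-generation settings are assumptions about the deployment, not values from the page.

```vbscript
' Added example, not from the SDK page: drive the Certificate Enrollment Control
' end to end. Assumptions: an enterprise CA is reachable; the subject, template
' and CA config string below are placeholders to replace.
Option Explicit

Const AT_KEYEXCHANGE = 1         ' KeySpec: 1 = key exchange, 2 = signature
Const CR_IN_BASE64 = &H1
Const CR_IN_PKCS10 = &H100
Const CR_OUT_BASE64 = &H1
Const CR_OUT_CHAIN = &H100       ' ask the CA for the PKCS #7 with the full chain
Const CR_DISP_ISSUED = 3

Dim enroll, req, pkcs10, disposition, pkcs7
Set enroll = CreateObject("CEnroll.CEnroll")

' Key generation happens inside the control. Leave the private key
' non-exportable (the default GenKeyFlags) and request a 2048-bit key; the
' key length is carried in the upper 16 bits of GenKeyFlags.
enroll.KeySpec = AT_KEYEXCHANGE
enroll.GenKeyFlags = 2048 * &H10000

' Step 1: the subject information gathered by the UI goes in as a string. The
' control generates the key pair, signs the PKCS #10 with the private key, and
' parks the key under a dummy certificate in the request store.
pkcs10 = enroll.createPKCS10("CN=PLACEHOLDER_USER,OU=Users,DC=example,DC=com", _
                             "1.3.6.1.5.5.7.3.2")   ' client-authentication EKU

' Step 2: send the PKCS #10 to the CA (certcli ICertRequest).
Set req = CreateObject("CertificateAuthority.Request")
disposition = req.Submit(CR_IN_BASE64 Or CR_IN_PKCS10, pkcs10, _
                         "CertificateTemplate:User", "CA_HOST\CA_NAME_PLACEHOLDER")

If disposition <> CR_DISP_ISSUED Then
    ' Pending or denied: nothing is installed, and the dummy certificate stays in
    ' the request store until the application retrieves or abandons the request.
    WScript.Echo "Request not issued, disposition " & disposition & _
                 ": " & req.GetDispositionMessage()
    WScript.Quit 1
End If

' Step 3: hand the PKCS #7 back. The control matches the issued certificate to
' the waiting key pair and stores it, plus the chain, without modifying it.
pkcs7 = req.GetCertificate(CR_OUT_BASE64 Or CR_OUT_CHAIN)
enroll.acceptPKCS7 pkcs7
WScript.Echo "Certificate installed in the MY store; chain certificates placed in CA/ROOT."
```

If the CA holds the request for approval, the disposition is pending rather than issued; the application must retrieve the certificate later (for example with ICertRequest::RetrievePending) and only then call acceptPKCS7.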