Microsoft Certificate Server enables anyone to issue digital certificates for Web servers, clients, organizations, and others. Given that anyone can issue digital certificates, how can you be sure that the owner of a certificate is who it claims to be, and not, for example, a Trojan Web server impersonating a legitimate one?
In the process of issuing a digital certificate, the Certificate Authority (CA) validates the identity of the individual requesting the certificate and then signs the certificate with its own private key.
A client application—such as Microsoft Internet Explorer—will check the CA signature before accepting a certificate. If the CA signature is not valid, or if it comes from an unknown Certificate Authority, Microsoft Internet Explorer will warn the user by displaying a security message and may prevent the user from accepting the certificate.
If the certificates issued by your Certificate Server are to be trusted by applications such as Microsoft Internet Explorer, you must identify your Certificate Server to those applications as a Certificate Authority by installing its CA certificate on each client. Until the CA certificate is installed, every certificate the server issues appears to come from an unknown Certificate Authority.
Certificate Server includes support for client certificate enrollment using Microsoft Internet Explorer version 3.0 or later and Netscape Navigator. To obtain a client certificate with these browsers, open the client authentication page and submit your identification information. After Certificate Server creates the client certificate, it returns the certificate to the browser, which installs it on your computer.
Servers that wish to perform authentication of clients must obtain and install a CA certificate provided by the CA that issues the client certificates. The CA certificate is needed by the server to validate the client certificates.
IIS uses CA certificates that are stored in the same location in the system registry as those used by Microsoft Internet Explorer. The procedure for installing CA certificates for use by IIS is therefore to run Microsoft Internet Explorer on the same machine and use it to install the CA certificates, just as you would on a client machine.
Netscape Enterprise Server has a user interface for installing the CA certificate for the CA issuing a server certificate as part of the server certificate installation process.
Note Netscape FastTrack Server does not include a user interface to install new Microsoft Certificate Server CA certificates, so it cannot participate in client or server authentication with locally generated certificates.
Request reception. The client sends the certificate request to an intermediary application, which formats it as a PKCS #10 request and submits it to the Server Engine.
Request approval. The Server Engine calls the Policy Module, which queries the request properties, decides whether the request is authorized, and sets optional certificate properties.
Certificate formation. If the request is approved, the Server Engine takes the request and builds a complete certificate, signed with the CA's private key.
Web Server Enrollment
The CA Certificate List Web page allows Web browsers to obtain and install a CA certificate by selecting it from the list of available certificates. This page is stored, together with the CA certificates, by the Configuration wizard in the Shared Folder and in the Default Web Location.
The Web Server Enrollment Page allows the administrator to submit a certificate request to the Certificate Server through a Web-based user interface. To do this, open the PKCS #10 certificate request file (generated by Key Manager in the IIS MMC Admin) in Notepad, then use the Clipboard to copy and paste the contents of the request file into the text box on the enrollment page. After Certificate Server creates the certificate, it returns the certificate to the browser, which saves it as a file. With IIS, you then run Key Manager and install the new certificate.
Each browser communicating with a Web server that uses a locally generated certificate must obtain and install the CA certificate for the CA that issued the server certificate. The browser uses the CA certificate to validate the server certificate.
Installing CA certificates into Microsoft Internet Explorer version 3.0 or later is accomplished by loading the Certificate Authority Certificate List Web page at the Shared Folder location.
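The request pipeline above (reception of a PKCS #10 request, approval by the Policy Module, certificate formation) and the browser-side check that a server certificate chains to an installed CA certificate can be exercised end to end with Go's standard crypto/x509 package. The following is an added example written for this page; it is not Certificate Server code and does not reproduce its internals. The CA name, the host name www.example.test and the `allowed` map that stands in for a policy module are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func genKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the system RNG is unusable
	}
	return key
}

// newCA creates a self-signed CA certificate and key, standing in for the
// Certificate Server's own CA certificate (the one browsers must install).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeRequestPEM plays the role of Key Manager: a fresh key pair and a PKCS #10
// request for host, PEM-encoded as you would paste it into the enrollment page.
func makeRequestPEM(host string) ([]byte, error) {
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, csr, genKey())
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// issue models the Server Engine's three steps. allowed is a hypothetical
// policy module: the common names an administrator has pre-authorized.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, reqPEM []byte, allowed map[string]bool) (*x509.Certificate, error) {
	// Request reception: decode the PKCS #10 request; its self-signature proves possession of the private key.
	block, _ := pem.Decode(reqPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("not a PEM-encoded PKCS #10 request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature: %w", err)
	}
	// Request approval: the policy module decides whether the request is authorized.
	if !allowed[csr.Subject.CommonName] {
		return nil, fmt.Errorf("policy module rejected %q", csr.Subject.CommonName)
	}
	// Certificate formation: build the certificate and sign it with the CA's private key.
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst does what a browser does with its installed CA certificates: the
// server certificate is accepted only if it chains to one of roots for host.
// Calling it with no roots models a browser that never installed the CA certificate.
func verifyAgainst(cert *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // deliberately not the system store
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

Issue a certificate with `issue(ca, caKey, reqPEM, map[string]bool{"www.example.test": true})` and then call `verifyAgainst` twice, once with the CA certificate and once without: the first returns nil, the second returns an unknown-authority error, which is exactly the condition that makes Internet Explorer display its warning. A certificate for the same host issued by a second, unrelated CA also fails against the first CA's certificate, so a Trojan Web server cannot pass by presenting a certificate from a CA the browser has not installed.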
Viewing Requests with the Filter
In the Certificate Server Queue Administration Form Viewer Web page, click Filter to enter the criteria for the requests you want to view. Click Apply to apply the filter criteria, and then click List View to return to the Certificate Server Queue Administration Web page. Only requests that match the filter criteria are displayed in the list view of the Web page.