Creating a PKCS #10 Request

After a client is authenticated, Enroll.exe creates a base64-encoded PKCS #10 certificate request message and sends it to the Windows 2000 Certificate Server. The Windows CE enrollment client generates a public and private key pair if one does not already exist. Then the client generates and signs a PKCS #10 certificate request by using the private key.

The PKCS #10 certificate request contains the following information:

  • Subject Name. This name is often a placeholder, because a Microsoft enterprise certificate authority populates the subject name (subjectname) and subject alternative name (subaltname) information automatically, based on the credentials of the authenticated user and the information stored in Active Directory. When using a stand-alone certificate authority, you must specify the subject information in the request and then manually validate this information.
  • User public key. This public key corresponds to the requestor's private key.
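The following added example (not code from this page or from Enroll.exe) builds a base64-encoded PKCS #10 request with the two fields listed above, then performs the check a certificate authority makes on receipt: the signature over the request information must verify under the public key embedded in the request. Assumptions: the function names are hypothetical, the RSA key is a constructed demonstration key, the signature algorithm is SHA-256 with RSA, and the subject is a single common name.

```python
import base64, hashlib

# Constructed demo key built from two known Mersenne primes: illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")         # rsaEncryption, NULL
ALG_SHA256_RSA = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption, NULL
SHA256_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def tlv(tag, body):                      # DER-encode one tag-length-value
    n = len(body)
    k = (n.bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def read(buf, pos=0):                    # decode one TLV -> (body, raw TLV bytes, next offset)
    n, i = buf[pos + 1], pos + 2
    if n & 0x80:
        i, n = i + (n & 0x7F), int.from_bytes(buf[i:i + (n & 0x7F)], "big")
    return buf[i:i + n], buf[pos:i + n], i + n

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def emsa(msg, k):                        # PKCS #1 v1.5 encoding of SHA-256(msg), k bytes
    t = SHA256_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def make_request(cn):                    # client: build, sign and base64-encode the request
    spki = tlv(0x30, ALG_RSA + tlv(0x03, b"\x00" + tlv(0x30, der_int(N) + der_int(E))))
    name = tlv(0x30, tlv(0x31, tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, cn.encode()))))
    info = tlv(0x30, der_int(0) + name + spki + b"\xa0\x00")   # version 0, empty attributes
    k = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa(info, k), "big"), D, N).to_bytes(k, "big")
    return base64.b64encode(tlv(0x30, info + ALG_SHA256_RSA + tlv(0x03, b"\x00" + sig))).decode()

def verify_request(b64):                 # CA: subject CN if signed by the embedded key, else None
    req = read(base64.b64decode(b64))[0]
    info_body, info_raw, p = read(req)
    sig = read(req, read(req, p)[2])[0]  # skips signatureAlgorithm (assumed sha256WithRSA)
    name, _, p = read(info_body, read(info_body)[2])           # skips version
    spki = read(info_body, p)[0]
    key = read(read(spki, read(spki)[2])[0][1:])[0]            # RSAPublicKey inside BIT STRING
    n_raw, _, p = read(key)
    n, e = int.from_bytes(n_raw, "big"), int.from_bytes(read(key, p)[0], "big")
    em = emsa(info_raw, (n.bit_length() + 7) // 8)
    if pow(int.from_bytes(sig[1:], "big"), e, n) != int.from_bytes(em, "big"):
        return None
    atv = read(read(name)[0])[0]         # first AttributeTypeAndValue of the subject
    return read(atv, read(atv)[2])[0].decode()
```

The signature check only proves that the requestor holds the private key for the embedded public key; it says nothing about whether the subject name is accurate, which is why an enterprise certificate authority overrides it and a stand-alone one requires manual validation.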

To simplify the enrollment process, Microsoft Certificate Services supports Active Directory-based certificate templates that reduce the amount of information a user has to provide. Instead of filling out a number of fields and specifying several parameters, the user can use a template that specifies most of the parameters required for a certificate. Various default templates include certificates for Client Authentication, Server Authentication, and Code Signing. The user selects the desired certificate template and the enrollment options available in the enrollment configuration file.

For more information about the default templates, see the Windows 2000 Certificate Services article in Microsoft TechNet.

See Also

Enrolling for a Certificate | How to Enroll for a Certificate Using the Default Configuration | How to Enroll for a Certificate Using the Modified Configuration | Creating an Enrollment Environment | Configuring Enroll.exe

Last updated on Wednesday, April 13, 2005

© 2005 Microsoft Corporation. All rights reserved.