Certificate enrollment begins when a user or client initiates a request, which is then sent to a CA for processing. As part of the request, the key pair is generated on the client and a Certificate Template is selected. The request message is known as a PKCS#10 request.

Certificate Templates - each CA publishes a CA object to the Active Directory at installation time. This object contains information about the CA, including which certificates it can issue.

After the CA successfully processes the request, the certificate is issued and returned to the user or client in a message known as a PKCS#7.

Certificate Publishing - publishing certificates to the user object stored in the Active Directory is a feature of Windows 2000 that enables retrieval of a user's S/MIME certificate in order to encrypt data to the user, without the user having to have previously sent a signed message.

All certificate requests are authenticated by the CA's policy module if the CA is an Enterprise CA. Standalone CAs do not authenticate requests.
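
The enrollment flow described above, from client-side key generation through the PKCS#10 request to the PKCS#7 response, can be walked through with certreq.exe and certutil.exe on a current domain-joined Windows client. This is an added example, not part of the original page; the subject name, the template name (User), the CA configuration string and the file names are assumptions.

```powershell
# Added example: manual enrollment against an Enterprise CA.
# Subject, template name, CA config string and file names are assumptions.
$work = Join-Path $env:TEMP 'enroll-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Request policy. The key pair is generated on this client; only the
#    public key and the signed request are sent to the CA.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Alice Example"
KeyLength = 2048
KeySpec = 1            ; AT_KEYEXCHANGE
Exportable = FALSE     ; private key cannot be exported from the client
RequestType = PKCS10   ; emit a PKCS#10 request message

[RequestAttributes]
CertificateTemplate = User   ; template selected as part of the request
'@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# 2. Generate the key pair locally and write the PKCS#10 request.
certreq.exe -new "$work\request.inf" "$work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# 3. Review the request before it leaves the machine: subject, public key,
#    requested template and signature are all visible in the dump.
certutil.exe -dump "$work\request.req"

# 4. Submit to the CA. An Enterprise CA authenticates the requester before
#    issuing. The third file receives the PKCS#7 response.
$ca = 'CA01.corp.example\Corp-Issuing-CA'   # hypothetical "host\CA name"
certreq.exe -submit -config $ca "$work\request.req" "$work\issued.cer" "$work\issued.p7b"
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed ($LASTEXITCODE)" }

# 5. Install the response; certreq binds the issued certificate to the
#    private key created in step 2.
certreq.exe -accept "$work\issued.p7b"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
```

Reviewing the dump in step 3 is the point at which a mismatched subject or an unexpected template can be caught before the CA sees the request.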