
Exercise 12.04).

Certificate Requests

A client has three ways to request a certificate from a CA. The most common is auto-enrollment, and we’ll discuss its deployment shortly. A client can also request a certificate by use of the Certificates snap-in. Clicking Start | Run, typing in certmgr.msc and pressing Enter launches the snap-in, shown in Figure 12.25. Note that the Certificates snap-in does not appear in the Administrative Tools folder, as the Certification Authority snap-in does after installing Certificate Services.

Figure 12.25

Certificates Snap-In

Next, by expanding the Personal container and right-clicking the Certificates container beneath it, you can start the Certificate Request Wizard by choosing All Tasks | Request New Certificate. After the welcome screen, the first screen of the wizard enables you to choose the certificate type. Figure 12.26 shows you the available options. You can only choose a type for which the receiving CA has a template.

Figure 12.26

Certificate Type Screen of the Certificate Request Wizard

If you select the Advanced check box, the next screen (Figure 12.27) enables you to choose the Cryptographic Service Provider (CSP) and key length. You can also mark the key as exportable and/or enable strong private key encryption.

Figure 12.27

Cryptographic Service Provider Screen of the Certificate Request Wizard

Continuing with the advanced options, you can choose Browse the domain to choose a CA to which you want to send the request (Figure 12.28).

Figure 12.28

Certification Authority Screen of the Certificate Request Wizard

Finally, the wizard finishes by prompting you for a friendly name and description for the certificate. The last method for requesting a certificate is to use a Web browser on the client machine. Note that if you use this option, IIS must be installed on the CA. Exercise 12.03 shows the steps for requesting a certificate using a client machine in this manner.
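The same request the wizard builds can be scripted with certreq.exe, which is useful when you need the advanced options (CSP, key length, non-exportable key, target CA) to be reproducible rather than clicked through. The following is an added example, not code from the book or from Microsoft: the CA configuration string ca01.example.com\Example Issuing CA, the subject web01.example.com and the WebServer template are assumptions and must be replaced with values valid in your domain. Each INF field is labelled with the wizard screen it corresponds to.

```powershell
# Added example: command-line equivalent of the Certificate Request Wizard's
# advanced options using certreq.exe and certutil.exe.
# CA config string, subject and template below are assumptions for illustration.
$caConfig = 'ca01.example.com\Example Issuing CA'   # assumed "<CA host>\<CA common name>"
$subject  = 'CN=web01.example.com'                  # assumed subject
$inf      = Join-Path $env:TEMP 'request.inf'
$req      = Join-Path $env:TEMP 'request.req'
$cer      = Join-Path $env:TEMP 'request.cer'

# INF fields map to the wizard screens:
#   ProviderName/ProviderType/KeyLength -> Cryptographic Service Provider screen
#   Exportable                          -> "Mark keys as exportable" check box
#   CertificateTemplate                 -> Certificate Type screen
@"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request. Because MachineKeySet is TRUE
#    the private key is created in the computer store and, with Exportable = FALSE,
#    cannot later be pulled out of it.
certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Check that the CA is reachable over DCOM before submitting (the same CA the
#    wizard's "Browse the domain" screen would have selected).
certutil.exe -config $caConfig -ping
if ($LASTEXITCODE -ne 0) { throw "CA '$caConfig' is not reachable" }

# 3. Submit the request. If the template issues automatically the signed
#    certificate is written to $cer; if it requires CA manager approval the
#    request is left pending and must be fetched later with certreq -retrieve.
certreq.exe -submit -config $caConfig $req $cer
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }

# 4. Install the issued certificate and bind it to the private key created in step 1.
if (Test-Path $cer) {
    certreq.exe -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # 5. Verify: the certificate should be in the machine Personal store with
    #    HasPrivateKey = True. If HasPrivateKey is False, -accept did not match
    #    the request and the certificate is unusable for TLS.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
```

Run this in an elevated PowerShell session on the requesting machine, because MachineKeySet = TRUE writes to the computer's key store. Leaving Exportable at FALSE is the setting to prefer unless you have a documented need to move the key, since a non-exportable key cannot be copied off the host by an attacker who merely gains the account's privileges.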

TEST DAY TIP

The order of component installation can be important when dealing with CAs. If you install Certificate Services before you install IIS, a client will not be able to connect as in the exercise below until you run the following from the command line: certutil -vroot. This establishes the virtual root directories necessary for Web enrollment. Note also that you must have selected the Web enrollment support option during the Certificate Services installation procedure that you completed in