Generating encryption keys and certificate requests

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How you request and receive a certificate depends upon the policies and processes of the certification authority (CA) that issues the certificate. For example, some certification authorities have Web pages to which you can submit a request. Alternatively, if you are in an organization that has deployed Active Directory and Certificate Services, you can use the Certificates snap-in to request a certificate, provided that your computer is a member of a domain and you are authorized to request certificates.

In any case, when you generate a request for a new certificate, the information in that request is first passed from the requesting program to CryptoAPI. CryptoAPI will pass the proper data to a program known as a cryptographic service provider (CSP) that is installed on your computer or on a device that is accessible to your computer. If the CSP is software-based, it will generate a public key and a private key, often referred to as a key pair, on your computer. If the CSP is hardware-based, such as a smart card CSP, it will instruct a piece of hardware to generate the key pair.

After the keys are generated, a software CSP encrypts and then secures the private key. A smart card CSP stores the private key on a smart card and the smart card controls access to the key. The public key is sent to the certification authority, along with the certificate requester information. Once the CA verifies the certificate request according to its policies, it will use its own private key to create a digital signature in the certificate and then issue it to the requester. The certificate requester will then be presented with the certificate from the CA and the option to install it in the appropriate certificate store on the computer or hardware device.
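The flow described above can also be driven from the command line with certreq.exe. The following is an added example, not part of the original page: a request policy file that names the software CSP that generates the key pair, with the commands for each stage shown as comments. The subject name, the file names and the CA configuration string are placeholders.

```ini
; request.inf - added example; Subject, file names and CA string are placeholders
[Version]
Signature = "$Windows NT$"

[NewRequest]
; Requester information that is sent to the CA with the public key
Subject = "CN=server01.example.test"
; 1 = AT_KEYEXCHANGE
KeySpec = 1
KeyLength = 2048
; The private key stays with the CSP and cannot be exported later
Exportable = FALSE
; Create the key pair in the computer's key store, not the user's
MachineKeySet = TRUE
; The CSP that CryptoAPI asks to generate the key pair.
; Name a smart card CSP here to have the card generate and hold the key.
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

; Stage 1: CryptoAPI calls the CSP, which generates the key pair and
;          writes the public key and subject into the request file:
;   certreq -new request.inf request.req
;
; Check:   dump the request to confirm the subject and key length
;          before it goes to the CA:
;   certutil -dump request.req
;
; Stage 2: send the request to the CA, which verifies it against its
;          policies and signs the certificate with its own private key:
;   certreq -submit -config "CAHOST\CA-NAME" request.req server01.cer
;
; Stage 3: install the issued certificate in the certificate store and
;          bind it to the private key the CSP is holding:
;   certreq -accept server01.cer
```

Only request.req leaves the computer; it contains the public key and the requester information, while the private key stays with the CSP throughout.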

For more information about keys and certificates, see Certificates Resources.

For more information, see Requesting certificates.