Obtain Client Certificates
Updated: July 4, 2007
Applies To: Windows Server 2008
You can use this procedure to obtain client certificates for use with HTTPS messaging. Client certificates are used with HTTPS messaging for message authentication and message encryption.
Membership in a group that is added to the Certificate Managers role in the Certification Authority MMC snap-in or equivalent, is the minimum required to complete this procedure. By default, the <Domain>\Domain Admins and <Domain>\Enterprise Admins groups are added to the Certificate Managers role in the Certification Authority MMC snap-in.
To obtain client certificates
In your Web browser, open the form at http://<servername>/certsrv for requesting a certificate from your CA, where <servername> is the name of the Web server where the CA that you want to access is located.
Click Request a certificate, click advanced certificate request, and then click Create and submit a request to this CA.
Type the information requested and any other options required, including:
Select the User option under Certificate Template.
Select the option for Automatic key container name.
Select Mark keys as exportable.
Click Submit, and then do one of the following:
If you see the Certificate Issued Web page, click Install this certificate.
If you see the Certificate Pending Web page, request that the administrator of the CA issue the certificate from the Certification Authority MMC snap-in, then return to the certificate request web page and install the certificate.
If you are finished using the Certificate Services Web pages, close Internet Explorer.
To verify that the client certificate is valid and in the correct certificate store
Open the Certificates snap-in for the Local Computer account. Click Start, click Run, type mmc, and then click OK. On the File menu, click Add/Remove Snap-in, select Certificates from the list of available snap-ins, and then click Add. Select Computer account, click Next, select Local Computer (the computer this console is running on), click Finish, and then click OK.
Locate the installed client certificate in the Personal store under Certificates (Local Computer), and then double-click the certificate to verify it. Click the Certification Path tab of the Certificate dialog box to see the Certificate status.
To copy the certificate to the MSMQ certificates store
Open the Certificates snap-in for the Message Queuing service account in the same MMC console that you have opened the Certificates snap-in for Current User. On the File menu, click Add/Remove Snap-in, select Certificates from the list of available snap-ins, and then click Add. Select Service account, click Next, select Local Computer (the computer this console is running on), and then click Next. In Serviceaccount, select Message Queuing, click Finish and then click OK.
Locate the installed client certificate in the Personal store under Certificates (Local Computer).
- Console Root/Certificates (Local Computer)/Personal/Certificates
Press the CTRL key on your keyboard and drag the certificate with your mouse to copy it to the MSMQ\Personal store under Certificates - Service (Message Queuing) on Local Computer in the Certificates snap-in.
- Console Root/Certificates - Service (Message Queuing) on Local Computer/MSMQ\Personal
To check on a pending certificate request, in the CA Web page, click View the status of a pending certificate request. If you see pending certificates, select the certificate request you want to check, and then click Next. If the status is Still pending, you must wait for the administrator of the CA to issue the certificate. If the status is Issued, to install the certificate, click Install this certificate. If the status is Denied, contact the CA administrator for more information.
Note that before requesting a client certificate, you might need to make the CA web page a trusted site for Internet Explorer. To do this, on the Tools menu in Internet Explorer, click Internet Options. On the Security tab, click Trusted Sites, and then click Sites. Clear the Require server verification (https:) for all sites in the zone check box. Type http://<servername> (where <servername> is a placeholder for the server hosting the CA enrollment web pages), and then click Add.
It is not necessary to have the client certificate locally on the receiving computer, but the receiving computer must be able to access the client certificate.