Building a Certificate

The order of calls in building a certificate is as follows:

  1. Certification authority (CA) initializes its modules through ICertPolicy and ICertExit (happens once, on server initialization). The CA initializes the policy and exit modules by calling ICertPolicy2::Initialize (inherited from ICertPolicy) and ICertExit::Initialize.
  2. Intermediary locates the CA through ICertConfig (happens once per intermediary initialization). The intermediary obtains the configuration string that identifies the CA by calling ICertConfig::GetConfig.
  3. Client calls the intermediary through an interface specific to that intermediary (happens once per request). The client sends a certificate request to the intermediary; for example, Microsoft Internet Explorer sending a request through the Certificate Enrollment Control to Microsoft Internet Information Services.
  4. Intermediary calls the CA through ICertRequest (happens once per request). The intermediary submits the certificate request to the CA by calling ICertRequest::Submit. In the case of Internet Information Services, this could be done from Active Server Pages scripts.
  5. The CA calls the policy module through the ICertPolicy interface (happens once per request). The CA notifies the policy module that a request has arrived by calling ICertPolicy::VerifyRequest. The policy module can examine the request and modify the certificate to be issued by calling methods of the ICertServerPolicy interface. The policy module then indicates one of three outcomes: the request is OK (the certificate is built at this point), the request is denied, or the request is held pending (suspended).
  6. (Optional) Administrator calls the CA through the ICertAdmin interface. If the request is pending, the administrator can resubmit or deny it, or modify its request attributes and extensions. Note that if the request is resubmitted, the policy module gets another opportunity to process it (through a further call to ICertPolicy::VerifyRequest). Resubmitting or denying the request can be done with the Certification Authority MMC snap-in or with any other application that uses ICertAdmin.
  7. The CA calls the exit module through the ICertExit interface. If the exit module indicated (when ICertExit::Initialize was called, in step 1) that it is interested in issued certificates or in requests held pending, the CA calls ICertExit::Notify.
  8. The exit module calls the CA through the ICertServerExit interface. The exit module can examine the request and the newly issued certificate by calling methods of ICertServerExit.
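
The intermediary's side of this sequence (steps 2, 4 and, optionally, 6), written as an added PowerShell example that is not part of the original page and not Microsoft's own sample code. It drives the Certificate Services COM objects (ProgIDs CertificateAuthority.Config, CertificateAuthority.Request and CertificateAuthority.Admin) and uses the flag and disposition constants from certcli.h and certadm.h. Assumptions not stated on the page: the script runs on a machine that can reach the CA, the file named by $RequestFile (a hypothetical parameter) already holds a Base64 PKCS#10 request, and the caller has Request permission on the CA (and Manage CA / Issue and Manage Certificates permission if -ResubmitIfPending is used). Steps 5 to 8 run inside the CA; the intermediary only observes their result through the disposition that Submit returns, so the example branches on that disposition rather than assuming the certificate was issued.

```powershell
# Added example: intermediary-side calls for steps 2, 4 and 6 above.
# Not code from the original page. Assumes a reachable CA, a Base64 PKCS#10
# request in $RequestFile, and a caller permitted to submit (and, for the
# optional admin step, to manage) requests on that CA.
param(
    [string]$RequestFile = '.\request.req',   # assumed path to a Base64 PKCS#10 request
    [switch]$ResubmitIfPending                # requires CA management rights
)

# Constants from certcli.h / certadm.h
$CC_DEFAULTCONFIG         = 0      # ICertConfig::GetConfig: default CA for this machine
$CR_IN_BASE64             = 0x1    # request is Base64 encoded
$CR_IN_PKCS10             = 0x100  # request is a PKCS#10 blob
$CR_OUT_BASE64HEADER      = 0x0    # return certificate as PEM-style Base64 with headers
$CR_DISP_DENIED           = 2
$CR_DISP_ISSUED           = 3
$CR_DISP_UNDER_SUBMISSION = 5

# Step 2: locate the CA. GetConfig returns the "host\CA name" configuration string.
$cfg = New-Object -ComObject 'CertificateAuthority.Config'
$configString = $cfg.GetConfig($CC_DEFAULTCONFIG)
Write-Host "Submitting to CA: $configString"

# Step 4: hand the request to the CA through ICertRequest::Submit.
# Submit returns the disposition, which reflects what the policy module
# decided in step 5 (VR_INSTANT_OK, VR_PENDING, or a denial).
$pkcs10 = Get-Content -Path $RequestFile -Raw
$req = New-Object -ComObject 'CertificateAuthority.Request'
$disp = $req.Submit($CR_IN_BASE64 -bor $CR_IN_PKCS10, $pkcs10, '', $configString)
$requestId = $req.GetRequestId()

switch ($disp) {
    $CR_DISP_ISSUED {
        # Policy module returned VR_INSTANT_OK: the certificate was built
        # and the exit module (steps 7 and 8) has already been notified.
        $cert = $req.GetCertificate($CR_OUT_BASE64HEADER)
        Set-Content -Path "$RequestFile.cer" -Value $cert
        Write-Host "Request $requestId issued; certificate written to $RequestFile.cer"
    }
    $CR_DISP_UNDER_SUBMISSION {
        # Policy module returned VR_PENDING: the request waits for step 6.
        Write-Host "Request $requestId is pending administrator action"
        if ($ResubmitIfPending) {
            # Step 6: an administrator resubmits through ICertAdmin::ResubmitRequest,
            # which runs ICertPolicy::VerifyRequest again and returns a new disposition.
            $admin = New-Object -ComObject 'CertificateAuthority.Admin'
            $disp2 = $admin.ResubmitRequest($configString, $requestId)
            Write-Host "Resubmitted request $requestId; new disposition: $disp2"
        }
    }
    $CR_DISP_DENIED {
        Write-Warning ("Request $requestId denied: " + $req.GetDispositionMessage())
    }
    default {
        # CR_DISP_INCOMPLETE, CR_DISP_ERROR, etc.: surface the CA's message, do not retry blindly.
        Write-Warning ("Request $requestId ended with disposition $disp : " + $req.GetDispositionMessage())
    }
}
```

The branch on the disposition is the part worth copying: an intermediary that treats any successful Submit call as issuance will hand pending or denied requests to clients as if they had been approved. Denying a pending request from the same admin object is ICertAdmin::DenyRequest($configString, $requestId), which follows the same pattern as ResubmitRequest.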