The enrollCustomPKCS10 sample creates a custom PKCS #10 request, submits it to a stand-alone certification authority (CA), and installs the issued certificate in the certificate store. A stand-alone CA does not require Active Directory and does not use templates.


When you install the Microsoft Windows Software Development Kit (SDK), the sample is installed, by default, in the %ProgramFiles%\Microsoft SDKs\Windows\v7.0\Samples\Security\X509 Certificate Enrollment\VC\enrollCustomPKCS10 folder.


The enrollCustomPKCS10 sample:

  1. Processes the command line arguments. The command line should contain the X.500 certificate subject name, the email (RFC822) name, and an Enhanced Key Usage (EKU) object identifier (OID). For example, you can specify the following arguments to enroll user1@example.com:
    • Subject name: "CN=user1,DC=example,DC=com"
    • RFC822 name: user1@example.com
    • Client authentication EKU OID:
  2. Creates an IX509CertificateRequestPkcs10 object and initializes it for the end user by specifying the ContextUser value of the X509CertificateEnrollmentContext enumeration.
  3. Creates an IX500DistinguishedName object, uses the object to encode the subject name to a byte array, and adds the array to the PKCS #10 request object.
  4. Creates an IObjectId object, initializes it by using the EKU object identifier (OID) specified on the command line, creates an IObjectIds collection, adds the new IObjectId (EKU) object to the collection, uses the collection to initialize an IX509ExtensionEnhancedKeyUsage object and adds this object to the request.
  5. Creates an IAlternativeName object, initializes it by using the RFC822 name specified on the command line, Creates an IAlternativeNames collection, adds the new IAlternativeName (RFC822 name ) object to the collection, creates an IX509ExtensionAlternativeNames object and adds this object to the request.
  6. Creates an IX509Enrollment object, initializes it by using the IX509CertificateRequestPkcs10 object, and retrieves a string that contains a base64-encoded request.
  7. Creates an ICertConfig object and uses it to retrieve a string that contains the CA configuration.
  8. Creates a CryptoAPI ICertRequest2 object and uses it plus the strings that contain the CA configuration and the certificate request to submit the request to the CA.
  9. Checks the submission status and, if enrollment is successful, installs the certificate to the certificate store.

PKCS #10 Request

Using the Included Samples