Microsoft® Certificate Server is designed for web-based applications that require authentication and secure communications based on the Secure Sockets Layer (SSL) protocol. It can also support other certificate-based applications, such as secure e-mail using Secure/Multipurpose Internet Mail Extensions (S/MIME), secure payment using Secure Electronic Extensions (SET), and digital signatures such as Microsoft Authenticode™. In the case of SSL, an organization can use the certificate server to issue both server and client certificates in a standard X.509 version 3.0 format. The organization may elect to issue all certificates from a single certificate server or to use multiple certificate servers that are chained together in a Certificate Authority (CA) hierarchy.
At the most basic level, the role of Certificate Server is to receive a PKCS #10 certificate request, verify the information in the request, and issue a corresponding X.509 certificate (or, possibly, a certificate chain) in PKCS #7 format. A user who wants to obtain a certificate for a web browser typically generates a certificate request by visiting a web site and enrolling for a certificate. To enroll, the user enters identifying information (for example, name, address, e-mail) into an HTML form. A key pair is then generated, and the public key is sent to the CA in a PKCS #10 request. If all identifying information meets the CA's criteria for granting a request, the Certificate Server generates the certificate, which is then downloaded to the user's browser.
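The enrollment exchange described above, sketched with Go's standard `crypto/x509` package as an added example; it is not code from Certificate Server or from the original page. The function names, the "Demo CA" root, the one-day validity and the policy rule (a name plus exactly one e-mail address) are assumptions, and the PKCS #7 wrapping of the reply is left out because the standard library does not provide it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign gives tmpl a one-day validity, signs it under parent and parses the result.
func sign(tmpl, parent *x509.Certificate, pub interface{}, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo setup (constructed): P-256 key pairs and a self-signed root named "Demo CA".
func newKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func newCA(caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(t, t, &caKey.PublicKey, caKey)
}

// enroll is the client: it wraps its identity and public key in a signed PKCS #10 (DER).
func enroll(key *ecdsa.PrivateKey, cn, email string) ([]byte, error) {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, EmailAddresses: []string{email}}
	return x509.CreateCertificateRequest(rand.Reader, req, key)
}

// issue is the CA: verify the request, apply a hypothetical policy, issue X.509 v3.
func issue(csrDER []byte, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil || csr.CheckSignature() != nil { // signature proves the private key is held
		return nil, errors.New("malformed request or bad signature")
	}
	if csr.Subject.CommonName == "" || len(csr.EmailAddresses) != 1 {
		return nil, errors.New("policy: need a name and exactly one e-mail")
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), EmailAddresses: csr.EmailAddresses,
		Subject: pkix.Name{CommonName: csr.Subject.CommonName}, KeyUsage: x509.KeyUsageDigitalSignature}
	return sign(t, ca, csr.PublicKey, caKey) // only vetted fields; requested extensions are not copied
}
```

The private key never leaves `enroll`'s caller; the CA sees only the public key and the signature over the request.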