Retired Microsoft Blog disclaimer

This directory is a mirror of retired "Decrypt My World" MSDN blog and is provided as is. All posting authorship and copyrights belong to respective authors.

Posts on this page:

Original URL: https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-export-our-enrolled-certificates-programmatically/
Post name: How to export our enrolled certificates programmatically
Original author: Alejandro Campos Magencio
Posting date: 2011-11-07T08:23:50+00:00


Hi all,

If you are creating certificate requests to enroll certificates programmatically, using code like the following: How to create a certificate request with CertEnroll and .NET (C#), you may need to export the enrolled certificate after you get the response from the Certification Authority.

You may export the certificate and its private key to a .PFX file by using this method:

IX509Enrollment::CreatePFX method

Or if you don't need the private key and you would like to get a .CER file instead, you may use this property:

IX509Enrollment::Certificate property

You may get that property as a Base64 or binary string (by using the appropriate EncodingType enumerator) and write it to a file with the .CER extension.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-access-certificate-enrollment-web-services-from-non-domain-joined-computers/
Post name: How to access Certificate Enrollment Web Services from non-domain joined computers
Original author: Alejandro Campos Magencio
Posting date: 2011-11-07T08:14:36+00:00


Hi all,

You may already know this white paper on configuring the Certificate Enrollment Web Services:

Certificate Enrollment Web Services in Windows Server 2008 R2

"This paper explains how certificate enrollment Web services work in Windows Server 2008 R2. It also provides deployment guidance for certificate enrollment Web services in new and existing Active Directory Certificate Services (AD CS) deployments."

I recently came across this other article which explains how to use those web services from machines outside of our Windows Domain:

Enabling CEP and CES for enrolling non-domain joined computers for certificates

"A non-domain joined computer on the Internet needs to be able to enroll for certificates from a Microsoft Enterprise Certification Authority. We are configuring the CEP/CES web services to interact with the Internet-based computer and this computer has no network connectivity to domain controllers or certification authorities behind the firewall."

Happy reading.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2011/11/07/how-to-add-friendly-name-to-your-enrolled-certificates-programmatically/
Post name: How to add Friendly Name to your enrolled certificates programmatically
Original author: Alejandro Campos Magencio
Posting date: 2011-11-07T08:05:57+00:00


Hi all,

One of my customers was creating certificate requests programmatically with CertEnroll and code like the following: How to create a certificate request with CertEnroll and .NET (C#). He wanted to set Friendly Name for the enrolled certificate. Friendly Name is a property (and not an extension of the certificate) that can be set on the enrollment object itself:

IX509Enrollment::CertificateFriendlyName property

You should set this property before calling the Enroll method.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2011/11/07/certificate-request-wont-set-key-usage-to-digital-signature-in-enrolled-certificate/
Post name: Certificate request won’t set Key Usage to Digital Signature in enrolled certificate
Original author: Alejandro Campos Magencio
Posting date: 2011-11-07T07:34:20+00:00


Hi all,

The other day a customer of mine was creating certificate requests with code like the following: How to create a certificate request with CertEnroll and .NET (C#). He wanted to set the certificate's Key Usage to Digital Signature instead of Key Encipherment. So he did something like this in his code:

objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;

But even after doing that, the enrolled certificate showed Key Encipherment usage. The cause of this was their custom certificate template, which was configured for Key Encipherment instead of Signing, thus overriding the settings we were configuring in our code. We modified the template and the code worked as expected.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)

Original URL: https://blogs.msdn.microsoft.com/alejacma/2011/11/07/certificate-request-doesnt-allow-the-private-key-of-the-enrolled-certificate-to-be-exported/
Post name: Certificate request doesn’t allow the private key of the enrolled certificate to be exported
Original author: Alejandro Campos Magencio
Posting date: 2011-11-07T07:16:46+00:00


Hi all,

The other day a customer of mine was creating certificate requests with code like the following: How to create a certificate request with CertEnroll and .NET (C#). After he enrolled the certificates, he realized that when he tried to export them using the Certificates console he couldn't export their private key. In their custom certificate template they had specified that the private key should be exportable.

It turned out they were not setting "objPrivateKey.ExportPolicy" to "X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG" (IX509PrivateKey::ExportPolicy property) in their code.

I hope this helps.

Regards,

Alex (Alejandro Campos Magencio)
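The settings discussed across the posts above (ExportPolicy, KeySpec/KeyUsage, CertificateFriendlyName, and exporting with CreatePFX and the Certificate property) put together in one enrollment flow, as an added example that is not the blog's own "CertEnroll and .NET" sample. It assumes a COM reference to the CertEnroll 1.0 Type Library, a placeholder template name published on a reachable enterprise CA, and a placeholder PFX password.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using CERTENROLLLib; // COM reference: CertEnroll 1.0 Type Library (interop assembly)

class EnrollAndExport
{
    static void Main()
    {
        const string templateName = "MyCustomTemplate";  // placeholder, not from the posts
        const string pfxPassword = "ChangeMe-PlaceholderPassword"; // placeholder

        // Private key settings from the posts; all of them must be set BEFORE Create().
        // KeySpec/KeyUsage request a signing key, ExportPolicy allows exporting it later.
        var objPrivateKey = new CX509PrivateKey();
        objPrivateKey.ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0";
        objPrivateKey.Length = 2048;
        objPrivateKey.KeySpec = X509KeySpec.XCN_AT_SIGNATURE;
        objPrivateKey.KeyUsage = X509PrivateKeyUsageFlags.XCN_NCRYPT_ALLOW_SIGNING_FLAG;
        objPrivateKey.ExportPolicy = X509PrivateKeyExportFlags.XCN_NCRYPT_ALLOW_EXPORT_FLAG;
        objPrivateKey.MachineContext = false;
        objPrivateKey.Create();

        // PKCS#10 request bound to that key and to the (assumed) certificate template.
        var objPkcs10 = new CX509CertificateRequestPkcs10();
        objPkcs10.InitializeFromPrivateKey(
            X509CertificateEnrollmentContext.ContextUser, objPrivateKey, templateName);

        var objEnroll = new CX509Enrollment();
        objEnroll.InitializeFromRequest(objPkcs10);
        // Friendly Name lives on the enrollment object and must be set before Enroll().
        objEnroll.CertificateFriendlyName = "Signing certificate enrolled from code";
        objEnroll.Enroll(); // submits to the CA and installs the issued certificate

        // .CER (public part only) from the Certificate property; C# 4+ exposes the
        // parameterized COM property with indexer syntax (older compilers: get_Certificate).
        string cerBase64 = objEnroll.Certificate[EncodingType.XCN_CRYPT_STRING_BASE64];
        File.WriteAllBytes("enrolled.cer", Convert.FromBase64String(cerBase64));

        // .PFX (certificate plus private key). CreatePFX fails if the key was created
        // without XCN_NCRYPT_ALLOW_EXPORT_FLAG, whatever the template says.
        string pfxBase64 = objEnroll.CreatePFX(pfxPassword,
            PFXExportOptions.PFXExportChainWithRoot, EncodingType.XCN_CRYPT_STRING_BASE64);
        File.WriteAllBytes("enrolled.pfx", Convert.FromBase64String(pfxBase64));

        // Check what the CA actually issued: the template can override the requested Key Usage.
        var issued = new X509Certificate2(Convert.FromBase64String(cerBase64));
        foreach (var ku in issued.Extensions.OfType<X509KeyUsageExtension>())
            Console.WriteLine("Issued Key Usage: " + ku.KeyUsages);
    }
}
```

If the final line reports KeyEncipherment instead of DigitalSignature, the template, not the request, is deciding the Key Usage, which is the situation described in the Key Usage post above.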