Generating encryption keys and certificate requests
How you request and receive a certificate depends upon the policies and processes of the certification authority (CA) that issues the certificate. For example, some certification authorities have Web pages to which you can submit a request. Or, if you are in an organization that has deployed Active Directory and Certificate Services, you can use the Certificates snap-in to request a certificate if your computer is a member of a domain and you are authorized to request certificates.
In any case, when you generate a request for a new certificate, the information in that request is first passed from the requesting program to CryptoAPI. CryptoAPI passes the proper data to a program known as a cryptographic service provider (CSP) that is installed on your computer or on a device accessible to your computer. If the CSP is software-based, it generates a public key and a private key, often referred to as a key pair, on your computer. If the CSP is hardware-based, such as a smart card CSP, it instructs a piece of hardware to generate the key pair.
After the keys are generated, a software CSP encrypts and then secures the private key in the registry on the computer. A smart card CSP stores the private key on a smart card and the smart card controls access to the key. The public key is sent to the certification authority, along with the certificate requester information. Once the CA verifies the certificate request according to its policies, it will use its own private key to create a digital signature in the certificate and then issue it to the requester. The certificate requester will then be presented with the certificate from the CA and the option to install it in the appropriate certificate store on the computer or hardware device.
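The following is an added illustration, not part of this Help topic, of the same flow end to end using Go's standard library in place of CryptoAPI and a CSP: the requester's side generates the key pair and a request that carries its name and public key and is signed with the private key; the CA's side checks that signature (proof that the requester holds the private key) and then issues a certificate signed with the CA's own private key. The function names, the "Demo Issuing CA" name, the serial numbers and the one-day validity are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewRequest plays the CSP and the requesting program: it generates the key pair, keeps the
// private key on this side, and returns a DER request carrying the requester's name and public
// key, signed with the private key so the CA can check that the requester actually holds it.
func NewRequest(commonName string) (ed25519.PrivateKey, []byte, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// Sign has the CA sign a one-day certificate for pub with its own private key and returns
// the DER encoding. A nil parent yields a self-signed certificate (demo CA bootstrap only).
func Sign(serial int64, subject pkix.Name, isCA bool, parent *x509.Certificate, pub any, caKey ed25519.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		parent = tmpl
	}
	return x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
}

// Issue is the CA's step: verify the request (here, its proof-of-possession signature),
// then issue a certificate for the submitted public key, signed by the CA's own key.
func Issue(csrDER []byte, caCert *x509.Certificate, caKey ed25519.PrivateKey) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err // the request was not signed by the holder of the submitted public key
	}
	return Sign(2, csr.Subject, false, caCert, csr.PublicKey, caKey)
}
```

Before installing the returned certificate, the requester should parse it and confirm that it carries its own public key and verifies under the CA's certificate (cert.CheckSignatureFrom(caCert)).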
For more information about keys and certificates, see Resources: Public key infrastructure.