Certificate requests must be made by the user, computer, or service that has access to the private key associated with the public key that will be part of the certificate. Depending upon the public key policies established by your system administrator, machines and services can automatically request certificates without user intervention. In addition, administrators can request smart card user certificates and smart card certificates for logging on to the system on behalf of other users by using their enrollment agent certificate.
There are two primary ways to explicitly request certificates in Windows 2000.
When you request certificates from a Windows 2000 enterprise certification authority, you can use the Certificate Request wizard located in the Certificates snap-in. This wizard guides you through the following steps:
Only enterprise certification authorities that are available in your Windows domain will be able to issue certificates using the Certificate Request wizard.
Certificate templates are predefined configurations that provide common settings for the certificate request. Certificate templates describe the purpose for which the requested certificate is to be used. The list of certificate templates that is available to you is determined by the certificate types which the certification authority is configured to issue and whether you have been granted the access rights to the certificate template by the system administrator.
Only Basic EFS (encrypting file system) and EFS Recovery Agent certificates have their associated private keys marked as available for export when you use the Certificate Request wizard. If you want to request another type of certificate and have its private key available for export to a PKCS #12 file, you will need to use the Advanced request page on the Windows 2000 Certificate Services Web pages.
For instructions on opening and using the Certificate Request wizard, see To request a certificate.
You can also use the Certificate Request wizard to request a new certificate from an enterprise certification authority by using an existing key pair that is already associated with another certificate. See To request a certificate with the same key.
Each certification authority that is installed on a Windows 2000 server has Web pages that users can access to submit basic and advanced certificate requests. By default, these pages are located at http://servername/certsrv, where servername is the name of the Windows 2000 server hosting the CA.
When you request certificates from a Windows 2000 stand-alone certification authority, you use the Certificate Services Web pages. Web pages can also be used to request certificates from Windows 2000 enterprise certification authorities if you want to set optional request features that are not available in the Certificate Request wizard, such as marking the keys as exportable, setting key length, choosing the hash algorithm, or saving the request to a PKCS #10 file.
For more information on using Certificate Services Web pages, see Using Windows 2000 Certificate Services Web pages.
When you submit a certificate request to a Windows 2000 enterprise certification authority, it is immediately processed, as opposed to being set to "pending." The certificate request will either immediately fail or be granted. If it is granted, the certificate is issued, and you will be prompted to install it.
When you submit a certificate request to a Windows 2000 stand-alone certification authority, it will either be immediately processed or, by default, it will be considered pending until the administrator of the certification authority approves or rejects the request. In the case of a pending request, the certificate requester will have to use the Certificate Services Web pages to check the status of pending certificates. See To check on a pending certificate request.
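A PKCS #10 request file is signed with the private key that matches the public key inside it, which is how a request shows that its maker holds that key. The following added example (not part of the original documentation) assumes the OpenSSL command line rather than the Windows tools described here: it creates a request with a chosen key length and hash, then checks the signature, key length and hash as a reviewer of a pending request might. The subject name, file names and thresholds are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Assumes the OpenSSL CLI is available;
# the subject name, file names and policy thresholds are constructed sample values.

# make_request BITS HASH DIR: create a key pair and a PKCS #10 request signed with it.
make_request() {
    openssl req -new -newkey "rsa:$1" -nodes "-$2" -subj "/CN=sample-user" \
        -keyout "$3/sample.key" -out "$3/sample.p10" 2>/dev/null
}

# proves_possession FILE [FORMAT]: true only if the request's signature verifies
# under the public key carried inside the request itself.
proves_possession() {
    openssl req -in "$1" -inform "${2:-PEM}" -noout -verify 2>&1 | grep -q "verify OK"
}

# key_bits FILE / sig_alg FILE: read key length and signature algorithm from the request.
key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}
sig_alg() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# review_request FILE MINBITS: checks a reviewer could run before approving a request.
review_request() {
    proves_possession "$1" || { echo "reject: signature does not verify"; return 1; }
    [ "$(key_bits "$1")" -ge "$2" ] || { echo "reject: key shorter than $2 bits"; return 1; }
    case "$(sig_alg "$1")" in
        md5*|sha1*) echo "reject: weak hash"; return 1 ;;
    esac
    echo "ok: $(key_bits "$1")-bit key, $(sig_alg "$1")"
}

# tamper FILE OUT: copy the request as DER with its last signature byte inverted,
# to show that an altered request no longer verifies.
tamper() {
    openssl req -in "$1" -outform DER -out "$2.tmp"
    local size last
    size=$(wc -c < "$2.tmp")
    last=$(tail -c 1 "$2.tmp" | od -An -tu1 | tr -d ' \n')
    { head -c $((size - 1)) "$2.tmp"; printf "\\$(printf '%03o' $((last ^ 255)))"; } > "$2"
    rm -f "$2.tmp"
}
```

For example, `make_request 2048 sha256 .` followed by `review_request ./sample.p10 2048` reports the key length and signature algorithm of the request it just created.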
For more information about certificates and certification authorities, see Certificates and certification authorities.