Chapter 4. Requesting, Enrolling, and Managing Certificates

Certificates are requested and used by end users. Although certificate enrollment and renewal are operations that are not limited to administrators, understanding the enrollment and renewal processes can make it easier for administrators to manage and create appropriate certificate profiles, as described in Section 2.2, “Setting up Certificate Profiles”, and to use fitting authentication methods (described in Chapter 8, Authentication for Enrolling Certificates) for each certificate type.
This chapter discusses requesting, receiving, and renewing certificates for use outside Certificate System. For information on requesting and renewing Certificate System subsystem certificates, see Chapter 16, Managing Subsystem Certificates.

4.1. About Enrolling and Renewing Certificates

Enrollment is the process for requesting and receiving a certificate. The mechanics for the enrollment process are slightly different depending on the type of certificate, the method for generating its key pair, and the method for generating and approving the certificate itself. Whatever the specific method, certificate enrollment, at a high level, has the same basic steps:
  1. A user generates a certificate request.
    There are several methods of generating a certificate request, and which method is best depends on the type of certificate. The certutil command can be used to generate a certificate request for any certificate type; the request is then submitted through the CA's end-entities forms. This is most appropriate for server or device certificates. Some certificate profiles accept inputs that generate both the request and, when it is approved, the certificate; this is the easiest method for user certificates. Lastly, all Certificate System subsystems (CA, KRA, OCSP, TKS, and TPS) can generate certificate requests for their own subsystem certificates through their consoles.
  2. The certificate request is submitted to the CA using its relevant end-entity web forms.
  3. The request is verified by authenticating the entity which requested it and by confirming that the request meets the certificate profile rules which were used to submit it.
  4. The request is approved.
  5. The user retrieves the new certificate.
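Step 1 of the procedure above, with the check a requester should run before pasting the request into the CA's end-entities form, as an added example that is not part of the Certificate System documentation. The documented tool is certutil; this script assumes OpenSSL is installed instead and produces the same PKCS#10 request the form accepts, then verifies the request's self-signature, key size, and subject. The hostname and organization are made up.

```shell
#!/bin/sh
# Added example, not from the Certificate System documentation.
# Assumes the openssl command is available; the page's documented tool is
# certutil, which produces the same PKCS#10 request. Subject values are
# constructed for the example.
set -eu

# gen_request DIR CN : generate a 3072-bit RSA key and a PKCS#10 request
# in DIR. The key never leaves DIR; only request.csr is submitted to the CA.
gen_request() {
    dir=$1; cn=$2
    mkdir -p "$dir"
    openssl req -new -newkey rsa:3072 -nodes \
        -keyout "$dir/key.pem" -out "$dir/request.csr" \
        -subj "/CN=$cn/O=Example Corp" 2>/dev/null
    chmod 600 "$dir/key.pem"
}

# check_request CSR MINBITS : return 0 only if the request's self-signature
# verifies (proof of possession of the private key) and the public key has
# at least MINBITS bits, which is what a certificate profile's constraints
# would reject otherwise.
check_request() {
    csr=$1; minbits=$2
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    bits=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null \
           | openssl pkey -pubin -noout -text 2>/dev/null \
           | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -ge "$minbits" ]; then
        return 0
    fi
    return 1
}

# request_subject CSR : print the subject so it can be compared with the
# profile rules the agent will apply when verifying the request (step 3).
request_subject() {
    openssl req -in "$1" -noout -subject
}

# Run with "run" as the first argument to generate and check a request.
if [ "${1:-}" = "run" ]; then
    gen_request ./enroll "enroll.example.test"
    check_request ./enroll/request.csr 2048 && echo "request OK"
    request_subject ./enroll/request.csr
    cat ./enroll/request.csr   # this PEM text is what goes into the form
fi
```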
When the certificate reaches the end of its validity period, it can be renewed through the end user services pages. The renewal forms use the serial number or the certificate itself to identify the certificate entry in the CA databases. The renewal process then pulls up the original key, certificate request, and profile, and regenerates the certificate.