Chapter 4. Requesting, Enrolling, and Managing Certificates
4.1. About Enrolling and Renewing Certificates
- A user generates a certificate request. There are several methods of generating a certificate request, and which method is best depends on the type of certificate. The certutil command can be used to generate a certificate request for any certificate type, and then this request is submitted to the CA's end-entity forms; this is most appropriate for server or device certificates. Some certificate profiles accept inputs that generate both the request and (when approved) the certificate; this is the easiest method for user certificates. Lastly, all Certificate System subsystems (CA, KRA, OCSP, TKS, and TPS) can generate certificate requests for their subsystem certificates through their consoles.
- The certificate request is submitted to the CA using its relevant end-entity web forms.
- The request is verified by authenticating the entity which requested it and by confirming that the request meets the certificate profile rules which were used to submit it.
- The request is approved.
- The user retrieves the new certificate.
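
The first step above, for a server certificate, as an added example that is not taken from the Certificate System documentation: it uses the NSS certutil tool to create a key pair and write a PKCS #10 request ready to paste into the CA's end-entity form. The function name make_csr, the database path, the subject DN, and the 2048-bit RSA key size are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate a server certificate request with NSS certutil.
# Usage: make_csr DBDIR SUBJECT OUTFILE
#   DBDIR   - directory for the NSS database that will hold the private key
#   SUBJECT - subject DN, e.g. "CN=server.example.com,O=Example" (assumed value)
#   OUTFILE - file that receives only the PEM request block
# Exits 127 if certutil is not installed. The body runs in a subshell so the
# restrictive umask does not leak into the caller's shell.
make_csr() (
    db=$1 subject=$2 out=$3

    command -v certutil >/dev/null 2>&1 || {
        echo "certutil (NSS tools) not found" >&2
        exit 127
    }

    umask 077                      # key database and password file: owner only
    mkdir -p "$db" || exit 1

    # Random database password, kept in a file so nothing is typed on the
    # command line or left in shell history.
    [ -f "$db/pwfile" ] || head -c 18 /dev/urandom | base64 > "$db/pwfile"

    # Create the NSS database on first use (cert9.db: SQLite, cert8.db: legacy).
    if [ ! -f "$db/cert9.db" ] && [ ! -f "$db/cert8.db" ]; then
        certutil -N -d "$db" -f "$db/pwfile" || exit 1
    fi

    # A noise file replaces certutil's interactive keyboard-entropy prompt.
    head -c 2048 /dev/urandom > "$db/noise"

    # -R: create a request; the private key stays inside the NSS database.
    certutil -R -d "$db" -f "$db/pwfile" -z "$db/noise" \
        -k rsa -g 2048 -s "$subject" -a -o "$db/request.txt"
    rc=$?
    rm -f "$db/noise"
    [ "$rc" -eq 0 ] || exit 1

    # certutil prepends descriptive text; the CA form needs only the block
    # between the BEGIN and END marker lines.
    sed -n '/-----BEGIN .*CERTIFICATE REQUEST-----/,/-----END .*CERTIFICATE REQUEST-----/p' \
        "$db/request.txt" | tr -d '\r' > "$out"
    [ -s "$out" ]
)

# Example call (constructed values):
#   make_csr ./nssdb "CN=server.example.com,O=Example" ./server.csr
```

Only the contents of the output file are submitted to the CA; the NSS database directory holds the private key and should stay on the host that will use the certificate.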