Request Handling

Applies To: Windows Server 2008

The Request Handling tab defines the purpose of a certificate template, the supported cryptographic service providers (CSPs), minimum key length, exportability, autoenrollment settings, and whether strong private key protection should be required.

Certificate purpose

The certificate purpose defines the intended primary use of the certificate and can be one of four settings as described in the following table.

Encryption: Contains cryptographic keys for encryption and decryption.

Signature: Contains cryptographic keys for signing data only.

Signature and encryption: Covers all primary uses of a certificate's cryptographic key, including encryption of data, decryption of data, initial logon, and digitally signing data.

Signature and smart card logon: Allows initial logon with a smart card and digital signing of data; it cannot be used for data encryption.

Note

Key archival is only possible if the certificate purpose is set to Encryption or Signature and encryption.

Archive settings

Windows Server® 2008 and Windows Server 2003–based certification authorities (CAs) can archive a subject's keys in their databases when certificates are issued. If subjects lose their keys, the information can be retrieved from the database and securely provided to the subjects.

The key archival settings in the following table are defined in the Request Handling tab.

Archive subject's encryption private key: If the issuing CA is configured for key archival, the subject's private key will be archived.

Allow private key to be exported: The subject's private key can be exported for backup or transportation.

Delete revoked or expired certificates (do not archive): If a certificate is renewed due to expiration or revocation, the previously issued certificate is removed from the subject's certificate store. By default, the certificate is archived.

Include symmetric algorithms allowed by the subject: When the subject requests the certificate, the subject can supply a list of supported symmetric algorithms. This option allows the issuing CA to include those algorithms in the certificate, even if they are not recognized or supported by that server.

User input settings

The Request Handling tab also allows several user input settings described in this table to be defined for a certificate template.

Enroll subject without requiring any user input: This option allows autoenrollment without any user interaction and is the default setting for both computer and user certificates.

Prompt the user during enrollment: If this option is disabled, users do not have to provide any input for the installation of a certificate based on the certificate template.

Prompt the user during enrollment and require user input when the private key is used: This option enables the user to set a strong private key protection password on the user's private key when the key is generated, and requires the user to enter it whenever the certificate and private key are used.

Other version 3 request handling settings

The Request Handling tab for version 3 certificate templates has been updated to provide support for the new options available on the Cryptography tab, along with other changes. The options are listed in the following table.

Use advanced Symmetric algorithm to send the key to the CA: This option allows the administrator to choose the Advanced Encryption Standard (AES) algorithm to encrypt private keys while they are transferred to the CA for key archival. If this option is selected, the client will use AES-256 symmetric encryption (along with the CA's exchange certificate for asymmetric encryption) to send the private key to the CA for archival. If this option is not selected, the 3DES symmetric algorithm is used. Because key archival is intended for encryption keys (not signing keys), this option is enabled only when the certificate purpose is set to Encryption.

Add Read permissions to Network Service on the private key: For computer certificate templates, this option grants Read permissions to Network Service for the certificate's private key on the computer to which the certificate is issued. This enables services such as the Online Responder and Internet Information Services (IIS) to use certificates and keys issued to the computer on which they run. In previous versions of Windows, these permissions had to be configured manually.

For more information about options associated with version 3 certificate templates, see Cryptography.

Other version 2 request handling settings

In addition to key archival settings, you can define general options that affect all certificates based on version 2 certificate templates. The options are listed in the following table.

Minimum key size: This specifies the minimum size, in bits, of the key that will be generated for this certificate.

Cryptographic service providers: This is a list of cryptographic service providers (CSPs) that will be used to enroll certificates for the given template. Selecting one or more CSPs configures the certificate to work only with those CSPs. The CSP must be installed on the client computer for it to be used during enrollment. If a specific CSP is chosen and is not available on a client computer, enrollment will fail.
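The settings in the tables above (certificate purpose, archive settings, user input settings, and the version 2 and version 3 options) are stored on the template object in Active Directory as a few attributes rather than as the check boxes the console shows. The following Python script is an added example, not code from the original page or from Microsoft: it decodes the Request Handling settings from a constructed template record and reports combinations a PKI reviewer would want to look at, such as an exportable key without strong private key protection, archival over 3DES instead of AES, or a minimum key size below the reviewer's floor. It assumes the CT_FLAG_* bit values documented in MS-CRTD for msPKI-Private-Key-Flag and msPKI-Enrollment-Flag, the AT_KEYEXCHANGE/AT_SIGNATURE values of pKIDefaultKeySpec, and the backtick-delimited name`type`value layout of msPKI-RA-Application-Policies; the template names, the sample records and the 2048-bit threshold are constructed for the example.

```python
"""Decode and audit the Request Handling settings of an AD CS certificate template.

Added example, not from the original page. The CT_FLAG_* values are the
MS-CRTD constants for msPKI-Private-Key-Flag and msPKI-Enrollment-Flag; the
template records below are constructed, not read from Active Directory.
"""

# msPKI-Private-Key-Flag bits (MS-CRTD)
CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # Archive subject's encryption private key
CT_FLAG_EXPORTABLE_KEY = 0x00000010                 # Allow private key to be exported
CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED = 0x00000020 # require user input when the key is used

# msPKI-Enrollment-Flag bits (MS-CRTD)
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001   # Include symmetric algorithms allowed by the subject
CT_FLAG_AUTO_ENROLLMENT = 0x00000020
CT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100      # Prompt the user during enrollment
CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE = 0x00000400  # Delete revoked or expired certificates

# pKIDefaultKeySpec values: 1 = key exchange (Encryption / Signature and encryption),
# 2 = signature only (Signature / Signature and smart card logon)
AT_KEYEXCHANGE = 1
AT_SIGNATURE = 2


def parse_ra_application_policies(value):
    """Split the backtick-delimited name`type`value triples of a version 3
    template into a dict, e.g. {'msPKI-Symmetric-Algorithm': 'AES', ...}."""
    parts = [p for p in value.split('`') if p != '']
    return {parts[i]: parts[i + 2] for i in range(0, len(parts) - 2, 3)}


def describe_request_handling(template):
    """Return the Request Handling settings of a template record as readable values."""
    pk = template.get('msPKI-Private-Key-Flag', 0)
    ef = template.get('msPKI-Enrollment-Flag', 0)
    policies = parse_ra_application_policies(template.get('msPKI-RA-Application-Policies', ''))

    if ef & CT_FLAG_USER_INTERACTION_REQUIRED and pk & CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED:
        user_input = 'Prompt the user during enrollment and require user input when the private key is used'
    elif ef & CT_FLAG_USER_INTERACTION_REQUIRED:
        user_input = 'Prompt the user during enrollment'
    else:
        user_input = 'Enroll subject without requiring any user input'

    return {
        'key_spec': 'AT_KEYEXCHANGE' if template.get('pKIDefaultKeySpec') == AT_KEYEXCHANGE else 'AT_SIGNATURE',
        'archive_private_key': bool(pk & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL),
        'exportable_private_key': bool(pk & CT_FLAG_EXPORTABLE_KEY),
        'strong_key_protection': bool(pk & CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED),
        'delete_revoked_or_expired': bool(ef & CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE),
        'include_symmetric_algorithms': bool(ef & CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS),
        'autoenrollment': bool(ef & CT_FLAG_AUTO_ENROLLMENT),
        'user_input': user_input,
        'minimum_key_size': template.get('msPKI-Minimal-Key-Size', 0),
        # pKIDefaultCSPs entries look like "1,Microsoft Enhanced Cryptographic Provider v1.0"
        'csps': [c.split(',', 1)[1] for c in template.get('pKIDefaultCSPs', [])],
        'archival_symmetric_algorithm': policies.get('msPKI-Symmetric-Algorithm'),
        'archival_symmetric_key_length': policies.get('msPKI-Symmetric-Key-Length'),
    }


def audit_request_handling(template, min_key_size=2048):
    """List the Request Handling combinations a reviewer would flag (threshold is constructed)."""
    s = describe_request_handling(template)
    findings = []
    if s['exportable_private_key'] and not s['strong_key_protection']:
        findings.append('private key is exportable without strong private key protection')
    if s['archive_private_key'] and s['key_spec'] != 'AT_KEYEXCHANGE':
        findings.append('key archival set on a signature-only key (only Encryption keys can be archived)')
    if s['archive_private_key'] and s['archival_symmetric_algorithm'] == '3DES':
        findings.append('archived key is sent to the CA under 3DES; AES-256 is available on version 3 templates')
    if s['minimum_key_size'] < min_key_size:
        findings.append('minimum key size %d is below %d' % (s['minimum_key_size'], min_key_size))
    return findings


# Constructed sample: a weak version 3 user template as its LDAP attributes would appear.
WEAK_TEMPLATE = {
    'cn': 'ExampleUserEncryption',  # placeholder template name
    'pKIDefaultKeySpec': AT_KEYEXCHANGE,
    'msPKI-Private-Key-Flag': CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | CT_FLAG_EXPORTABLE_KEY,
    'msPKI-Enrollment-Flag': CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS,
    'msPKI-Minimal-Key-Size': 1024,
    'pKIDefaultCSPs': ['1,Microsoft Enhanced Cryptographic Provider v1.0'],
    'msPKI-RA-Application-Policies': 'msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`',
}

# The same template with the corrected settings: no export, strong key protection,
# 2048-bit minimum, AES-256 for the archival transfer.
HARDENED_TEMPLATE = dict(WEAK_TEMPLATE, **{
    'msPKI-Private-Key-Flag': CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL | CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED,
    'msPKI-Enrollment-Flag': CT_FLAG_AUTO_ENROLLMENT | CT_FLAG_USER_INTERACTION_REQUIRED,
    'msPKI-Minimal-Key-Size': 2048,
    'msPKI-RA-Application-Policies': 'msPKI-Symmetric-Algorithm`PZPWSTR`AES`msPKI-Symmetric-Key-Length`DWORD`256`',
})

if __name__ == '__main__':
    for t in (WEAK_TEMPLATE, HARDENED_TEMPLATE):
        print(t['cn'], describe_request_handling(t))
        for f in audit_request_handling(t):
            print('  finding:', f)
```

In a real review the records would come from an LDAP search of CN=Certificate Templates,CN=Public Key Services,CN=Services under the forest's Configuration partition; the decode and audit functions take a plain dict so they can be pointed at whatever directory client returns those attributes.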

Additional references