Now that you have seen these certificate templates and where they are stored, you understand how this wizard retrieves this information (via Active Directory).
Check the "User" box and click on "Enroll".
Note: if you click on "Details", you will see that the user certificate can be used to encrypt data with EFS (Encrypting File System), to secure your mailbox, and to authenticate you on servers that support this connection method.
Enrollment of the certificate is very fast.
After successful certificate enrollment, click Finish.
If you click on "Details", you can click on the "Show Certificate" button to see the certificate.
In an "mmc" console, add the "Certificates" component for the user (as explained earlier) and go to the "Personal" certificate store.
As you can see, a certificate with your username is present along with its associated key (as its icon indicates).
If you double click on it, you will see that this certificate is designed for:
You will also be able to see that it was issued to you (Issued to) by your certificate authority (Issued by).
At the bottom of the window, you can see that the private key associated with your certificate is present.
Important: never share this private key with anyone else.
This also means that if you export your certificate to send it to someone, you should NEVER send it in ".pfx" format (which contains the private key), but rather in ".cer" format (which only contains the public part of the certificate and NOT the private key).
If you go to the "Details" tab of this certificate, you will see that the hash algorithm used (sha256 in our case) is the same as the one used for the certificate from your CA.
In the subject field, you will see the full LDAP name of your user account in your Active Directory.
Again, you will see that this user certificate can be used for 3 things: Encrypting File System (EFS), securing e-mails and authentication.
If you select the "CRL Distribution Points" field, you will see where your computer can check whether your certificate is still valid or has been revoked.
If you select the "Subject Alternative Name" field, you will see the other format of your username.
If you go to the "Certification Path" tab, you will see that this user certificate (Administrator in this case) was issued by your certification authority (InformatiWeb CA in this case).
This certificate therefore depends on the trust granted to the parent certificate(s).
Since your computer trusts the root certification authority (InformatiWeb CA) that issued this certificate, the certificate is considered valid.
On the other hand, if the certificate concerned or one of its parents becomes invalid (because a certificate was revoked or one of them expired), this certificate will no longer be valid.
If you want to display the information of a parent certificate, select it and click on "View Certificate".
The desired certificate (in our case, this parent certificate is that of our root certification authority) appears.
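The same checks can be made from PowerShell instead of the "mmc" console. The script below is an added example, not part of the original tutorial: it lists the certificates in the user's "Personal" store, shows the fields discussed above (private key presence, intended purposes, SAN, CRL distribution points), builds the certification path with revocation checking, and exports only the public ".cer" part. It assumes the certificate carries the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2), and the output folder ($env:TEMP) is an arbitrary choice.

```powershell
# Added example: inspect the enrolled user certificate without the GUI.
# Assumption: the certificate includes the Client Authentication EKU.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$x509 = 'System.Security.Cryptography.X509Certificates'

# "Personal" store of the current user (Cert:\CurrentUser\My)
$certs = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid }

foreach ($cert in $certs) {
    # Extensions shown in the "Details" tab
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # Subject Alternative Name
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }  # CRL Distribution Points

    # "Certification Path" tab: build the chain and check revocation
    # for every certificate in it, using the published CRLs.
    $chain = New-Object "$x509.X509Chain"
    $chain.ChainPolicy.RevocationMode = [Enum]::Parse([type]"$x509.X509RevocationMode", 'Online')
    $chain.ChainPolicy.RevocationFlag = [Enum]::Parse([type]"$x509.X509RevocationFlag", 'EntireChain')
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject            = $cert.Subject             # full LDAP name of the account
        Issuer             = $cert.Issuer              # issuing certification authority
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey       # True only where the key was generated
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
        NotAfter           = $cert.NotAfter
        IntendedPurposes   = $cert.EnhancedKeyUsageList.FriendlyName -join ', '
        SubjectAltName     = if ($san) { $san.Format($false) } else { '' }
        CrlDistribution    = if ($cdp) { $cdp.Format($false) } else { '' }
        ChainValid         = $chainOk
        ChainStatus        = $chain.ChainStatus.Status -join ', '  # e.g. Revoked, NotTimeValid
    } | Format-List

    # Export the public part only (.cer). The private key stays in the store.
    $out = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $out -Type CERT | Out-Null
    Write-Output "Public certificate exported to $out"
}
```

An empty "ChainStatus" with "ChainValid" set to True means the path up to the root certification authority was validated and no certificate in it is revoked or expired.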
When your certification authority issues (delivers) certificates to servers, computers or users, you can find a copy of these in the "Issued Certificates" section of the "Certification Authority" console.
In our case, we find the certificate that we requested for our "Administrator" user account.
As you can see, the certificate template that was used is "User".
If you double click on it, you will be able to see the issued certificate.
Important: the private keys associated with the issued certificates are not present here.
These are only present on the server or computer that requested the desired certificate.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.