In Internet Explorer, how to request a certificate in MS Active Directory Certificate Service?
ACOS5 can be used to log in to a domain server. You will need an ActiveX and CSP-enabled browser (Internet Explorer 6.0+ recommended) to enroll a certificate.
To be able to use your token/card for smart card-based PC logon, first configure your computer to be connected to a particular domain (your company domain, for example). This domain server should also be configured to issue certificates. There are many sources on the Internet for configuring your Active Directory Certificate Service, so it is not discussed here.
First, let's configure your computer for smart card logon. Follow How to use certificates in MS Domain Logon to configure your PC to be able to see the domain server. If the setup described in that link does not match your network setup, ask your Network Administrator for help.
The example below shows how to enroll a certificate in ACSDomain.acs.com.hk. Typically, certificate enrollment is done by authorized personnel in charge of implementing smart card logon within the domain (e.g. IT managers, Network Admin, etc.). An enrollment PC with authorized access must be used to enroll certificates on behalf of the members of the domain.
After you have successfully configured a computer for domain logon, follow the steps below to request certificates from your domain server:
1. Go to the Microsoft Certificate Service page (the URL may be different depending on the configuration of the Network Admin); see Figure 18.
Figure 18: Microsoft Certificate Service Main Page.
2. Click on the "Request a certificate" link.
3. Click the "advanced certificate request" link (Figure 19).
Figure 19: Click advanced certificate request.
4. In the Advanced Certificate Request page, you can select which type of certificate you want to request. In this scenario, before you can request any type of certificate, you should first have an enrollment agent certificate (Figure 20).
Figure 20: Requesting an enrollment agent certificate.
5. If you already have an enrollment agent certificate then you can skip to this step. If you don't have an enrollment agent certificate yet, fill in the page as shown in Figure 20. Click the Submit button at the bottom of the page.
6. Wait until the server has responded. If the process is successful, you will be prompted to install your newly generated enrollment agent certificate (Figure 21).
Figure 21: Install the newly requested certificate.
7. Click "Install this certificate". Follow the pop-up directions. You will be notified once your certificate has been successfully installed on your computer.
8. Once you have successfully requested an enrollment agent certificate, go back to the Advanced Certificate Request page as shown in Figure 22.
Figure 22: Advanced Certificate Request main page
9. Select "Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station".
10. In the "Smart Card Certificate Enrollment Station" page, depending on the domain user that you want to enroll, choose the settings as shown below (Figure 23) and then click on the Enroll button. Note that the ACS CSP version might be different depending on the version of the package that you have installed.
Figure 23: Choose the settings as shown above.
11. Once a certificate has been successfully generated, you will be prompted to install it to your card/token (Figure 21). Follow Step 7 to install the newly generated certificate to your card/token.
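A check to run on the enrollment PC after installing the enrollment agent certificate and after enrolling a card, given as an added example that is not part of the original guide: it lists certificates in the current user's Personal store that carry the enrollment agent or smart card logon usage, with their expiry and private key status. The function name is hypothetical, the OIDs are the standard Microsoft EKU identifiers rather than values from this page, and it assumes the card's certificate is visible in the user store while the card is inserted.

```powershell
# Added example, not from the original guide.
# Standard Microsoft EKU OIDs (assumption: not stated on the page).
$EkuEnrollmentAgent = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent
$EkuSmartCardLogon  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon

# Hypothetical helper: list certificates in a store that carry a given EKU.
function Get-CertByEku {
    param(
        [Parameter(Mandatory)][string]$Oid,
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $Oid } |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                Expired       = ($_.NotAfter -lt (Get-Date))
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

# Enrollment agent certificate: must exist, be unexpired, and have a private
# key before the enrollment station page can sign requests for other users.
$agents = @(Get-CertByEku -Oid $EkuEnrollmentAgent)
if ($agents.Count -eq 0) {
    Write-Warning 'No enrollment agent certificate found in CurrentUser\My.'
} else {
    $agents | Format-Table Subject, Issuer, NotAfter, Expired, HasPrivateKey -AutoSize
    $agents | Where-Object { $_.Expired -or -not $_.HasPrivateKey } |
        ForEach-Object { Write-Warning "Unusable agent certificate: $($_.Thumbprint)" }
}

# Smart card logon certificates visible to this user (card/token inserted).
Get-CertByEku -Oid $EkuSmartCardLogon |
    Format-Table Subject, Issuer, NotAfter, Expired -AutoSize
```

Because an enrollment agent certificate can request smart card certificates on behalf of other domain members, the same listing is useful as an inventory of which accounts and PCs hold one.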