JSI Tip 4617. How do I get a certificate signed by an off-network root authority?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to insure that you are reading the most current information.

Microsoft Knowledge Base article Q313477 contains:



Microsoft Certificate Services can provide digital certificates for client applications, users, and computers. A certification authority (CA) provides a measure of proof that the individual who is holding the signed certificate has been identified and verified by a trusted third party. The owner of the CA is the trusted third party.

An entity must complete a certificate request before the request can be signed by a CA. Examples of entities that require certificates include subordinate Certification Authority services, Web servers, and Web proxy servers that are acting on the behalf of a Web server. Certificates can also be used to establish credentials for Internet Protocol security (IPSec) communications.

Microsoft Certificate Services can provide signed certificates by direct request from the Certificate Services Web site by filling in a request form or by providing information that is contained in a base64 encoded PKCS #7. The latter option allows a great degree of flexibility and of security because the requestor can formulate the request and present it to a Root CA that is not directly connected to the network.

back to the top

Get a Certificate Signature from a Root Authority

To sign a certificate request, perform the following steps on the off-network Root authority:
  1. Start Internet Explorer .

  2. In the Address bar, type http:// localhost /certsrv/ , and then click Go or press ENTER.

  3. On the Welcome page, click the Request a certificate option, and then click Next .

  4. On the Choose Request Type page, click the Advanced Request option, and then click Next .

  5. On the Advanced Certificate Requests page, click the Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file option.

  6. If you are using the default Internet Explorer settings, you may see a dialog box that indicates that your Web browser settings prohibit this page from accessing the disk. Click OK to continue.

  7. On the Submit a Saved Request page, paste the certificate request information into the Base64 Encoded Certificate Request (PKCS #10 or #7) box. In the Certificate Template box, select the type of certificate that you require, and then click Submit .

  8. On the Certificate Issued page, click either DER encoded or Base 64 encoded depending on your requirements. You can now copy the certificate to a disk for a secure transfer.

back to the top

Approve a Certificate Request for a Stand-Alone Certificate Authority

For a stand-alone CA, you can configure it to defer issuance of a certificate until approval by a certificate services administrator. To approve the request and to retrieve the certificate:
  1. Click Start , point to Programs , point to Administrative Tools , and then click Certification Authority .

  2. In the console tree, click the CA Name folder, and then click Pending Requests .

  3. Right-click the request in the details pane, point to All Tasks , and then click Issue .

  4. In Internet Explorer, type http:// localhost /certsrv in the Address bar, and then click Go , or press ENTER.

  5. On the Welcome page, click Check on a pending certificate , and then click Next .

  6. On the Check on a Pending Certificate Request page, select the certificate request, and then click Next .

  7. On the Certificate Issued page, select the appropriate certificate type, and then click the certificate to download it.

back to the top


For additional information about how to configure a Windows 2000 Certificate Services Offline Root, click the article number below to view the article in the Microsoft Knowledge Base:
Q271386 How to Install a Windows 2000 Certificate Services Offline Root Certificate Authority
back to the top
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.