1 Introduction

The Windows Client Certificate Enrollment Protocol consists of a set of DCOM interfaces (as specified in [MS-DCOM]) that allow clients to request various services from a certification authority (CA). These services enable X.509 (as specified in [X509]) digital certificate enrollment, issuance, revocation, and property retrieval.

Active Directory can be used to store domain policies for certificate enrollment. An implementation of the protocol specified in this document might retrieve Active Directory objects and attributes that define these enrollment policies. Because Active Directory is an independent component with its own protocols, the exact process for Active Directory discovery and object retrieval is covered in [MS-ADTS].

Familiarity with public key infrastructure (PKI) concepts such as asymmetric and symmetric cryptography, digital certificates, and cryptographic key exchange is required for a complete understanding of this specification. In addition, a comprehensive understanding of the [X509] standard, which defines PKI basics and certificate concepts, is required for a complete understanding of the protocol and its usage. For a comprehensive introduction to cryptography and PKI concepts, see [SCHNEIER]. For an introduction to certificate revocation lists (CRLs) and revocation concepts, see [MSFT-CRL].

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.