Chapter 4. Requesting, Enrolling, and Managing Certificates
Microsoft certificate services use a special request interface (ICertRequestD) to manage requests
within the domain.
ICertRequestD is a DCOM object. Windows uses components to manage APIs as if they are
objects. The intent of the component object model, or COM, is to enable processes to communicate
with each other and to generate objects dynamically. Each object is identified in the system registry,
and each component exposes itself through some kind of interface. It is possible for COM interfaces
to be shared over a network connection, rather than being on the same machine; these networked
objects are called distributed component object model, or DCOM, objects.
Every DCOM and COM interface is defined in the registry with an interface identifier (IID) and globally
unique identifier (GUID). For example, the IID for the COM object which handles certificate enrollment
(ICertEnroll) is 43F8F288-7A20-11D0-8F06-00C04FC295E1, so its registry entry is as follows:
HKEY_CLASSES_ROOT\Interface\43F8F288-7A20-11D0-8F06-00C04FC295E1
For Microsoft's auto enrollment process, an application (like a web server, a domain server, or the
management console) calls a control like ICertEnroll, and then the enroll object manages the
entire issuance process, from creating keys to generating and submitting the certificate request.
In a Windows domain, servers and applications poll Active Directory to get the list of available
certificate services. When the Auto Enrollment Proxy is configured, its information is added to Active
Directory as one of the available certificate services. Then, when an enrollee (like a server) first asks
the domain controller for available services, Certificate System is included. The enrollee process then
sends a certificate request, through the DCOM objects, to the proxy, which then forwards the request to
the Certificate System CA.
Figure 4.1. Using DCOM Objects for Enrollment
The Auto Enrollment Proxy is another Windows service running within the domain, and it has registry
entries which match the DCOM ID for the ICertRequestD object. The RPC service (RPCSS) on the
machine will perform necessary authorization checks to verify that the enrollee can access the proxy.
Any type of user of the domain can access the process: a person running the Microsoft Management
Console, a user running certreq, or a server or web service which initiates an automatic enrollment.
Regardless of the method of accessing the proxy, Microsoft's enrollment object will run through a
series of checks to authorize the request:
• That the requested certificate profile is supported. The PKCS#10 request contains an extension
which identifies the type of certificate being requested; the template can be mapped to a Certificate
System profile.
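The template check above depends on pulling the Microsoft certificate template extension out of the PKCS#10 request and looking it up against a table of Certificate System profiles. The following is an added example, not code from the manual or from the Auto Enrollment Proxy: a minimal DER walker that finds the extensionRequest attribute, reads either the v1 template name extension (OID 1.3.6.1.4.1.311.20.2, a BMPString) or the v2 template information extension (OID 1.3.6.1.4.1.311.21.7, which carries the template OID), and maps the result to a profile. The template-to-profile table and the 1.3.6.1.4.1.311.21.8.99999.1 template OID are assumed values, and the sample request it builds for itself uses placeholder key and signature bytes, so nothing here verifies the request signature.

```python
"""Extract the Windows certificate template from a PKCS#10 request and map it
to a Certificate System profile. Added example; not the proxy's own code."""

OID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"  # PKCS#9 extensionRequest attribute
OID_MS_TEMPLATE_NAME = "1.3.6.1.4.1.311.20.2"     # v1 template name (BMPString)
OID_MS_TEMPLATE_INFO = "1.3.6.1.4.1.311.21.7"     # v2 template info SEQUENCE{OID, major, minor}

# Assumed mapping from Windows templates to Certificate System profile IDs.
TEMPLATE_TO_PROFILE = {
    "WebServer": "caServerCert",
    "User": "caUserCert",
    "1.3.6.1.4.1.311.21.8.99999.1": "caServerCert",  # constructed template OID
}

def der(tag, content):
    """Encode one DER TLV with definite-length encoding (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER (first arc 0 or 1)."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def parse_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        yield tag, inner

def template_from_csr(csr_der):
    """Return the template name (v1) or template OID (v2) requested in the
    CSR's extensionRequest attribute, or None when no template is present."""
    _, cert_req, _ = parse_tlv(csr_der)                 # CertificationRequest
    _, cri, _ = parse_tlv(cert_req)                     # certificationRequestInfo
    attrs = [c for t, c in children(cri) if t == 0xA0]  # [0] IMPLICIT attributes
    if not attrs:
        return None
    for _, attr in children(attrs[0]):                  # each Attribute SEQUENCE
        attr_type, values = list(children(attr))        # type OID, SET OF values
        if decode_oid(attr_type[1]) != OID_EXTENSION_REQUEST:
            continue
        for _, extensions in children(values[1]):       # Extensions SEQUENCE
            for _, ext in children(extensions):         # each Extension
                fields = list(children(ext))            # OID, [critical], OCTET STRING
                ext_id, ext_value = decode_oid(fields[0][1]), fields[-1][1]
                if ext_id == OID_MS_TEMPLATE_NAME:
                    _, bmp, _ = parse_tlv(ext_value)    # BMPString inside the OCTET STRING
                    return bmp.decode("utf-16-be")
                if ext_id == OID_MS_TEMPLATE_INFO:
                    _, info, _ = parse_tlv(ext_value)   # SEQUENCE{templateID, major, minor}
                    return decode_oid(next(children(info))[1])
    return None

def profile_for_request(csr_der):
    """The proxy's first check: map the requested template to a profile, or
    return None so the caller rejects the request as unsupported."""
    template = template_from_csr(csr_der)
    return TEMPLATE_TO_PROFILE.get(template) if template else None

def build_sample_csr(template_name=None, template_oid=None):
    """Construct a structurally valid PKCS#10 request for testing. The public
    key and signature are zero-filled placeholders, not real cryptography."""
    exts = b""
    if template_name:
        bmp = der(0x1E, template_name.encode("utf-16-be"))
        exts += der(0x30, encode_oid(OID_MS_TEMPLATE_NAME) + der(0x04, bmp))
    if template_oid:
        info = der(0x30, encode_oid(template_oid) + der(0x02, b"\x64") + der(0x02, b"\x00"))
        exts += der(0x30, encode_oid(OID_MS_TEMPLATE_INFO) + der(0x04, info))
    attribute = der(0x30, encode_oid(OID_EXTENSION_REQUEST) + der(0x31, der(0x30, exts)))
    alg_rsa = der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" * 17))            # placeholder key bits
    cri = der(0x30, der(0x02, b"\x00") + der(0x30, b"") + spki + der(0xA0, attribute))
    sig_alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    return der(0x30, cri + sig_alg + der(0x03, b"\x00" * 17))      # placeholder signature

if __name__ == "__main__":
    for csr in (build_sample_csr("WebServer"), build_sample_csr("Unknown"),
                build_sample_csr(template_oid="1.3.6.1.4.1.311.21.8.99999.1")):
        print(template_from_csr(csr), "->", profile_for_request(csr))
```

A request whose template is absent or not in the table yields None, which is the point at which the proxy would refuse to forward it; a real deployment would verify the request signature and the enrollee's authorization before consulting the table.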