15.6 Certificate retrieval

Certificate retrieval deals with the way certificates are retrieved from a repository by a PKI user. In Windows 2000 and Windows Server 2003, certificates can be retrieved manually from any location in which the CA publishes them: from AD, a Web site, or a file share.

Windows 2000, Windows XP, and Windows Server 2003 also provide automatic retrieval of CA certificates during certificate validation. CA certificate download locations are mentioned in the Authority Information Access (AIA) certificate extension.

An interesting way for PKI users to retrieve their personal certificates from AD and store them in their local certificate store is dragging them from the Active Directory User Object to the Personal container in the Certificates MMC snap-in.

Personal certificates issued by a stand-alone CA can be retrieved from the CA’s Web interface. If certificates are not downloaded from the CA’s Web site within 10 days, they are purged. This default behavior can be modified by editing the certdat.inc file. By modifying the “nPendingTimeoutDays” setting in the certdat.inc file (located in the c:\winnt\system32\ certsrv directory), you can set the amount of days before a certificate is purged from the stand-alone CA’s Web site.