DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/Help/Windows/en-US/


Current File : /Windows/Help/Windows/en-US/certmgr.h1s
MZ@PEL!@0_	@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStamp7321CAB801CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:07:25      >TopicCount151000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	ti!sITOLITLS(X쌡^
V`   x |CAOLPHHC ITSF #,$s	-Y쌡^
VY쌡^
VIFCMAOLL|IFCM AOLLL	//$FXFtiAttribute//$FXFtiAttribute/BTREE$/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTY<N/$FXFtiMain//$FXFtiMain/BTREEK/$FXFtiMain/DATAcs/$FXFtiMain/PROPERTYVN/$Index/$ATTRNAMEJ\/$Index/$PROPBAGT/$Index/$STRINGS
/$Index/$SYSTEM<
/$Index/$TOC//$Index/$TOC/$certmgr@/$Index/$TOPICATTR
@/$Index/$TOPICS/$Index/$URLSTR @/$Index/$URLTBL`8/$Index/$VTAIDX&T/$Index/AssetId//$Index/AssetId/$BL0z/$Index/AssetId/$LEAF_COUNTSz/$Index/AssetId/$LEAVES
	/$OBJINST@/assets/0/assets/0b14470f-97ed-43b5-8b3e-717ed832e2b3.xmltY0/assets/0cd73166-999e-4d69-8c99-41a510cc9c6d.xmlMX0/assets/0d71e266-5cfd-4b01-ac32-81021d37875f.xml%0/assets/0e5718dd-4e97-4618-8b06-8b6ff5a264d1.xml@)0/assets/13391cab-ada5-43f8-9f5d-b61e0abdc66d.xmliN0/assets/1403e7d1-3200-41f2-8d69-be89f4f6f140.xml7#0/assets/145ad383-de56-457f-9211-ffcff80f16b6.xmlZ%0/assets/18bc3367-d4b1-4309-b9ed-db68dcb817bb.xml}0/assets/1fd54ffb-ab16-4d6e-aeb0-a973532c8e43.xml|{0/assets/211b51a2-999a-43c0-86ac-92a32cbe1dd2.xmlwM0/assets/219dca64-eb32-4f48-8083-8a6c3dbaf237.xmlD0/assets/23654ad1-27f9-4a60-9a8a-d99728764562.xmlU0/assets/23855705-69c5-4d71-90f5-8f6718df840c.xml[K0/assets/23fccc11-eb65-46fe-a063-055ce972acf2.xml&r0/assets/257877c3-707d-4681-8648-28dbc6d36cfb.xml0/assets/25789028-bfc8-48f5-9432-82e74ea48d59.xml0/assets/262b06b9-4142-4c98-a6bc-95d3a4cecb51.xml30/assets/26af007f-65e7-4f2b-a154-2bdcc7af2657.xmlQP0/assets/2e9e43a1-5201-41c3-9cdc-4da37713d37a.xml!:0/assets/31cae6ad-5e3b-4eee-923e-11683014c320.xml[0/assets/34bc986a-a55c-4d4d-a073-cfad924b1187.xmlt90/assets/355962c2-4f6b-4cbd-ab00-6e7ee4dddc16.xml-q0/assets/3c7f161a-96d9-4ed1-9050-5279bd6a0c49.xmlJ0/assets/3de3286a-efd8-4afc-8878-7a034355d90e.xmlhD0/assets/3eefd65f-6591-4062-8759-4fd208e9b9d1.xml,A0/assets/3f7ef00a-b1af-4d5e-af78-cd8df001bad8.xmlm!0/assets/47f4da34-b4e8-45b3-80be-89521b08ec7c.xmlL0/assets/4a9be825-e97d-4b0c-8b7b-a1f74a816619.xmlZ(0/assets/4ecbce82-4636-44a0-93ca-b664a186d22e.xml,0/assets/4f9464fd-0968-4ce2-abc9-449008403225.xml.0/assets/532adf18-b09e-416b-a966-ca74ee11aa38.xmlEM0/assets/58107cc5-aedf-4212-9568-2dfe1a0b1452.xml0/assets/5d411321-7cc4-4027-8672-e011e2fb4d73.xml.<0/assets/61832e1a-ca90-4dd9-96b1-c647c0d17453.xmljR0/assets/61e3ea01-7b38-4ba8-a201-40ce9ba33f2c.xml<|0/assets/64541c74-8112-4496-9721-1ddabcae5f4b.xml80/assets/645cc20c-215c-4a8e-b624-40c8cbb3e1b5.xml?%0/assets/64e30de7-088f-4e77-9a69-d2b940b1777f.xmldy0/assets/66730f06-9190-4eb1-bf08-88c79f4a0a23.xml]90/assets/
67ba15f1-5648-480d-9886-a56a3e622d99.xmlf0/assets/67ca7b60-9ba5-401b-876e-fe8ee384b9ec.xml|0/assets/68340bf6-9412-4a41-bb36-2ccc8c1ab5cf.xml0/assets/68354d8a-1cc2-491b-8352-053e133dcd2b.xml/0/assets/69631784-438c-435a-be35-5ee1e1353c4d.xmlNX0/assets/6b8b6b13-b4be-4a40-a696-352b40953286.xml&90/assets/6f574ad3-c4e6-431c-b668-448e9111253b.xml_0/assets/70588c7b-c9ba-425f-84e9-d4fe44f6e294.xmlf0/assets/70e5d64c-91ce-4355-a9c9-115fe0866911.xmlr0/assets/74f6e625-e656-41ff-af86-96eb2950c4c7.xmlu0/assets/7f0267d1-a209-42fd-bdcb-3bf006f7d6c1.xmlxp0/assets/870fd126-5c68-4ecb-ab8a-a255370e9d9f.xmlh0/assets/8e6b017b-1658-4171-a18c-3d10fefed477.xml|Z0/assets/92ad94a0-3eeb-4916-8fbe-05b803affa3e.xmlV$0/assets/934bccbb-a2f1-44b0-b725-e410ab613f59.xmlz0/assets/93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1.xml0/assets/953d9851-ad11-46ac-82ad-769405c4a6ef.xml	0/assets/964edfbd-d935-4352-b054-5e3dfe6c547e.xml!40/assets/97af909c-e2f0-4a7e-8203-435aa9784623.xmlU0/assets/9936f79e-567a-4a65-8b23-43b7d35e9122.xmlV0/assets/b776e5d1-307b-42f2-b2d1-c6dce2a49c9b.xmla0/assets/b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml}.0/assets/ba0c1c06-47d1-4038-9189-294508e72c3b.xml+;0/assets/ba6554ca-f33f-4dd3-beff-bd602018dcc5.xmlfI0/assets/bac506b2-57be-45c2-bdf6-1f976eeeb475.xml/v0/assets/bb23ebf2-6cd7-404c-908b-c30fce0dc8a6.xml%q0/assets/bb6d72af-520d-4b1c-a8b7-7b08c58220d4.xml0/assets/c29aefb0-902d-4c47-8408-a91d1e0978e0.xml0/assets/c2c2b497-274e-490f-935e-e8046f00e57d.xml$R0/assets/c7eefeb4-3ecc-45c5-9447-3b673903f76b.xmlv0/assets/d08d5ac3-2dc4-4069-b061-902e607f421d.xml~K0/assets/d641377f-de00-4342-b15f-4879a3859ded.xmlI0/assets/d6d69e62-0640-4055-bee9-8b4a993c6ac8.xmlaH0/assets/d84b0b2f-1338-4c36-b363-747a4c09f47e.xml)h0/assets/dc434757-4be7-4017-b40b-eaaf39269c3f.xml!0/assets/e06a5b6b-f864-49cc-85f4-f4870fac5559.xml2'0/assets/e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xmlYY0/assets/e8cef31a-070d-4f42-82db-efb7f8789583.xml20/assets/e944f472-806b-4e58-b162-d18acff72884.xmlF0/assets/ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2
.xmlMz0/assets/f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xmlG<0/assets/f6004c40-2b76-4231-895b-dbdc109989a2.xml0/assets/f6cda72d-99fb-4874-85ec-a2b4495493e8.xmlp/certmgr.h1cx/certmgr.H1FT/certmgr.H1T/certmgr.H1VSD/certmgr_AssetId.H1Kk/certmgr_BestBet.H1Kk/certmgr_LinkTerm.H1Knl/certmgr_SubjectTerm.H1KZo::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/ContentIJ,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTablep3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/HD1

	s`M:(ESq|UncompressedMSCompressedFX쌡^
VVLZXCHH<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Properties OCSP Tab</maml:title><maml:introduction><maml:para>The <maml:ui>OCSP</maml:ui> tab is used by administrators to add Online Certificate Status Protocol (OCSP) responder URLs to issuing certification authority (CA) certificates, which are distributed by Group Policy to Active Directory domain members. This enables organizations to add OCSP responders to an existing public key infrastructure (PKI) without reissuing the CA certificate or any certificates previously issued by the CA. OCSP responder URLs provided in this way are used to verify certificate revocation status of certificates issued by the CA.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To add an OCSP responder URL to a CA certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, and then click <maml:ui>Run</maml:ui>. Type <maml:userInput>gpmc.msc</maml:userInput>, and click <maml:ui>OK</maml:ui> to open the Group Policy Management Console (GPMC).</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand the forest and domain containing the policy that you want to edit, and then click <maml:ui>Group Policy Objects</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the policy that you want to edit, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, under <maml:ui>Computer Configuration</maml:ui>, expand <maml:ui>Policies</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, <maml:ui>Public Key Policies</maml:ui>, and <maml:ui>Intermediate Certification Authorities</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If no CA certificates are displayed, export the CA certificate from the issuing CA, and import the certificate into <maml:ui>Intermediate Certification Authorities</maml:ui>. 
See <maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the CA certificate, click <maml:ui>Properties</maml:ui>, and then click the <maml:ui>OCSP</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type an OCSP responder URL, and click <maml:ui>Add URL</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If you want to prevent domain members from downloading CRLs from CRL distribution point locations specified in issued certificates, select the <maml:ui>Disable Certificate Revocation List (CRL)</maml:ui> check box.</maml:para>
<maml:alertSet class="caution"><maml:title>Caution </maml:title><maml:para>Disabling CRLs is not recommended. OCSP takes precedence over CRLs when URLs for both are provided. However, the revocation checking process determines when downloading and caching a single CRL is more efficient than multiple OCSP requests. With CRLs disabled, a domain member that cannot reach an OCSP responder cannot fall back on a CRL from the CRL distribution points specified in the certificate. </maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save changes.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Changes in Group Policy are applied by domain members periodically based on the Group Policy refresh interval, during computer startup, and during user logon. The default refresh interval is 90 minutes. To immediately refresh Group Policy on a domain member, run the Gpupdate command.</maml:para></maml:alertSet>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>Setting Up Online Responder Services in a Network (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143098</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143098"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Properties</maml:linkText><maml:uri href="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Guidelines for Using Alternate Signature Formats</maml:title><maml:introduction>
<maml:para>Selecting the option <maml:ui>Use alternate signature formats</maml:ui> implements the PKCS #1 v2.1 signature format for certificates.</maml:para>

<maml:para>For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm. (In PKCS #1 v1.5, only one object identifier is used to identify both the hash and asymmetric algorithms.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, an enhanced cryptographic formula is used to create the signature.</maml:para>

<maml:para>For certificates not based on RSA algorithms, selecting <maml:ui>Use alternate signature formats</maml:ui> specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm.</maml:para>

<maml:para>Before using the alternate signature format in your certificates, you need to verify that certification authorities (CAs) and client computers can accept these signature formats. Versions of Windows earlier than Windows Server 2008 cannot validate certificates that use the alternate signature format. In addition, certificates issued by using the alternate signature format might not be compatible with CAs or client computers that are not running Windows. </maml:para>

<maml:para>For more information about PKCS #1 v2.1, see PKCS #1: RSA Cryptography Standard (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=66621</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=66621"></maml:uri></maml:navigationLink>) on the RSA Laboratories Web site.</maml:para>

<maml:para>For more information about the RSA implementation of the signature format, see Raising the Standard for RSA Signatures: RSA-PSS (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=66622</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=66622"></maml:uri></maml:navigationLink>) on the RSA Laboratories Web site.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Registration Authorities</maml:title><maml:introduction>
<maml:para>A registration authority is a computer that is configured for an administrator to request and retrieve issued certificates on behalf of other users. </maml:para>

<maml:para>A registration authority does not have to be installed on the same computer as the certification authority for which it processes certificate requests.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Enroll for Certificates on Behalf of Other Users</maml:linkText><maml:uri href="mshelp://windows/?id=211b51a2-999a-43c0-86ac-92a32cbe1dd2"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>General Tab</maml:title><maml:introduction>
<maml:para>You can view information about the fields, extensions, and properties that define an issued certificate by double-clicking any certificate displayed in the certificate store.</maml:para>

<maml:para>Clicking the <maml:ui>General</maml:ui> tab provides a general overview of the certificate, including the following information:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Supported uses of the certificate</maml:phrase>. Summary information, such as the applications, signing, encryption, or authentication, for which the certificate can be used. This section also explains if a certificate has expired or is not valid.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Entity to which the certificate was issued</maml:phrase>. The name of the recipient of the certificate. Recipients can include end users, computers, or entities such as certification authorities (CAs).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>The issuer of the certificate</maml:phrase>. The name of the CA that issued the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Validity period of the certificate</maml:phrase>. The period from the date that the certificate becomes valid to the date that the certificate expires.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Issuer statement</maml:phrase>. Clicking the <maml:ui>Issuer Statement</maml:ui> button opens a separate window that contains additional information about the certificate or a URL where additional information can be obtained.</maml:para>
</maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Information</maml:linkText><maml:uri href="mshelp://windows/?id=93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Request a Certificate by Using a PKCS #10 or PKCS #7 File</maml:title><maml:introduction>
<maml:para>It is not always possible to submit a certificate request online to a certification authority (CA). In these instances, you might still be able to submit a certificate request in the form of a PKCS #7 or PKCS #10 file. In general, you use a PKCS #10 file to submit a request for a new certificate and a PKCS #7 file to submit a request to renew an existing certificate. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local <maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic. </maml:para>

<maml:procedure><maml:title>To request a certificate by using a PKCS #10 or PKCS #7 file</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open https://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the Web server hosting the CA Web enrollment pages.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Request a certificate</maml:ui>, and then click <maml:ui>Advanced certificate request</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Submit a certificate request using a base-64-encoded CMC or PKCS #10 file</maml:ui> or <maml:ui>Submit a renewal request by using a base-64-encoded PKCS #7 file</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>

<maml:para>In Notepad, click <maml:ui>File</maml:ui>, click <maml:ui>Open</maml:ui>, select the PKCS #10 or PKCS #7 file, click <maml:ui>Edit</maml:ui>, click <maml:ui>Select all</maml:ui>, click <maml:ui>Edit</maml:ui>, and then click <maml:ui>Copy</maml:ui>. On the Web page, click in the <maml:ui>Saved request</maml:ui> box. Click <maml:ui>Edit</maml:ui>, and then click <maml:ui>Paste</maml:ui> to paste the contents of the certificate request into the box.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are connected to an enterprise CA, choose the certificate template that you want to use. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have any attributes to add to the certificate request, enter them into <maml:ui>Additional Attributes</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Submit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the <maml:ui>Certificate Pending</maml:ui> Web page appears, see <maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the <maml:ui>Certificate Issued</maml:ui> Web page appears, click <maml:ui>Download certificate chain</maml:ui>. Save the file to your hard disk, and then import the certificate into your certificate store. For the procedure to import a certificate, see <maml:navigationLink><maml:linkText>Import a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=68340bf6-9412-4a41-bb36-2ccc8c1ab5cf"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>



<maml:listItem>
<maml:para>The Web server for the CA must be configured to use HTTPS authentication.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you submit the request and immediately get a message asking you if you want to submit the request even though it does not contain a BEGIN or END tag, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Import a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=68340bf6-9412-4a41-bb36-2ccc8c1ab5cf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Save a Certificate Request in a File</maml:linkText><maml:uri href="mshelp://windows/?id=3de3286a-efd8-4afc-8878-7a034355d90e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate Over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Properties Extended Validation Tab</maml:title><maml:introduction><maml:para>The <maml:ui>Extended Validation</maml:ui> tab is used by administrators to add an Extended Validation (EV) certificate policy to root certificates that are distributed by Group Policy. Adding the EV certificate policy to root certificates and certificates issued to intranet Web sites provides a visual indicator that a site is trustworthy. </maml:para>
<maml:para>These procedures must be completed to use EV certificates for intranet Web sites.</maml:para>
<maml:list class="ordered"><maml:listItem><maml:para>Add an EV certificate policy to a certificate template.</maml:para></maml:listItem>
<maml:listItem><maml:para>Add an EV certificate policy to a root certificate.</maml:para></maml:listItem>
<maml:listItem><maml:para>Issue EV certificates to intranet Web sites.</maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Adding an EV certificate policy to a certificate template</maml:title>
<maml:introduction><maml:para>In addition to the root certificate, the EV certificate policy must also be included in certificates issued to intranet Web sites and all issuing certification authority (CA) certificates in the certification path.</maml:para>
<maml:para>In this procedure, you can modify a certificate template that is used to issue Web server certificates in your organization or any certificate template that meets the following requirements:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>The certificate template is version 2 or version 3.</maml:para></maml:listItem>
<maml:listItem><maml:para>The certificate purpose includes signature and encryption.</maml:para></maml:listItem>
<maml:listItem><maml:para>The application policy extension includes server authentication.</maml:para></maml:listItem>
</maml:list>
<maml:para>The issuing CA must meet the following requirements:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>The certification path of the issuing CA certificate includes a root certificate that includes an EV certificate policy.</maml:para></maml:listItem>
<maml:listItem><maml:para>The issuing CA certificate includes the All Issuance policy or an EV certificate policy.</maml:para></maml:listItem>
<maml:listItem><maml:para>The issuing CA is an enterprise CA.</maml:para></maml:listItem>
</maml:list>
<maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To add an EV certificate policy to a certificate template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the issuing CA, open Server Manager. In the console tree, expand <maml:ui>Roles</maml:ui>, expand <maml:ui>Active Directory Certificate Services</maml:ui>, then click <maml:ui>Certificate Templates</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Double-click a template that is used to issue certificates to intranet Web sites.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Extensions</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui> to open the <maml:ui>Edit Application Policies Extension</maml:ui> dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui> to open the <maml:ui>Add Application Policy</maml:ui> dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>New</maml:ui> to open the <maml:ui>New Application Policy</maml:ui> dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type a name for the EV certificate policy. 
The name will be displayed in the extensions of issued certificates and in the template properties in the Certificate Templates snap-in.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>A unique object identifier (also known as OID) value is automatically generated. Copy the object identifier value for use in the following procedure. Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Application policies</maml:ui> list, select the policy that you created. Click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the application policy extension. On the <maml:ui>Extensions</maml:ui> tab, verify that the EV certificate policy is displayed in the <maml:ui>Description of Application Policies</maml:ui> box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the <maml:ui>Security</maml:ui> tab. 
Verify that the groups or users who request certificates for intranet Web sites have <maml:ui>Read</maml:ui> and <maml:ui>Enroll</maml:ui> permissions.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save the certificate template.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, double-click the CA.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, right-click <maml:ui>Certificate Templates</maml:ui>, click <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui> to open the <maml:ui>Enable Certificate Templates</maml:ui> dialog box.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Select the certificate template with the EV certificate policy, and click <maml:ui>OK</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure></maml:introduction>
</maml:section><maml:section><maml:title>Adding an EV certificate policy to a root certificate</maml:title>
<maml:introduction>
<maml:para><maml:phrase>Enterprise Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To add an EV certificate policy to a root certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, and then click <maml:ui>Run</maml:ui>. Type <maml:userInput>gpmc.msc</maml:userInput>, and click <maml:ui>OK</maml:ui> to open the Group Policy Management Console (GPMC).</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand the forest and domain containing the policy that you want to edit, and then click <maml:ui>Group Policy Objects</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the policy that you want to edit, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, under <maml:ui>Computer Configuration</maml:ui>, expand <maml:ui>Policies</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, <maml:ui>Public Key Policies</maml:ui>, and <maml:ui>Trusted Root Certification Authorities</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>If no root certificates are displayed, export the CA certificate from the root CA, and import the certificate into <maml:ui>Trusted Root Certification Authorities</maml:ui>. 
See <maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the root certificate, click <maml:ui>Properties</maml:ui>, and then click the <maml:ui>Extended Validation</maml:ui> tab.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type an object identifier value that represents the EV certificate policy in your organization. If you created the EV certificate policy by using the previous procedure, use the same object identifier value.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add OID</maml:ui>, and then click <maml:ui>OK</maml:ui> to save changes.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>Changes in Group Policy are applied by domain members periodically based on the Group Policy refresh interval, during computer startup, and during user logon. The default refresh interval is 90 minutes. To immediately refresh Group Policy on a domain member, run the Gpupdate command.</maml:para></maml:alertSet>

</maml:introduction>
</maml:section><maml:section><maml:title>Issuing EV certificates</maml:title>
<maml:introduction><maml:para>Follow the procedures in these related topics to request and install an EV certificate on your intranet Web server:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>On an intranet Web server, open the Certificates snap-in for the local computer. See <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para></maml:listItem>
<maml:listItem><maml:para>Request an EV certificate. See <maml:navigationLink><maml:linkText>Request Certificates by Using the Certificate Request Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b"></maml:uri></maml:navigationLink>.</maml:para></maml:listItem>
<maml:listItem><maml:para>Configure a Web site binding. See Add or Edit Site Binding Dialog Box (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143106</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143106"></maml:uri></maml:navigationLink>).</maml:para></maml:listItem></maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Extended Validation SSL Certificates (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=142392</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=142392"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Properties</maml:linkText><maml:uri href="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Submit a User Certificate Request over the Web</maml:title><maml:introduction>




<maml:para>When you request certificates from a Windows-based stand-alone certification authority (CA), you use the CA Web enrollment pages. Web enrollment pages can also be used to request certificates from enterprise CAs if you want to set optional request features that are not available in the Certificate Request Wizard, such as marking the keys as exportable, setting key length, choosing the hash algorithm, or saving the request to a file. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To submit a user certificate request over the Web </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open https://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the server hosting the CA Web enrollment pages. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Request a certificate</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On <maml:ui>Request a Certificate</maml:ui>, select the type of certificate you want:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>If the CA is an enterprise CA, click <maml:ui>User Certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the CA is a stand-alone CA, select either <maml:ui>Web Browser Certificate</maml:ui> or <maml:ui>E-Mail Protection Certificate</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Identifying Information</maml:ui> page, enter your identifying information for the certificate request, if needed.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>(Optional) Click <maml:ui>More Options</maml:ui> to specify the cryptographic service provider (CSP) and whether you want to enable strong private key protection. (This means that you will receive a prompt every time that the private key is used.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Submit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the <maml:ui>Certificate Pending</maml:ui> Web page appears, see <maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink> for the procedure to check on a pending certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the <maml:ui>Certificate Issued</maml:ui> Web page appears, click <maml:ui>Install this certificate</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>In order for a user to obtain a certificate by using Web enrollment, an administrator must set the appropriate permissions on the certificate templates on which the requested certificate is based. </maml:para>
</maml:listItem>


</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate Over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Certificate Enrollment Policy by Using the Certificates Snap-in</maml:title><maml:introduction>
<maml:para>This topic describes the procedures and applications used to add enrollment policy servers and manage enrollment policies by using the Certificates snap-in. These procedures can be used to configure enrollment policies that enable users to request certificates from commercial certification authorities (CAs) offering certificate enrollment services on the Internet or enterprise CAs within an organization.
</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configuring certificate enrollment policy settings</maml:title><maml:introduction><maml:para>The <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box is used to add enrollment policy servers and can be opened by using either the <maml:ui>Manage Enrollment Policies</maml:ui> dialog box or the Certificate Enrollment wizard.</maml:para>
<maml:procedure><maml:title>To configure certificate enrollment policy settings</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>certmgr.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and press ENTER.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, click <maml:ui>Personal</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Do one of the following:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, point to <maml:ui>Advanced Operations</maml:ui>, and then click <maml:ui>Manage Enrollment Policies</maml:ui>. Under <maml:ui>Certificate enrollment policy list</maml:ui>, click <maml:ui>Add</maml:ui>. For more information about the settings in this dialog box, see the "Manage Enrollment Policies dialog box" table later in this topic.</maml:para></maml:listItem>
<maml:listItem><maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Request New Certificate</maml:ui> to start the Certificate Enrollment wizard. Click <maml:ui>Next</maml:ui>, and then on the <maml:ui>Select Certificate Enrollment Policy</maml:ui> page, click <maml:ui>Add New</maml:ui>. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.</maml:para></maml:listItem></maml:list></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Enter enrollment policy server URI</maml:ui> box, type a certificate enrollment policy server URI.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Authentication type</maml:ui> list, select the authentication type required by the enrollment policy server.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Validate</maml:ui>, and then review the messages in the <maml:ui>Certificate enrollment policy server properties</maml:ui> area. The <maml:ui>Add</maml:ui> button is available only after the enrollment policy server URI and authentication type are validated.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>If the added enrollment policy server supports an enrollment policy that is already displayed in <maml:ui>Certificate enrollment policy list</maml:ui>, then the added server will not be displayed separately. Click <maml:ui>Properties</maml:ui> to verify that the added enrollment policy server is displayed in the <maml:ui>Enrollment policy servers</maml:ui> list. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server Properties dialog box" table later in this topic.</maml:para></maml:alertSet>

</maml:introduction>
</maml:section><maml:section><maml:title>User interface reference</maml:title>
<maml:introduction><maml:para>The following tables describe the settings available in the <maml:ui>Manage Enrollment Policies</maml:ui> dialog box, the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box, and the <maml:ui>Certificate Enrollment Policy Server Properties</maml:ui> dialog box.</maml:para><maml:table><maml:title>Manage Enrollment Policies dialog box</maml:title><maml:tableHeader>
<maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Certificate enrollment policy list</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Displays the list of enrollment policies that are included in the policy setting. One of the displayed policies must be specified as the default policy by selecting the <maml:ui>Default</maml:ui> check box.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Add</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Opens the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box, which is used to add an enrollment policy server.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Remove</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Removes the selected enrollment policy and all associated enrollment policy servers from the list.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Properties</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Opens the <maml:ui>Certificate Enrollment Policy Server Properties</maml:ui> dialog box, which displays the policy details and list of enrollment policy servers for the selected enrollment policy.</maml:para></maml:entry></maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>

<maml:table><maml:title>Certificate Enrollment Policy Server dialog box</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Enter enrollment policy server URI</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies the URI of the Certificate Enrollment Policy Web Service. The URI must use HTTPS.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Authentication type</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies the type of authentication that is used to connect to the specified URI. The specified authentication type must match the authentication type that is required by the Certificate Enrollment Policy Web Service.</maml:para><maml:para>The following authentication types are available:</maml:para><maml:list class="unordered"><maml:listItem><maml:para><maml:ui>Anonymous</maml:ui>. No credentials are provided when connecting to the certificate enrollment policy server.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Windows integrated</maml:ui>. Windows integrated authentication uses the Kerberos protocol and is appropriate for AD DS domain members.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Username/password</maml:ui>. During certificate enrollment, users will be prompted to enter a user name and password.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>X.509 Certificate</maml:ui>. During certificate enrollment, users will be prompted to select a certificate for authentication.</maml:para></maml:listItem></maml:list></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Validate</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Connects to the specified URI by using the specified authentication type to verify the following details:</maml:para><maml:list class="unordered"><maml:listItem><maml:para>An SSL connection can be made to the enrollment policy server.</maml:para></maml:listItem><maml:listItem><maml:para>A valid enrollment policy is returned by the enrollment policy server.</maml:para></maml:listItem><maml:listItem><maml:para>The enrollment policy is not already included in the Group Policy setting.</maml:para></maml:listItem></maml:list><maml:para>Validation is required for an enrollment policy server URI before it can be added. If the specified URI and authentication type are valid, the enrollment policy identifier and friendly name are displayed. Warning or error messages are displayed if there is a problem with validation.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Add</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Adds the enrollment policy server URI and validated enrollment policy to the Group Policy setting. The <maml:ui>Add</maml:ui> button is available only after the enrollment policy server URI and authentication type are validated.</maml:para></maml:entry></maml:row></maml:table>

<maml:para></maml:para>

<maml:table><maml:title>Certificate Enrollment Policy Server Properties dialog box</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Enrollment policy servers list</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Displays the list of enrollment policy servers that support the enrollment policy.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Remove</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Removes the selected enrollment policy server. If all enrollment policy servers are removed, the enrollment policy will also be removed.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Enable for automatic enrollment and renewal</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled.</maml:para><maml:para>On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. On computers that are members of a domain, autoenrollment must be enabled in Group Policy. See Managing Certificate Enrollment (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=143282</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=143282"></maml:uri></maml:navigationLink>) for autoenrollment configuration procedures.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Require strong validation during enrollment</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies that enrollment clients require validation of the issuing CA's certification path during enrollment.</maml:para></maml:entry></maml:row></maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Servers</maml:linkText><maml:uri href="mshelp://windows/?id=64541c74-8112-4496-9721-1ddabcae5f4b"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Manage Certificate Enrollment Policy by Using Group Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d641377f-de00-4342-b15f-4879a3859ded"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para>Managing Certificate Enrollment (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=143282</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=143282"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem></maml:list>

</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate File Formats</maml:title><maml:introduction>


<maml:para>Certificate import and export operations support four file formats. Choose the format that meets your specific requirements.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Personal Information Exchange (PKCS #12)</maml:phrase></maml:para>

<maml:para>The Personal Information Exchange format (PFX, also called PKCS #12) supports secure storage of certificates, private keys, and all certificates in a certification path.</maml:para>

<maml:para>The PKCS #12 format is the only file format that can be used to export a certificate and its private key.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cryptographic Message Syntax Standard (PKCS #7)</maml:phrase></maml:para>

<maml:para>The PKCS #7 format supports storage of certificates and all certificates in the certification path. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>DER-encoded binary X.509</maml:phrase></maml:para>

<maml:para>The Distinguished Encoding Rules (DER) format supports storage of a single certificate. This format does not support storage of the private key or certification path.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Base64-encoded X.509</maml:phrase></maml:para>
<maml:para>The Base64 format supports storage of a single certificate. This format does not support storage of the private key or certification path.</maml:para>



</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificates Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Import a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=68340bf6-9412-4a41-bb36-2ccc8c1ab5cf"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Export a Certificate with the Private Key</maml:linkText><maml:uri href="mshelp://windows/?id=66730f06-9190-4eb1-bf08-88c79f4a0a23"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View the Certificates in a PKCS #7 file</maml:linkText><maml:uri href="mshelp://windows/?id=b776e5d1-307b-42f2-b2d1-c6dce2a49c9b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enroll for Certificates on Behalf of Other Users</maml:title><maml:introduction>
<maml:para>It is not always possible for users to enroll for a certificate on their own behalf. This can be the case for a user smart card certificate. By default, only domain administrators are granted permission to request a certificate on behalf of another user. However, a user other than a domain administrator can be granted permission to become an enrollment agent. A user becomes an enrollment agent by enrolling for an Enrollment Agent certificate.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.</maml:para>
</maml:alertSet>

<maml:para>Membership in the <maml:phrase>Users</maml:phrase> group and an Enrollment Agent certificate are the minimum requirements to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To enroll for a certificate on behalf of other users</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, expand the <maml:ui>Personal </maml:ui>store, and then click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, point to <maml:ui>Advanced Operations</maml:ui>, and then click <maml:ui>Enroll on behalf of </maml:ui>to open the Certificate Enrollment wizard. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Browse to the Enrollment Agent certificate that you will use to sign the certificate request that you are processing. Click <maml:ui>Next</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the type of certificate that you want to enroll for. When you are ready to request a certificate, click <maml:ui>Enroll</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the Certificate Enrollment wizard has successfully finished, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by a user or by an administrator. To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Obtain a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Registration Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=0d71e266-5cfd-4b01-ac32-81021d37875f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Path Validation</maml:title><maml:introduction>
<maml:para>As certificate use for secure communication and data protection is increasing, administrators can use certificate trust policy to enhance their control of certificate use and public key infrastructure performance by using certificate path validation settings. </maml:para>

<maml:para>Certificate path validation settings in Group Policy allow administrators to:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Trusted Root Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e"></maml:uri></maml:navigationLink>. These policy settings control which root certification authority (CA) certificates and peer trust certificates in the user certificate and root certificate stores can be trusted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Trusted Publishers</maml:linkText><maml:uri href="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f"></maml:uri></maml:navigationLink>. These policy settings control which code signing (Authenticode) certificates can be accepted for use in the organization, and they block certificates that are not trusted according to policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Network Retrieval and Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=70588c7b-c9ba-425f-84e9-d4fe44f6e294"></maml:uri></maml:navigationLink>. These policy settings can be used to compensate for situations in which downloads of a certificate revocation list (CRL) fail because the CRL is too large and network conditions are not optimal.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Revocation Checking Policy</maml:linkText><maml:uri href="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452"></maml:uri></maml:navigationLink>. These policy settings can be used to coordinate use of CRLs and Online Responders during revocation checking. This option also allows an administrator to extend the lifetime of responses received from an Online Responder or CRL. Extending this lifetime means that clients continue to rely on older revocation data, so a newly revoked certificate may be accepted for longer.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Credential Roaming</maml:title><maml:introduction>
<maml:para>Credential roaming allows organizations to store certificates and private keys in Active Directory Domain Services (AD DS) separately from application state or configuration information.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>How credential roaming works</maml:title><maml:introduction>
<maml:para>Credential roaming uses existing logon and autoenrollment mechanisms to securely download certificates and keys to a local computer whenever a user logs on and, if desired, remove them when the user logs off. In addition, the integrity of these credentials is maintained under any conditions, such as when certificates are updated and when users log on to more than one computer at a time. </maml:para>

<maml:para>The following steps describe how digital credential roaming works.</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>A user logs on to a client computer that is connected to an Active Directory domain. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>As part of the logon process, credential roaming Group Policy is applied to the user's computer. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If this is the first time that credential roaming is being used, the certificates in the user's store on the client computer are copied to AD DS. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the user already has certificates in AD DS, the certificates in the user's certificate store on the client computer are compared to the certificates stored for the user in AD DS. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the certificates in the user's certificate store are current, then no further action is taken. However, if more recent certificates for the user are stored in AD DS, then these credentials are copied to the client computer. If more recent certificates for the user are stored on the client computer, then these credentials are copied to AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If additional certificates are needed on the client computer, outstanding certificate autoenrollment requests are processed. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Newly issued certificates are stored in the certificate store on the client computer and replicated to AD DS.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para>When the user logs on to another client computer connected to the domain, the same Group Policy setting is applied, and credentials are once again replicated from AD DS. Credential roaming synchronizes and resolves any conflicts between certificates and private keys from any number of client computers that the user logs on to, as well as in AD DS.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>In multi-domain environments and domains with multiple domain controllers, credentials may not be immediately available when a user logs on to the network by using one domain controller shortly after being issued a certificate on a computer that validates the user's identity against a different domain controller. The credentials will only become available after replication has been completed between the two domains or domain controllers.</maml:para>
</maml:alertSet>
</maml:listItem>





<maml:listItem>
<maml:para>When the user's certificate expires, the old certificate is automatically archived in the user's profile on the computer and in AD DS. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>Credential roaming is triggered any time a private key or certificate in the user's local certificate store changes, whenever the user locks or unlocks the computer, and whenever Group Policy is refreshed. </maml:para>

<maml:para>All certificate-related communication between components on the local computer and between the local computer and AD DS is signed and encrypted.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Renew a Certificate with a New Key</maml:title><maml:introduction>
<maml:para>Renewing a certificate with a new key allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. This can be desirable if using a new certificate would cause disruption and the existing certificate has not been compromised. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To renew a certificate with a new key</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, expand the <maml:ui>Personal </maml:ui> store, and then click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, select the certificate that you are renewing.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Renew Certificate with New Key</maml:ui> to open the Certificate Renewal Wizard.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certificate Renewal Wizard, do one of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Use the default values to renew the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(For advanced users only) Click <maml:ui>Details</maml:ui>, and then click <maml:ui>Properties</maml:ui> to provide your own certificate renewal settings. You need to know the cryptographic service provider (CSP) and the certification authority (CA) issuing the certificate.</maml:para>

<maml:para>You need to select the key length (measured in bits) of the public key associated with the certificate.</maml:para>

<maml:para>You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to ensure that the private key is not used without your knowledge.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When you are ready to request a certificate, click <maml:ui>Enroll</maml:ui>. After the Certificate Renewal Wizard has successfully finished, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Once renewed, the old certificate and key pair will be archived. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you need to request certificates by using Web pages. The Web pages for a Windows-based CA are located at http://<maml:replaceable>servername</maml:replaceable>/Certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the server that hosts the CA.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>BitLocker Certificates</maml:title><maml:introduction>
<maml:para>Recovery of a BitLocker-protected drive can be accomplished by a data recovery agent that has been configured with the proper certificate. Before a data recovery agent can be configured for a drive, you must add the data recovery agent from <maml:ui>Public Key Policies</maml:ui> in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. You must also enable and configure the <maml:ui>Provide the unique identifiers for your organization</maml:ui> policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Certificate requirements</maml:title><maml:introduction>
<maml:para>A certificate must meet the following key usage and enhanced key usage requirements before it can be used to encrypt a drive with BitLocker:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>The key usage attribute must be either none, Key Encipherment, or one of the following key usage values:</maml:para>
<maml:para>CERT_DATA_ENCIPHERMENT_KEY_USAGE</maml:para>
<maml:para>CERT_KEY_AGREEMENT_KEY_USAGE</maml:para>
<maml:para>CERT_KEY_ENCIPHERMENT_KEY_USAGE</maml:para></maml:listItem>
<maml:listItem><maml:para>The enhanced key usage attribute must be either none or one of the following:</maml:para>
<maml:para>1.3.6.1.4.1.311.67.1.1</maml:para>
<maml:para>Any enhanced key usage object identifier supported by your certification authority</maml:para></maml:listItem>
</maml:list>
<maml:para>The BitLocker object identifier is set to 1.3.6.1.4.1.311.67.1.1 by default. You can use Group Policy to change this value if, for example, you want to share an existing certificate with BitLocker. If the certificate belongs to a data recovery agent and is only used to recover BitLocker-protected data, it is recommended that it also have one of these attributes, but it is not mandatory. No certificate validation occurs when adding a data recovery agent to a drive.</maml:para>

</maml:introduction>

<maml:sections>
<maml:section>
<maml:title>Configuring a data recovery agent and an identification field for BitLocker </maml:title><maml:introduction>
<maml:para>The following procedures describe how to configure a data recovery agent and an identification field for BitLocker.</maml:para>
<maml:para>Local <maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete these procedures.</maml:para><maml:procedure><maml:title>To configure a data recovery agent</maml:title><maml:introduction><maml:sections><maml:section><maml:title></maml:title><maml:introduction><maml:para>After the wizard closes, the data recovery agents appear in the details pane.</maml:para></maml:introduction>
</maml:section></maml:sections></maml:introduction><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Open either the GPMC or the Local Group Policy Editor.
</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings\Public Key Policies</maml:ui>, right-click <maml:ui>BitLocker Drive Encryption</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add Data Recovery Agent</maml:ui> to start the Add Recovery Agent Wizard. Click <maml:ui>Next</maml:ui>. </maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the <maml:ui>Select Recovery Agents</maml:ui> page, click <maml:ui>Browse Folders</maml:ui>, and select a .cer file to use as a data recovery agent. Once the file is selected, it will be imported and will appear in the <maml:ui>Recovery agents</maml:ui> list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click <maml:ui>Next</maml:ui>.

</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>The <maml:ui>Completing the Add Recovery Agent</maml:ui> page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click <maml:ui>Finish</maml:ui> to confirm the data recovery agents, and close the wizard.
</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:procedure><maml:title>To configure an identification field</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the GPMC or Local Group Policy Editor, expand the console tree to <maml:ui>Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption</maml:ui>, and then click <maml:ui>BitLocker Drive Encryption</maml:ui> to show the policy settings.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the details pane, double-click the <maml:ui>Provide the unique identifiers for your organization</maml:ui> policy setting.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Enable</maml:ui>. In <maml:ui>BitLocker Identification Field</maml:ui>, enter the identification field for your organization.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to apply and close the policy setting.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Drives that were encrypted with BitLocker before an identification field was configured will not have data recovery agents assigned to them due to the absence of an identification field. It is possible to use Windows Management Instrumentation (WMI) or the Manage-bde command-line tool to set an identification field on a previously encrypted drive. When using Manage-bde, the identification field will be set to the value specified in the <maml:ui>Provide the unique identifiers for your organization</maml:ui> policy setting. For more information about using WMI or Manage-bde, see <maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143347</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143347"></maml:uri></maml:navigationLink>.</maml:para>
</maml:alertSet></maml:introduction></maml:section>
</maml:sections></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Sign Certificate Requests</maml:title><maml:introduction>
<maml:para>In some cases, certificate requests must be digitally signed by using a valid Enrollment Agent or Signing certificate before a certification authority (CA) will process the request.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Once someone has an Enrollment Agent certificate, that person can enroll for a certificate and generate a smart card on behalf of anyone in the organization. The resulting smart card could then be used to log on to the network and impersonate the real user. Because of the powerful capability of the Enrollment Agent certificate, it is strongly recommended that your organization maintain very strong security policies for these certificates.</maml:para>
</maml:alertSet>

<maml:para>One way to minimize the risk of Enrollment Agent certificate misuse is to have one subordinate CA in your organization, under very tight administrative controls, that is used only to issue Enrollment Agent certificates. Once the initial Enrollment Agent certificates have been issued, the administrator of the CA can disable the issuance of Enrollment Agent certificates until it is needed again. </maml:para>

<maml:para>If you restrict the administrators who can operate the CA service on the subordinate CA, the service can be kept online for the generation and distribution of certificate revocation lists (CRLs) if necessary. </maml:para>

<maml:para>Other CAs in the hierarchy can still issue Enrollment Agent certificates if their policy settings are changed, but you can determine whether inappropriate Enrollment Agent certificates are issued by checking the Issued Certificates log for each CA regularly.</maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request Certificates by Using the Certificate Request Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Display Certificates by Logical Certificate Stores</maml:title><maml:introduction>
<maml:para>Logical certificate stores organize certificates in logical, functional categories for users, computers, and services. The use of logical certificate stores eliminates the need to store duplicates of common public key objects, such as trusted root certificates, certificate trust lists (CTLs), and certificate revocation lists (CRLs) for users, computers, and services.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To display certificates by logical certificate stores</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificates – Current</maml:ui>, <maml:ui>Certificates – (Local Computer)</maml:ui>, or <maml:ui>Certificates – Service</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>View</maml:ui> menu, click <maml:ui>Options</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Organize view mode by</maml:ui>, click <maml:ui>Logical certificate stores</maml:ui>, and then click <maml:ui>OK</maml:ui>.  The <maml:ui>Logical Store Name</maml:ui> column heading will appear in the details pane.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When you view certificates by logical store, you will occasionally see what appear to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under a logical store. When the contents of the physical certificate stores are combined into one logical store view, both instances of the same certificate are displayed.</maml:para>

<maml:para>You can verify this by setting the view option to show the physical certificate stores and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.</maml:para>
</maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Display Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=2e9e43a1-5201-41c3-9cdc-4da37713d37a"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Check on a Pending Certificate Request</maml:title><maml:introduction>
<maml:para>When you submit a certificate request to a Windows-based enterprise certification authority (CA), it is immediately processed and will either be issued or denied, unless the certificate template has been configured to require approval by a certificate manager. </maml:para>

<maml:para>When you submit a certificate request to a Windows-based stand-alone CA, it will either be immediately processed or, by default, it will be considered pending until the administrator of the CA approves or rejects the request. In the case of a pending request, the certificate requester will have to use the CA Web enrollment pages to check the status of pending certificates. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic. </maml:para>

<maml:procedure><maml:title>To check on a pending certificate request</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open https://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the Web server hosting the CA Web enrollment pages. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>View the status of a pending certificate request</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If there are no pending certificate requests, you will see a message to that effect. Otherwise, select the certificate request you want to check, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Check the pending certificate requests: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Still pending</maml:ui>. You must wait for the administrator of the CA to issue the certificate. To remove the certificate request, click <maml:ui>Remove</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Issued</maml:ui>. To install the certificate, click <maml:ui>Install this certificate</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Denied</maml:ui>. Contact the administrator of the CA for further information. </maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are finished using the CA Web enrollment pages, close the Web browser. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>
</maml:list>



<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate Over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Public Key Infrastructures</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A public key infrastructure (PKI) is a system of digital certificates, certification authorities (CAs), and registration authorities that verify and authenticate the validity of each entity that is involved in an electronic transaction through the use of public key cryptography. Standards for PKIs are still evolving, even as they are being widely implemented as a necessary element of electronic commerce. For more information about planning a PKI and using public key cryptography, see <maml:navigationLink><maml:linkText>Active Directory Certificate Services Resources</maml:linkText><maml:uri href="mshelp://windows/?id=e2d10a64-83c5-4a2b-bcca-e6984de16fdf"></maml:uri></maml:navigationLink>. </maml:para>

<maml:para>The Microsoft PKI supports a hierarchical CA model that is scalable and provides consistency with a growing number of commercial and other CA products.</maml:para>

<maml:para>In its simplest form, a certification hierarchy consists of a single CA. However, a hierarchy frequently contains multiple CAs with clearly defined parent/child relationships. In this model, each child (subordinate) CA is certified by a certificate issued by its parent CA, which binds the CA's public key to its identity. The CA at the top of a hierarchy is referred to as the root CA. The child CA of a root CA is called a subordinate CA. For more information, see <maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>In Windows, if you trust a root CA (by having its certificate in your Trusted Root Certification Authorities certificate store), you trust every subordinate CA that has a valid CA certificate in the hierarchy. Thus, a root CA is a very important point of trust in an organization and should be secured accordingly. For more information, see <maml:navigationLink><maml:linkText>CA Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=d6d69e62-0640-4055-bee9-8b4a993c6ac8"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>There are several practical reasons for setting up multiple subordinate CAs, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Usage</maml:phrase>. Certificates may be issued for a number of purposes, such as secure e-mail and network authentication. The issuing policy for these uses may be distinct, and separation provides a basis for administering these policies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Organizational divisions</maml:phrase>. There may be different policies for issuing certificates, depending upon an entity's role in the organization. Again, you can create subordinate CAs to separate and administer these policies.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Geographic divisions</maml:phrase>. Organizations may have entities at multiple physical sites. Network connectivity between these sites may require individual subordinate CAs for many or all sites.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Load balancing</maml:phrase>. If your PKI will be used to issue and manage a large number of certificates, having only one CA can result in considerable network load for that single CA. Using multiple subordinate CAs to issue the same kind of certificates divides the network load between CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Backup and fault tolerance</maml:phrase>. Multiple CAs increase the possibility that your network will always have operational CAs available to respond to user requests.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>A CA hierarchy can also provide administrative benefits, including:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Flexible configuration of the CA security environment to tailor the balance between security and usability. For example, you may choose to employ special-purpose cryptographic hardware on a root CA, operate it in a physically secure area, or operate it offline. These may be unacceptable for subordinate CAs, due to cost or usability considerations.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The ability to "turn off" a specific portion of the CA hierarchy without affecting established trust relationships. For example, you can easily shut down and revoke an issuing CA certificate that is associated with a specific business unit without affecting other parts of the organization.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Display Certificate Stores</maml:title><maml:introduction>
<maml:para>Using the Certificates snap-in, you can display the certificate store for a user, a computer, or a service according to the purpose for which the certificates were issued or by using their logical storage categories. When you display certificates according to their storage categories, you can also choose to display the physical stores, showing the certificate storage hierarchy. (This is recommended for advanced users only.) </maml:para>

<maml:para>If you have the user rights to do so, you can import or export certificates from any of the folders in the certificate store. Additionally, if the private key associated with a certificate is marked as available for export, you can export the certificate together with its private key into a PKCS #12 file. Because that file then contains the private key, it needs the same protection as the key itself.</maml:para>

<maml:para>Windows can also publish certificates to Active Directory Domain Services (AD DS). Publishing a certificate in AD DS enables all users or computers with adequate permissions to retrieve the certificate as needed. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Certificate stores</maml:title><maml:introduction>
<maml:para>Certificates can be displayed by purpose or by logical stores, as shown in the following table. Displaying certificates by logical stores is the default in the Certificates snap-in. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The list of certificate purpose stores does not include all the possible purpose stores.</maml:para>
</maml:alertSet>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Display by</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Folder name</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Contents</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Logical store</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Personal</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with private keys to which you have access. These are the certificates that have been issued to you or to the computer or service for which you are managing certificates.</maml:para>


</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Trusted Root Certification Authorities</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft.</maml:para>

<maml:para>If you are an administrator and want to add non-Microsoft CA certificates to this store for all computers in an Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise Trust</maml:para>
</maml:entry>
<maml:entry>
<maml:para>A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Intermediate Certification Authorities</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates issued to subordinate CAs. If you are an administrator, you can use Group Policy to distribute certificates to the Intermediate Certification Authorities store.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Trusted People</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates issued to people or end entities that are explicitly trusted.  Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted People store.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Other People</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services such as Encrypting File System (EFS), where certificates are used to authorize the decryption of an encrypted file.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Trusted Publishers</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates from CAs that are trusted by software restriction policies. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted Publishers store.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Disallowed Certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para>These are certificates that you have explicitly decided not to trust either by using software restriction policies or by choosing not to trust a certificate when the decision is presented to you in e-mail or a Web browser. If you are a domain administrator, you can use Group Policy to distribute certificates to the Disallowed Certificates store.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Third-Party Root Certification Authorities</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Trusted root certificates from CAs other than Microsoft and your organization. You cannot use Group Policy to distribute certificates to the Third-Party Root Certification Authorities store.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificate Enrollment Requests</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Pending or rejected certificate requests.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Active Directory User Object</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with your user object and published in AD DS.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Server Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates that server programs use to authenticate themselves to client computers.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Client Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates that client programs use to authenticate themselves to servers.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Code Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with key pairs used to sign active content.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Secure E-mail</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with key pairs used to sign e-mail messages.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encrypting File System</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by EFS.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>File Recovery</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by EFS.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>When you view certificates by logical store, you will occasionally see what appear to be two copies of the same certificate in the store. This occurs because the same certificate is stored in separate physical stores under one logical store. When the contents of the physical certificate stores are combined into one logical store view, both instances of the same certificate are displayed.</maml:para>

<maml:para>You can verify this by setting <maml:ui>View Options</maml:ui> to show the <maml:ui>Physical certificate stores</maml:ui> and then noting that the certificate is stored in separate physical stores under the same logical store. You can verify that it is the same certificate by comparing the serial numbers.</maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Learn More About Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=d08d5ac3-2dc4-4069-b061-902e607f421d"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Certificates by Logical Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=25789028-bfc8-48f5-9432-82e74ea48d59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Certificates by Certificate Purpose</maml:linkText><maml:uri href="mshelp://windows/?id=6b8b6b13-b4be-4a40-a696-352b40953286"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Archived Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=92ad94a0-3eeb-4916-8fbe-05b803affa3e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Move Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=34bc986a-a55c-4d4d-a073-cfad924b1187"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Extensions</maml:title><maml:introduction>
<maml:para>The <maml:ui>Extensions</maml:ui> tab allows an administrator to define specific application policies, issuance policies, certificate subject types, and key usage attributes for a certificate template.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Application policies</maml:title><maml:introduction>
<maml:para>Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are represented in a certificate by an object identifier that is defined for a given application. This object identifier is included in the issued certificate. When a subject presents its certificate, the certificate can be examined by the target to verify the application policy and determine whether the subject can perform the requested action. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Issuance policies</maml:title><maml:introduction>
<maml:para>Issuance policies, also referred to as certificate policies, define the measures that are used to identify the subject of the certificate and thereby define the level of assurance for an issued certificate. For example, your organization might require a face-to-face meeting before the certificate is issued to provide for a higher level of assurance for the issued certificate.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Certificate subject type</maml:title><maml:introduction>
<maml:para>The certificate subject type, also referred to as the certificate template information, defines the purpose of a certificate or certificate template. </maml:para>

<maml:para>The certificate subject type extension cannot be edited. If an administrator requires a specific subject type to be applied to a certificate, the administrator should duplicate a certificate template that includes the required subject type. </maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Key usage</maml:title><maml:introduction>
<maml:para>A certificate enables the subject to perform a specific task. To help control the usage of a certificate outside its intended purpose, restrictions are automatically placed on certificates. Key usage is a restriction method that determines what a certificate can be used for. It allows the administrator to issue certificates that can only be used for specific tasks or certificates that can be used for a broad range of functions. If no key usage is specified, the certificate can be used for any purpose.</maml:para>

<maml:para>For signatures, key usage can be limited to one or more of the following purposes:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Digital signature</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Signature is a proof of origin (nonrepudiation)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate signing</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>CRL signing</maml:para>
</maml:listItem>
</maml:list>

<maml:para>For encryption key usage, the following options are available:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Key exchange without key encryption (key agreement)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Key exchange only with key encryption (key encipherment)</maml:para>
</maml:listItem>
</maml:list>


</maml:introduction></maml:section><maml:section><maml:title>Attributes</maml:title>
<maml:introduction><maml:para>In addition to the information required by the certification authority (CA) to construct the requested certificate, a certificate request also includes attributes that describe how the certificate request was created. The certificate request attributes include the operating system version and application used to create the request, the cryptographic service provider used to generate the key pair, the certificate template the request is based on, and other details.</maml:para>
<maml:para>Attributes are automatically added to certificate requests that are created by using the Certificates snap-in and are stored in the CA database with each certificate request.</maml:para>




<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=61e3ea01-7b38-4ba8-a201-40ce9ba33f2c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Move Certificates</maml:title><maml:introduction>
<maml:para>Many applications look for a certificate in only one certificate store. If a certificate is not in the certificate store that you need, you can move it from one store to another.</maml:para>

<maml:para>Membership in <maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To move a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under the logical store that contains the certificate to move, click <maml:ui>Certificates</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate that you are moving. (To select more than one certificate, hold down CTRL and click each certificate.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Cut</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the logical store where you want to move the certificate. </maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Paste</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In the Certificates snap-in, you can move an object only from one certificate store to another. For example, you cannot move an object to a folder in Windows Explorer. To move a certificate to or from a folder on the file system or a removable storage device, see <maml:navigationLink><maml:linkText>Import a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=68340bf6-9412-4a41-bb36-2ccc8c1ab5cf"></maml:uri></maml:navigationLink>, <maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink>, and <maml:navigationLink><maml:linkText>Export a Certificate with the Private Key</maml:linkText><maml:uri href="mshelp://windows/?id=66730f06-9190-4eb1-bf08-88c79f4a0a23"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>What is the Certificates Snap-in?</maml:title><maml:introduction>
<maml:para>The Certificates snap-in is the primary tool for users and administrators to view and manage certificates for a user, computer, or service. </maml:para>

<maml:para>The Certificates snap-in allows the user to request, renew, find, view, move, copy, and delete certificates.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Why use the Certificates snap-in</maml:title><maml:introduction>
<maml:para>The Certificates snap-in is a versatile tool for managing certificates for a user, computer, or service. It can be used to find out what certificates are stored on a computer, where they are stored, or the configuration options for those certificates.</maml:para>

<maml:para>In addition, using the Certificates snap-in, the user can launch wizards that simplify the tasks of:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Enrolling for new certificates</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Renewing existing certificates</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Finding certificates</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Importing certificates</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Exporting or backing up certificates</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In most cases, users do not have to personally manage their certificates and their certificate stores. That can be accomplished by administrators, by policy settings, and through programs that use certificates.</maml:para>

<maml:para>Administrators are the primary users of the Certificates snap-in and, as such, they are able to perform a wide variety of certificate management tasks in their personal certificate store as well as the certificate stores for any computer or service that they have the right to administer. Users can only manage certificates in their personal store.</maml:para>

<maml:para>For information about certificates and how to use the Certificates snap-in, see the following topics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificates Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=6f574ad3-c4e6-431c-b668-448e9111253b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshoot Certificate-Related Problems</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Resources for Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=64e30de7-088f-4e77-9a69-d2b940b1777f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Modify the Properties of a Certificate</maml:title><maml:introduction>
<maml:para>You can modify the properties of a certificate for a number of reasons:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Adding or modifying a display name to help differentiate it from other similar certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Changing the purpose of the certificate by adding or disabling purposes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Specifying cross-certificate download locations.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To modify the properties of a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under the logical store that contains the certificate to modify, click <maml:ui>Certificates</maml:ui>.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate that you want to modify.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Make the desired changes:</maml:para>

<maml:list class="ordered">
<maml:listItem>
<maml:para>To change the display name of the certificate, in <maml:ui>Friendly name</maml:ui>, type the new name.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To change the description of the certificate, in <maml:ui>Description</maml:ui>, type the new description.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To enable all available purposes for the certificate, in <maml:ui>Certificate purposes</maml:ui>, click <maml:ui>Enable all purposes for this certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To disable all available purposes for the certificate, in <maml:ui>Certificate purposes</maml:ui>, click <maml:ui>Disable all purposes for this certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To designate specific purposes for the certificate, in <maml:ui>Certificate purposes</maml:ui>, click <maml:ui>Enable only the following purposes</maml:ui>, and select the appropriate check boxes.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To modify cross-certificate properties, click the <maml:ui>Cross-Certificates</maml:ui> tab, click <maml:ui>Specify additional Cross-Certificate download locations</maml:ui>, enter the URL where the cross-certificates can be obtained, and click <maml:ui>Add URL</maml:ui>. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>OK</maml:ui> to accept all changes.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Save a Certificate Request in a File</maml:title><maml:introduction>
<maml:para>You can save a certificate request in a file so that it can be submitted later, or so that you retain a copy of the request even if it is processed at the same time as it is saved.</maml:para>

<maml:para>Membership in <maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To save a certificate request in a PKCS #10 or CMC file</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open http://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the Web server hosting the certification authority (CA) Web enrollment pages. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Request a certificate</maml:ui>, and under <maml:ui>Advanced certificate request</maml:ui>, click <maml:ui>Create and submit a request to this CA</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enter any identifying information requested and any other options you require.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Additional Options</maml:ui>, select the file format you want to use.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Full path name</maml:ui>, type a path and file name.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Submit</maml:ui>. The file is saved to your computer's desktop.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you are finished using the Web enrollment pages, close the Web browser. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The component that enables Web enrollment in this version of Windows is different from the component that enables Web enrollment in Windows Server 2003 and Windows XP. Windows Server 2003 CA Web enrollment pages must be updated to support computers running Windows Vista or Windows 7 operating systems. For more information, see the Microsoft Help and Support Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=85331</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=85331"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>


</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request Certificates by Using the Certificate Request Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Renew a Certificate with the Same Key</maml:title><maml:introduction>
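<maml:para>Renewing a certificate with the same key provides maximum compatibility with past uses of the accompanying key pair, but it does not enhance the security of the certificate and key pair: the same private key remains in use for another validity period, so the renewal does nothing to limit the effect of a key that has already been exposed.</maml:para>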

<maml:para>Membership in <maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To renew a certificate with the same key</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, expand the <maml:ui>Personal</maml:ui> store, and click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, select the certificate that you are renewing.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, point to <maml:ui>Advanced Operations</maml:ui>, and then click <maml:ui>Renew this certificate with the same key</maml:ui> to start the Certificate Renewal Wizard.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If more than one certificate is listed in the <maml:ui>Request Certificates</maml:ui> window, select the certificate that you want to renew. Do one of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Use the default values to renew the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Click <maml:ui>Details</maml:ui>, and then click <maml:ui>Properties</maml:ui> to provide your own certificate renewal settings. You need to know the certification authority (CA) issuing the certificate.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Enroll</maml:ui>. After the Certificate Renewal Wizard has successfully finished, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>After the certificate is renewed, the old certificate is archived. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you need to request certificates by using Web pages. The Web pages for a Windows-based CA are located at http://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the server that hosts the CA.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Hash Algorithms</maml:title><maml:introduction>
<maml:para>A hash algorithm is an algorithm that produces a hash value of a piece of data, such as a message or session key. With a good hash algorithm, changes in the input data can alter every bit in the resulting hash value. For this reason, hashes are useful in detecting any modification in a data object, such as a message. Furthermore, a good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD5, SHA-1, and SHA-256. Of these, MD5 and SHA-1 no longer provide that collision resistance, because practical collisions have been demonstrated for both. They should not be relied on for new certificate signatures; use SHA-256 or a stronger algorithm.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Details Tab</maml:linkText><maml:uri href="mshelp://windows/?id=74f6e625-e656-41ff-af86-96eb2950c4c7"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certification Path Tab</maml:title><maml:introduction>
<maml:para>Using the <maml:ui>Certification Path</maml:ui> tab, you can view the path from the selected certificate to the certification authorities (CAs) that issue the certificate. </maml:para>

<maml:para>Before a certificate is trusted, Windows must verify that the certificate comes from a trusted source. This verification process is called path validation. </maml:para>

<maml:para>Path validation involves processing public key certificates and their issuer certificates in a hierarchical fashion until the certification path terminates at a trusted, self-signed certificate. Typically, this is a root CA certificate. If there is a problem with one of the certificates in the path, or if Windows cannot find a certificate in the path, the certification path is considered a non-trusted certification path.</maml:para>

<maml:para>A typical certification path includes a root certificate and one or more intermediate certificates. By clicking <maml:ui>View Certificate</maml:ui>, you can also learn more about the certificates for each CA in the path.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Information</maml:linkText><maml:uri href="mshelp://windows/?id=93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Subject Names</maml:title><maml:introduction>
<maml:para>The holder of the private key associated with a certificate is known as the subject. This can be a user, a program, or virtually any object, computer, or service. </maml:para>

<maml:para>Because the subject name can vary greatly depending on who or what the subject is, some flexibility is needed when providing the subject name in the certificate request. Windows can build the subject name automatically from subject information stored in Active Directory Domain Services (AD DS) or the subject name can be supplied manually by the subject (for example, by using certificate enrollment Web pages to create and submit a certificate request). </maml:para>



<maml:para>Enterprise certification authorities (CAs) include the Certificate Templates snap-in to configure certificate templates. Use the <maml:ui>Subject Name</maml:ui> tab on the certificate template properties sheet to configure subject name options.</maml:para>









</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Supply in the request</maml:title>
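<maml:introduction><maml:para>When the <maml:ui>Supply in the request</maml:ui> option is selected, the <maml:ui>Use subject information from existing certificates for autoenrollment renewal requests</maml:ui> option is available to simplify the task of adding the subject name to the certificate renewal request and to allow computer certificates to be renewed automatically. Subject information from existing certificates is not used for automatic renewal of user certificates. Because the requester, rather than the CA, chooses the subject name when <maml:ui>Supply in the request</maml:ui> is selected, limit enrollment permissions on such templates to trusted accounts and consider requiring CA certificate manager approval before certificates are issued.</maml:para>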

<maml:para>The <maml:ui>Use subject information from existing certificates for autoenrollment renewal requests</maml:ui> option causes the certificate enrollment client to read subject name and subject alternative name information from an existing computer certificate based on the same certificate template when creating renewal requests automatically or using the Certificates snap-in. This applies to computer certificates that are expired, revoked, or within their renewal period.</maml:para>

</maml:introduction></maml:section><maml:section><maml:title>Build from AD DS</maml:title><maml:introduction>
<maml:para>When the <maml:ui>Build from this Active Directory information</maml:ui> option is selected, the following additional options can be configured.</maml:para>

<maml:table><maml:title>Subject name format</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader><maml:row><maml:entry><maml:para><maml:ui>Common name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The CA creates the subject name from the common name (CN) obtained from AD DS. This should be unique within a domain but might not be unique within an enterprise.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Fully distinguished name (DN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The CA creates the subject name from the fully distinguished name obtained from AD DS. This ensures that the name is unique within an enterprise.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Include e-mail name in subject name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>If the E-mail name field is populated in the Active Directory user object, this e-mail name will be included with either the common name or fully distinguished name as part of the subject name.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>None</maml:ui></maml:para></maml:entry><maml:entry><maml:para>A name value is not required for this certificate.</maml:para></maml:entry></maml:row></maml:table>




<maml:table><maml:title>Include this information in alternate subject name</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>E-mail name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>If the E-mail name field is populated in the Active Directory user object, this e-mail name will be used.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>DNS name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>This is the fully qualified domain name (FQDN) of the subject that requested the certificate. This is most frequently used in computer certificates.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>User principal name (UPN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The user principal name is part of the Active Directory user object and will be used.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Service principal name (SPN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The service principal name is part of the Active Directory computer object and will be used.</maml:para></maml:entry></maml:row></maml:table>



</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Obtain a Certificate</maml:title><maml:introduction>
<maml:para>To enroll for a certificate, a certificate request must be made by the user, computer, or service that has access to the private key associated with the public key that will be part of the certificate. Users, computers, and services can autoenroll for certificates without user intervention, depending upon the public key policies established by your system administrator. </maml:para>

<maml:para>Users can also obtain certificates by:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Initiating autoenrollment from the Certificates snap-in.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Requesting certificates by using the Certificate Request Wizard.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Requesting a certificate over the Web.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, administrators can request smart card user certificates and smart card certificates for logging on to the system on behalf of other users by using their enrollment agent certificate.</maml:para>

<maml:para>The following topics contain procedures to use for obtaining certificates:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Autoenroll for a Certificate from the Certificates Snap-in</maml:linkText><maml:uri href="mshelp://windows/?id=c2c2b497-274e-490f-935e-e8046f00e57d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request Certificates by Using the Certificate Request Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate Over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Enroll for Certificates on Behalf of Other Users</maml:linkText><maml:uri href="mshelp://windows/?id=211b51a2-999a-43c0-86ac-92a32cbe1dd2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=6f574ad3-c4e6-431c-b668-448e9111253b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Renew a Certificate</maml:title><maml:introduction>

</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction><maml:para>Every certificate has a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential. The Certificates snap-in enables you to renew a certificate issued from a Windows enterprise certification authority (CA) before or after the end of its validity period by using the Certificate Renewal Wizard. </maml:para>
<maml:para>You can either renew the certificate with the same key set that you used before, or you can renew a certificate with a new key set. This decision can be based on a number of factors, including the lifetime of the certificate, the length of the existing or future key, the value of the data protected by the key pair, and the possibility that a private key has been obtained by a malicious user.</maml:para>

<maml:para>Before you renew a certificate, you need to know:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The issuing CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) If you want a new public key and private key pair for the certificate, the cryptographic service provider (CSP) that should be used to generate the key pair.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Windows provides an expiration notification to let you know that specific user or computer certificates have expired or are about to expire. In most cases, autoenrollment will automatically renew these certificates the next time you are connected to the network and log on to the computer.</maml:para>

<maml:para>The following topics contain procedures to use for renewing certificates:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Renew a Certificate with a New Key</maml:linkText><maml:uri href="mshelp://windows/?id=23855705-69c5-4d71-90f5-8f6718df840c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Renew a Certificate with the Same Key</maml:linkText><maml:uri href="mshelp://windows/?id=3eefd65f-6591-4062-8759-4fd208e9b9d1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, you can renew certificates issued from both Windows enterprise CAs and Windows stand-alone CAs with the CA Web enrollment pages by pasting the contents of a PKCS #7 file. For more information, see the following topic:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate by Using a PKCS #10 or PKCS #7 File</maml:linkText><maml:uri href="mshelp://windows/?id=13391cab-ada5-43f8-9f5d-b61e0abdc66d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can be managed only by an administrator or a user who has been given the appropriate permissions.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Properties Cross-Certificates Tab</maml:title><maml:introduction>
<maml:para>Cross-certificates are used to establish trust between separate certification hierarchies, such as in separate networks or portions of a network. In these cases, cross-certificates are typically configured to: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Define the namespaces for which certificates issued in one certification hierarchy can be used and accepted in the second hierarchy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Specify the acceptable uses of certificates issued by a cross-certified certification authority (CA).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Define the issuance practices that must be followed for certificates issued by the cross-certified CA to be considered valid in the other hierarchy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Create a managed trust between separate certification hierarchies.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>The <maml:ui>Cross-Certificates</maml:ui> tab can be used to add cross-certificate download locations. </maml:para>

<maml:para>When cross-certificates are used, the information on the <maml:ui>Cross-Certificates</maml:ui> tab describes which of these types of restrictions, if any, have been applied.</maml:para>

<maml:para>Cross-certificates can be used in both intranet and extranet environments. </maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Properties</maml:linkText><maml:uri href="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Revocation Checking Policy</maml:title><maml:introduction>
<maml:para>Revocation of a certificate invalidates a certificate as a trusted security credential prior to the scheduled expiration of its validity period. A public key infrastructure (PKI) depends on distributed verification of credentials in which there is no need for direct communication with the central trusted entity that vouches for the credentials. </maml:para>

<maml:para>To effectively support certificate revocation, the client computer must determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active Directory Certificate Services supports industry-standard methods of certificate revocation. These include publication of certificate revocation lists (CRLs) and delta CRLs in several locations for clients to access, including Active Directory Domain Services, Web servers, and network file shares. In Windows, revocation data can also be made available in a variety of settings through Online Certificate Status Protocol (OCSP) responses.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>CRLs are published to specified network locations on a periodic basis where they can be downloaded by client computers. OCSP responses are digitally signed responses indicating whether an individual certificate has been revoked or suspended, or if its status is unknown. OCSP responders get their data from published CRLs, or they can be updated directly from the certificate status database of a certification authority (CA). </maml:para>
</maml:alertSet>

<maml:para>In addition, public key Group Policy allows administrators to enhance the use of CRLs and OCSP responders, particularly in situations where extremely large CRLs or network conditions detract from performance.</maml:para>

<maml:para>This topic includes procedures for the following tasks:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring revocation settings on a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452#BKMK_Rev_Local"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring revocation settings for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452#BKMK_Rev_Domain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Extending the validity period for CRL and OCSP responses for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452#BKMK_Valid_Local"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Extending the validity period for CRL and OCSP responses for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452#BKMK_Extend_Domain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections><maml:section address="BKMK_Rev_Local"><maml:title>Configuring revocation settings on a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To configure revocation settings on a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpedit.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Local Computer Policy\Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Revocation</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, select the policy settings that you want to apply, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section address="BKMK_Rev_Domain"><maml:title>Configuring revocation settings for a domain</maml:title>
<maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To configure revocation settings for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the Group Policy Management Console (GPMC) was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Revocation</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, select the policy settings that you want to apply, and then click <maml:ui>OK </maml:ui>to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_Valid_Local"><maml:title>Extending the validity period for CRL and OCSP responses for a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To extend the validity period for CRL and OCSP responses for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpedit.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Local Computer Policy\Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Revocation </maml:ui>tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, and then select the <maml:ui>Allow CRL and OCSP responses to be valid longer than their lifetime</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
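<maml:para>In the <maml:ui>Default time the validity period can be extended </maml:ui>box, enter the amount of time (in hours), and then click <maml:ui>OK</maml:ui> to apply the new settings. While the extension is in effect, the computer can keep relying on revocation data that has passed its stated lifetime, so a certificate revoked in the meantime might still be accepted. Keep the value as small as your environment allows.</maml:para>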
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_Extend_Domain"><maml:title>Extending the validity period for CRL and OCSP responses for a domain</maml:title>
<maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To extend the validity period for CRL and OCSP responses for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the GPMC was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> GPO that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Revocation </maml:ui>tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, and then select the <maml:ui>Allow CRL and OCSP responses to be valid longer than their lifetime</maml:ui> check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
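<maml:para>In the <maml:ui>Default time the validity period can be extended</maml:ui> box, enter the length of time (in hours), and then click <maml:ui>OK</maml:ui> to apply the new settings. While the extension is in effect, a CRL or OCSP response that has passed its stated lifetime is still accepted, so a certificate that was revoked after that response was issued can continue to validate; keep the value as short as your availability needs allow.</maml:para>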
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificates</maml:title><maml:introduction>
<maml:para>The role of digital certificates is growing rapidly on individual computers and networks and across the Internet. Although certificates can be used with little or no user intervention, it can also be important to view and understand certificate contents, and to manage their use. You can accomplish these goals by using the Certificates snap-in.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>What is the Certificates Snap-in?</maml:linkText><maml:uri href="mshelp://windows/?id=355962c2-4f6b-4cbd-ab00-6e7ee4dddc16"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificates Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Manage Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=6f574ad3-c4e6-431c-b668-448e9111253b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshoot Certificate-Related Problems</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Resources for Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=64e30de7-088f-4e77-9a69-d2b940b1777f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Encrypting File System (EFS)</maml:title><maml:introduction>
<maml:para>Encrypting File System (EFS) is a core file encryption technology used to store encrypted files on NTFS file system volumes. Encrypted files cannot be used unless the user has access to the keys required to decrypt the information.</maml:para>

<maml:para>You do not have to manually decrypt an encrypted file before you can use it. You can open and change the file as you normally do. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other file or folder.</maml:para>

<maml:para>Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, unlike permissions, EFS also prevents an intruder who gains unauthorized physical access to your encrypted files or folders from reading them. If the intruder tries to open or copy your encrypted file or folder, he or she receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks.</maml:para>

<maml:para>You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. We recommend that you encrypt at the folder level.</maml:para>

<maml:para>You can also encrypt or decrypt a file or folder by using the Cipher command. </maml:para>

<maml:para>When you work with encrypted files and folders, consider the following information:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Only files and folders on NTFS volumes can be encrypted. However, you can use Web distributed authoring and versioning (WebDAV), which also works with NTFS, to transfer files in encrypted form.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Files or folders that are compressed cannot also be encrypted. If the user marks a file or folder for encryption, that file or folder will be uncompressed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Encrypted files are decrypted if you copy or move the file to a volume that is not an NTFS volume.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Moving unencrypted files into an encrypted folder will automatically cause those files to be encrypted in the new folder. However, the reverse operation will not automatically decrypt files. Files must be explicitly decrypted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Files marked with the System attribute cannot be encrypted, nor can files in the system root directory structure.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Encrypting a folder or file does not protect against the deletion or listing of files or directories. Anyone with the appropriate permissions can delete or list encrypted folders or files. For this reason, using EFS in combination with NTFS permissions is recommended.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption, but the data that is transmitted over the network by this process is not encrypted. Other protocols, such as Secure Sockets Layer/Transport Layer Security (SSL/TLS) or Internet Protocol security (IPsec), must be used to encrypt data while it is in transmission over the network. (You can also use WebDAV, as described in the first bullet point, to transmit the file in encrypted form.)</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>EFS policy settings</maml:title><maml:introduction>
<maml:para>You can use Group Policy to configure a number of EFS policy settings. These policy settings are located in <maml:ui>Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System</maml:ui>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Allow or disallow EFS</maml:title><maml:introduction>
<maml:para>You can choose to allow or disallow the use of EFS altogether. If you do not configure any policy settings for EFS, it is allowed.</maml:para>
<maml:para>If you choose to allow EFS, you can also select a number of options, such as whether to automatically encrypt a user's Documents folder, to require a smart card for use with EFS, to cache keys created based on a smart card, to create a caching-capable user key from a smart card, or to notify users to make backup copies of their encryption keys.</maml:para>
</maml:introduction></maml:section>
<maml:section><maml:title>Allow or disallow Elliptic Curve Cryptography encryption</maml:title><maml:introduction>
<maml:para>You can choose to allow or disallow the use of Elliptic Curve Cryptography (ECC) encryption with EFS. If you do not configure any policy settings for EFS, ECC encryption is allowed. ECC encryption enables organizations to be compliant with Suite B encryption standards.</maml:para>
<maml:para>Suite B is a set of cryptographic algorithms. Suite B's components are: Advanced Encryption Standard (AES) with key sizes of 128 and 256 bits for symmetric encryption, Elliptic Curve Digital Signature Algorithm (ECDSA) for digital signatures, Elliptic Curve Diffie-Hellman (ECDH) for key agreement, and Secure Hash Algorithm (SHA-256 and SHA-384) for message digest.</maml:para>
</maml:introduction></maml:section>

</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Request a Certificate</maml:title><maml:introduction>
<maml:para>You can use the Certificates snap-in to request certificates. You can request any type of certificate that has been preconfigured and made available by an administrator of the certification authority (CA) that will process the certificate request. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To request a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user or computer.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificates - Current User </maml:ui>or<maml:ui> Certificates (Local Computer)</maml:ui>. Select the <maml:ui>Personal </maml:ui>certificate store.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Request New Certificate</maml:ui> to start the Certificate Enrollment wizard. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the types of certificates that you want to request. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>You can click <maml:ui>Details</maml:ui> to review additional information about each certificate. </maml:para>

<maml:para>If a caution symbol appears below the certificate, you might need to provide additional information before requesting that type of certificate. Click the <maml:ui>More information is required to enroll for this certificate. Click here to configure</maml:ui> message and provide the requested information, such as a subject name or the location of a valid signing certificate.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To finish, click <maml:ui>Enroll</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>You can use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you need to request certificates by using Web pages. The Web page for a Windows-based CA is located at http://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the server hosting the CA.</maml:para>
</maml:listItem>



<maml:listItem>
<maml:para>If the requested certificate type requires approval before it is issued, you need to retrieve the completed certificate via Web pages. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In order to request a Digital Signature Standard (DSS) certificate from an enterprise CA, you must select the User Signature Only certificate template in the Certificate Request Wizard.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Subject Names</maml:linkText><maml:uri href="mshelp://windows/?id=4a9be825-e97d-4b0c-8b7b-a1f74a816619"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=31cae6ad-5e3b-4eee-923e-11683014c320"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Cryptographic Service Providers</maml:linkText><maml:uri href="mshelp://windows/?id=934bccbb-a2f1-44b0-b725-e410ab613f59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Guidelines for Using Alternate Signature Formats</maml:linkText><maml:uri href="mshelp://windows/?id=0cd73166-999e-4d69-8c99-41a510cc9c6d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Enrollment Policy Servers</maml:title><maml:introduction>
<maml:para>Certificate enrollment policy provides the locations of certification authorities (CAs) and the types of certificates that can be requested. Organizations that are using Active Directory Domain Services (AD DS) can use Group Policy to provide certificate enrollment policy to domain members by using the Group Policy Management Console to configure the certificate enrollment policy settings. The Certificates snap-in can be used to configure certificate enrollment policy settings for individual client computers unless the Group Policy setting is configured to disable user-configured enrollment policy.</maml:para>
<maml:para>Use the following procedures to configure certificate enrollment policy settings:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Manage Certificate Enrollment Policy by Using Group Policy</maml:linkText><maml:uri href="mshelp://windows/?id=d641377f-de00-4342-b15f-4879a3859ded"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Manage Certificate Enrollment Policy by Using the Certificates Snap-in</maml:linkText><maml:uri href="mshelp://windows/?id=18bc3367-d4b1-4309-b9ed-db68dcb817bb"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Certificate Revocation List Details</maml:title><maml:introduction>
<maml:para>Certificate revocation lists (CRLs) are used to distribute information about revoked certificates to individuals, computers, and applications attempting to verify the validity of certificates. </maml:para>

<maml:para>The <maml:ui>Revocation List </maml:ui>tab lists the serial numbers of certificates that have been revoked and the date they were revoked. The <maml:ui>Revocation entry</maml:ui> field may also provide information about the reason a certificate was revoked.</maml:para>

<maml:para>The <maml:ui>General</maml:ui> tab provides additional information about the CRL itself, including the CA that issued the CRL, when the CRL was issued, the date the next CRL will be issued, and the name of the CRL distribution point. </maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para><maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=ba0c1c06-47d1-4038-9189-294508e72c3b"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Resources for Certificates</maml:title><maml:introduction>
<maml:para>For more information about certificates, see Active Directory Certificate Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=143356</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=143356"></maml:uri></maml:navigationLink>).</maml:para>


</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Export a Certificate with the Private Key</maml:title><maml:introduction>
<maml:para>In some cases, you may want to export a certificate with its private key to store on removable media or to use on a different computer. There are some restrictions to this procedure:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para>A private key is exportable only when it is specified in the certificate request or certificate template that was used to create the certificate.</maml:para></maml:listItem>


<maml:listItem>
<maml:para>Strong protection (also known as <maml:replaceable>iteration count</maml:replaceable>) is enabled by default in the Certificate Export Wizard when you export a certificate with its associated private key. Strong protection is not compatible with some programs, so you should clear the <maml:ui>Enable strong protection</maml:ui> check box if you will use the private key with any program that does not support strong protection.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To export a certificate with the private key</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under the logical store that contains the certificate to export, click <maml:ui>Certificates</maml:ui>.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate that you want to export.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Export</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certificate Export Wizard, click <maml:ui>Yes, export the private key</maml:ui>. (This option will appear only if the private key is marked as exportable and you have access to the private key.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Export File Format</maml:ui>, do any of the following, and then click <maml:ui>Next</maml:ui>.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To include all certificates in the certification path, select the <maml:ui>Include all certificates in the certification path if possible</maml:ui> check box.</maml:para>
</maml:listItem>



<maml:listItem>
<maml:para>To delete the private key if the export is successful, select the <maml:ui>Delete the private key if the export is successful</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>To export the certificate's extended properties, select the <maml:ui>Export all extended properties</maml:ui> check box.</maml:para></maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
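<maml:para>In <maml:ui>Password</maml:ui>, type a password to encrypt the private key you are exporting. In <maml:ui>Confirm password</maml:ui>, type the same password again, and then click <maml:ui>Next</maml:ui>. Anyone who obtains the exported file and this password can use the private key, so choose a strong password and store the file securely.</maml:para>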
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>File name</maml:ui>, type a file name and path for the PKCS #12 file that will store the exported certificate and private key. Click <maml:ui>Next</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>After the Certificate Export Wizard is finished, the certificate will remain in the certificate store in addition to being in the newly created file. If you want to remove the certificate from the certificate store, you will need to delete it.</maml:para>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add the Certificates Snap-in to an MMC</maml:title><maml:introduction>
<maml:para>You can use the Certificates snap-in to manage certificates for a user, computer, or service account. To switch between managing certificates for your user account, a computer, or a service, you must add separate instances of the Certificates snap-in to the console. </maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>For a user account</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99#BKMK_user"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>For a computer account</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99#BKMK_computer"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>For a service</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99#BKMK_service"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_user"><maml:title></maml:title><maml:introduction>
<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic. </maml:para>

<maml:procedure><maml:title>To add the Certificates snap-in to an MMC for a user account</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:computerOutputInline>mmc</maml:computerOutputInline> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificates</maml:ui>, and then: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you are logged on as an administrator, click <maml:ui>My user account</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are logged on as a user, the Certificates snap-in automatically opens.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To save this console, on the <maml:ui>File</maml:ui> menu, click <maml:ui>Save</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_computer"><maml:title></maml:title><maml:introduction>
<maml:para>Local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic. </maml:para>

<maml:procedure><maml:title>To add the Certificates snap-in to an MMC for a computer account</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:computerOutputInline>mmc</maml:computerOutputInline> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select <maml:ui>Computer account</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To manage certificates for the local computer, click <maml:ui>Local computer</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To manage certificates for a remote computer, click <maml:ui>Another computer</maml:ui>, and then type the name of the computer, or click <maml:ui>Browse</maml:ui> to select the computer name, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To save this console, on the <maml:ui>File</maml:ui> menu, click <maml:ui>Save</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To manage certificates for another computer, you can either create another instance of the Certificates snap-in, or right-click <maml:ui>Certificates (Computer Name)</maml:ui>, and then click <maml:ui>Connect to Another Computer</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_service"><maml:title></maml:title><maml:introduction>
<maml:para>Local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic. </maml:para>

<maml:procedure><maml:title>To add the Certificates snap-in to an MMC for a service</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:computerOutputInline>mmc</maml:computerOutputInline> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, double-click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select <maml:ui>Service account</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To manage certificates for services on your local computer, click <maml:ui>Local computer</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To manage certificates for a service on a remote computer, click <maml:ui>Another computer</maml:ui>, and then type the name of the computer, or click <maml:ui>Browse</maml:ui> to select the computer name, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the service for which you are managing certificates.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Finish</maml:ui>, and then click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To save this console, on the <maml:ui>File</maml:ui> menu, click <maml:ui>Save</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To manage certificates for a service on another computer, you can either create another instance of the Certificates snap-in, or right-click <maml:ui>Certificates - Service (Service Name) on Computer Name</maml:ui>, and then click <maml:ui>Connect to Another Computer</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Certificate Properties</maml:title><maml:introduction>
<maml:para>The <maml:ui>Certificate Properties</maml:ui> dialog box displays certificate property values on four tabs.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Properties General Tab</maml:linkText><maml:uri href="mshelp://windows/?id=870fd126-5c68-4ecb-ab8a-a255370e9d9f"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Properties Cross-Certificates Tab</maml:linkText><maml:uri href="mshelp://windows/?id=532adf18-b09e-416b-a966-ca74ee11aa38"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Properties OCSP Tab</maml:linkText><maml:uri href="mshelp://windows/?id=0b14470f-97ed-43b5-8b3e-717ed832e2b3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Properties Extended Validation Tab</maml:linkText><maml:uri href="mshelp://windows/?id=1403e7d1-3200-41f2-8d69-be89f4f6f140"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Import a Certificate</maml:title><maml:introduction>
<maml:para>You should only import certificates obtained from trusted sources. Importing an unreliable certificate could compromise the security of any system component that uses the imported certificate.</maml:para>

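<maml:para>You can import a certificate into any logical or physical store. In most cases, you will import certificates into the Personal store or the Trusted Root Certification Authorities store, depending on whether the certificate is intended for you or is a root certification authority (CA) certificate. Take particular care with the Trusted Root Certification Authorities store, because a root CA certificate placed there becomes a trust anchor for the certificates that chain to it.</maml:para>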

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To import a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the logical store where you want to import the certificate.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Import</maml:ui> to start the Certificate Import Wizard.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type the file name containing the certificate to be imported. (You can also click <maml:ui>Browse</maml:ui> and navigate to the file.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If it is a PKCS #12 file, do the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Type the password used to encrypt the private key.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) If you want to be able to use strong private key protection, select the <maml:ui>Enable strong private key protection</maml:ui> check box.</maml:para>
</maml:listItem>

<maml:listItem>
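<maml:para>(Optional) If you want to back up or transport your keys at a later time, select the <maml:ui>Mark key as exportable</maml:ui> check box. Select it only when you need to, because a key marked as exportable can later be exported from the store together with its certificate.</maml:para>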
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the certificate should be automatically placed in a certificate store based on the type of certificate, click <maml:ui>Automatically select the certificate store based on the type of certificate</maml:ui>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you want to specify where the certificate is stored, select <maml:ui>Place all certificates in the following store</maml:ui>, click <maml:ui>Browse</maml:ui>, and choose the certificate store to use.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can be managed only by an administrator or by a user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enabling strong private key protection will ensure that you are prompted for a password every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge.</maml:para>
</maml:listItem>

<maml:listItem>
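<maml:para>The file from which you import certificates will remain intact after you have completed importing the certificates. You can use Windows Explorer to delete the file if it is no longer needed. A PKCS #12 file still contains the private key, protected only by its password, so delete the file or keep it in a protected location.</maml:para>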
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Request Certificates by Using the Certificate Request Wizard</maml:title><maml:introduction>
<maml:para>When you request certificates from a Windows-based enterprise certification authority (CA), you can use the Certificate Request Wizard located in the Certificates snap-in. This wizard guides you through the following steps:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Selecting the CA to which you will submit the request.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Selecting the appropriate certificate template to use for the new certificate. </maml:para>

<maml:para>Certificate templates are predefined configurations that provide common settings for the certificate request. Certificate templates describe the purpose for which the requested certificate is to be used. The list of certificate templates that is available to you is determined by the certificate types that the CA is configured to issue and whether you have been granted the access rights to the certificate template by the system administrator. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>(Optional) Using <maml:ui>Advanced Options</maml:ui> in the Certificate Request Wizard to select the cryptographic service provider (CSP) for the key pair associated with the certificate request. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>For instructions about opening and using the Certificate Request Wizard, see <maml:navigationLink><maml:linkText>Request a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=61e3ea01-7b38-4ba8-a201-40ce9ba33f2c"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>You can also use the Certificate Request Wizard to request a new certificate from an enterprise CA by using an existing key pair that is already associated with another certificate. </maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=61e3ea01-7b38-4ba8-a201-40ce9ba33f2c"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Create a Custom Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=8e6b017b-1658-4171-a18c-3d10fefed477"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Save a Certificate Request in a File</maml:linkText><maml:uri href="mshelp://windows/?id=3de3286a-efd8-4afc-8878-7a034355d90e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Sign Certificate Requests</maml:linkText><maml:uri href="mshelp://windows/?id=257877c3-707d-4681-8648-28dbc6d36cfb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Obtain a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Automate Certificate Management</maml:title><maml:introduction>
<maml:para>Managing certificates individually can be a laborious, if not impossible, task. Many organizations will manage certificates by using Group Policy settings configured on a server and applied to client computers in a domain, group, or organizational unit. The following options can be viewed on a client computer, although they are typically configured on a server.</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Credential Roaming</maml:linkText><maml:uri href="mshelp://windows/?id=23654ad1-27f9-4a60-9a8a-d99728764562"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Display Certificates by Certificate Purpose</maml:title><maml:introduction>
<maml:para>You can view and inspect certificates based on what they are intended to be used for, such as client authentication or key recovery, rather than on their logical roles.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To display certificates by certificate purpose</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificates - Current User</maml:ui>, <maml:ui>Certificates (Local Computer)</maml:ui>, or <maml:ui>Certificates - Service</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>View</maml:ui> menu, click <maml:ui>Options</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Organize view mode by</maml:ui>, click <maml:ui>Certificate purpose</maml:ui>, and then click <maml:ui>OK</maml:ui>. The <maml:ui>Intended Purposes</maml:ui> column heading will appear in the details pane.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can be managed only by an administrator or by a user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para> To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Display Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=2e9e43a1-5201-41c3-9cdc-4da37713d37a"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Certificates</maml:title><maml:introduction>
<maml:para>Certificates are typically issued to a particular computer, user, or service, for specific purposes, for specific durations, and often for specific recipients. As a result, at times you might need to obtain additional certificates, renew existing certificates, examine or modify the properties of a certificate, or move certificates. Although many of these tasks can be performed for a single user, computer, or service, other tasks are best performed automatically by an administrator from a server. The following sections describe common certificate management tasks and the procedure to complete them.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Obtain a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Renew a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4f9464fd-0968-4ce2-abc9-449008403225"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=ba0c1c06-47d1-4038-9189-294508e72c3b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Modify the Properties of a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=3c7f161a-96d9-4ed1-9050-5279bd6a0c49"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Delete a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=f6cda72d-99fb-4874-85ec-a2b4495493e8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Find Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=f6004c40-2b76-4231-895b-dbdc109989a2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>



<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Move Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=34bc986a-a55c-4d4d-a073-cfad924b1187"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Automate Certificate Management</maml:linkText><maml:uri href="mshelp://windows/?id=69631784-438c-435a-be35-5ee1e1353c4d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Network Retrieval and Path Validation</maml:title><maml:introduction>
<maml:para>To be effective, certificate-related data such as trusted root certificates, cross-certificates, and certificate revocation lists (CRLs) must be updated in a timely manner. Network retrieval and path validation settings allow administrators to:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Automatically update certificates in the Microsoft Root Certificate Program.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Configure retrieval timeout values for CRLs and path validation (larger default values may be useful if network conditions are not optimal).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Enable issuer certificate retrieval during path validation.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Define how frequently cross-certificates are downloaded.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>This topic includes procedures for the following tasks:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Increasing the retrieval timeout option for large CRLs for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=70588c7b-c9ba-425f-84e9-d4fe44f6e294#BKMK_CRL_Timeout_Local"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Increasing the retrieval timeout option for large CRLs for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=70588c7b-c9ba-425f-84e9-d4fe44f6e294#BKMK_CRL_Timeout_Domain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Managing CRL retrieval</maml:title><maml:introduction>
<maml:para>Obtaining timely certificate revocation data is an important element in secure certificate use. However, problems can arise if validation checking and retrieval of certificate revocation data and cross-certificates time out because more data is being transferred than originally anticipated.</maml:para>

<maml:para>Network retrieval options in public key Group Policy allow administrators to manage network retrieval timeout values.</maml:para>
</maml:introduction></maml:section><maml:section address="BKMK_CRL_Timeout_Local"><maml:title>Increasing the retrieval timeout option for large CRLs for a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To increase the retrieval timeout option for large CRLs for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpedit.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Local Computer Policy\Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Network Retrieval</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Default retrieval timeout settings</maml:ui>, enter a timeout value in the <maml:ui>Default URL retrieval timeout (in seconds)</maml:ui> box, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_CRL_Timeout_Domain"><maml:title>Increasing the retrieval timeout option for large CRLs for a domain</maml:title>
<maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To increase the retrieval timeout option for large CRLs for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the Group Policy Management Console (GPMC) was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Network Retrieval</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Default retrieval timeout settings</maml:ui>, enter a timeout value in the <maml:ui>Default URL retrieval timeout (in seconds)</maml:ui> box, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Enterprise Certification Authorities</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Enterprise certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure Multipurpose Internet Mail Extensions), authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), and logging on to a domain by using a smart card. </maml:para>

<maml:para>An enterprise CA has the following characteristics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Requires access to Active Directory Domain Services (AD DS).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Uses Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Publishes user certificates and certificate revocation lists (CRLs) to AD DS. In order to publish certificates to AD DS, the server that the CA is installed on must be a member of the Certificate Publishers group. This is automatic for the domain the server is in, but the server must be delegated the proper security permissions to publish certificates in other domains. </maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You must be a member of the <maml:phrase>Domain Admins</maml:phrase> group or be an administrator with Write access to AD DS to install an enterprise root CA.</maml:para>
</maml:alertSet>

<maml:para>An enterprise CA issues certificates based on a certificate template. The following functionality is possible when you use certificate templates:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Enterprise CAs enforce credential checks on users during certificate enrollment. Each certificate template has a security permission set in AD DS that determines whether the certificate requester is authorized to receive the type of certificate they have requested.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The certificate subject name can be generated automatically from the information in AD DS or supplied explicitly by the requester.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The policy module adds a predefined list of certificate extensions to the issued certificate. The extensions are defined by the certificate template. This reduces the amount of information a certificate requester has to provide about the certificate and its intended use.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Autoenrollment can be used to issue certificates. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Details Tab</maml:title><maml:introduction>

<maml:para>The <maml:ui>Details</maml:ui> tab provides the following information about the certificate:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Version</maml:ui>. The X.509 version number.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Serial number</maml:ui>. The unique serial number that the issuing certification authority (CA) assigns to the certificate. The serial number is unique for all certificates issued by a given CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Signature algorithm</maml:ui>. The hash algorithm that the CA uses to digitally sign the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Issuer</maml:ui>. Information regarding the CA that issued the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Valid from</maml:ui>. The beginning date for the period in which the certificate is valid.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Valid to</maml:ui>. The final date for the period in which the certificate is valid.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Subject</maml:ui>. The name of the individual, computer, device, or CA to whom the certificate is issued. If the issuing CA exists on a domain member server in your enterprise, this will be a distinguished name within the enterprise. Otherwise, this may be a full name and e-mail name or other personal identifier.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Public key</maml:ui>. The public key type and length associated with the certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Thumbprint algorithm</maml:ui>. The hash algorithm that generates a digest of data (or thumbprint) for digital signatures.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Thumbprint</maml:ui>. The digest (or thumbprint) of the certificate data.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Friendly name</maml:ui>. (Optional) A display name to use instead of the name in the Subject field.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Enhanced key usage</maml:ui>. (Optional) The purposes for which this certificate can be used.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>There are additional X.509 v3 extensions that can be used in a certificate. If they are present, they will be displayed.</maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Validity Periods</maml:linkText><maml:uri href="mshelp://windows/?id=bb23ebf2-6cd7-404c-908b-c30fce0dc8a6"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Hash Algorithms</maml:linkText><maml:uri href="mshelp://windows/?id=3f7ef00a-b1af-4d5e-af78-cd8df001bad8"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Cryptographic Service Providers</maml:linkText><maml:uri href="mshelp://windows/?id=934bccbb-a2f1-44b0-b725-e410ab613f59"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Guidelines for Using Alternate Signature Formats</maml:linkText><maml:uri href="mshelp://windows/?id=0cd73166-999e-4d69-8c99-41a510cc9c6d"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Troubleshoot Certificate-Related Problems</maml:title><maml:introduction>
<maml:para>This section lists a few common issues you may encounter when using the Certificates snap-in or working with certificates.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>What problem are you having?</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I cannot enroll for a new certificate by using the Certificate Request Wizard.</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1#BKMK_NO_ENRL_WZ"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I get a message indicating that I need to enroll for a new certificate, but the enrollment process fails.</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1#BKMK_ENRL_MSG"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I cannot enroll for a new certificate over the Web.</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1#BKMK_NO_ENRL_WB"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>I am no longer able to use my certificate.</maml:linkText><maml:uri href="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1#BKMK_BAD_CERT"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_NO_ENRL_WZ">
<maml:title>I cannot enroll for a new certificate by using the Certificate Request Wizard.</maml:title><maml:introduction>
<maml:para><maml:phrase>Cause:</maml:phrase> The type of certificate you are requesting is not available. </maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> Contact your administrator.</maml:para>
</maml:introduction></maml:section>

<maml:section address="BKMK_ENRL_MSG">
<maml:title>I get a message indicating that I need to enroll for a new certificate, but the enrollment process fails.</maml:title><maml:introduction>
<maml:para><maml:phrase>Cause:</maml:phrase> In order for clients to receive certificates, they need to be able to contact the certification authority (CA) that will process the request. </maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> If a CA is intended to be offline, the certificate request must be processed manually by copying it to removable media and physically carrying it to the CA for processing. Otherwise, wait until the CA is once again online and try again.</maml:para>

<maml:para><maml:phrase>Cause:</maml:phrase> If the CA is online but enrollment still fails, autoenrollment permissions might have been configured incorrectly.</maml:para>

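<maml:para><maml:phrase>Solution:</maml:phrase> An administrator must modify the access control list on the certificate template to grant Read, Enroll, and Autoenroll permissions to the intended recipients of the certificate. Grant these permissions only to the groups that need this type of certificate, because any account with Enroll permission on the template can request a certificate based on it. </maml:para>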
</maml:introduction></maml:section>

<maml:section address="BKMK_NO_ENRL_WB">
<maml:title>I cannot enroll for a new certificate over the Web.</maml:title><maml:introduction>
<maml:para><maml:phrase>Cause:</maml:phrase> The CA Web Enrollment pages on the server that you are attempting to contact need to be updated to process certificate requests from this version of Windows.</maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> Contact your administrator.</maml:para>



</maml:introduction></maml:section>

<maml:section address="BKMK_BAD_CERT">
<maml:title>I am no longer able to use my certificate.</maml:title><maml:introduction>
<maml:para><maml:phrase>Cause:</maml:phrase> The certificate has expired or is not valid for the intended purpose.</maml:para>

<maml:para><maml:phrase>Solution:</maml:phrase> View the certificate to determine its expiration date. If it has expired, use the Certificate Renewal Wizard to renew the certificate. If it has not expired, verify that the certificate is valid for your desired purpose. If it is not, request a new certificate for the desired purpose.</maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Resources for Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=64e30de7-088f-4e77-9a69-d2b940b1777f"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Properties General Tab</maml:title><maml:introduction>
<maml:para>The <maml:ui>General</maml:ui> tab can be used to provide a display name and description that can be used to differentiate between two certificates that are similar, such as two unique signing certificates. </maml:para>

<maml:para>You can also use the <maml:ui>General</maml:ui> tab to enable or disable specific purposes or uses for the certificate.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>You can only add purposes that are permitted under the guidelines and restrictions imposed when the certificate was first issued.</maml:para>
</maml:alertSet>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>View Certificate Properties</maml:linkText><maml:uri href="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create a Custom Certificate Request</maml:title><maml:introduction>


<maml:para>Administrators usually configure certificate templates in advance so that the templates can be used to request or enroll for certificates. Custom requests can be used to modify a certificate template to meet special requirements, or to create a new certificate not based on a template. They can also be used to save a certificate request to a file for processing at a different time or on a different computer.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To create a custom certificate request</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Personal</maml:ui>, and then click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, point to <maml:ui>Advanced Operations</maml:ui>, and then click <maml:ui>Create Custom Request</maml:ui> to start the Certificate Enrollment wizard. Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Custom request </maml:ui>page, in the <maml:ui>Templates</maml:ui> list, do one of the following:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If you know what kind of certificate you want and want to accept the default configuration options, select the appropriate certificate template.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you need a completely customized certificate, select <maml:ui>(No template) CNG key</maml:ui> or <maml:ui>(No template) Legacy key</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>CNG keys might not be compatible with all applications.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Each certificate template includes a standard set of extensions that can indicate additional subject identification information, or it can indicate key usage information, which specifies the tasks (such as signature or encryption) for which a key can be used. If you want to use only the custom extensions that you specify, select the <maml:ui>Suppress default extensions </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the file format you want to use for your certificate request:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>PKCS #10 </maml:ui>is a widely used format for certificate requests. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>CMC</maml:ui> can be used to prepare requests that will be submitted to a non-Microsoft certification authority.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Details</maml:ui> to view details of the certificate request. If you want to customize the request further, click <maml:ui>Properties</maml:ui> and fill in the desired options. When you are finished, click <maml:ui>OK</maml:ui> to close <maml:ui>Certificate Properties</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Enter a file name and path, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request Certificates by Using the Certificate Request Wizard</maml:linkText><maml:uri href="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Display Archived Certificates</maml:title><maml:introduction>
<maml:para>Archived certificates are certificates that have expired or have been renewed. In many cases, it is good practice to retain archived certificates instead of deleting them. For example, you might keep an archived certificate to verify digital signatures on old documents that were signed by using the key on the now-expired or renewed certificate. </maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To display archived certificates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>View</maml:ui> menu, click <maml:ui>Options</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Show the following</maml:ui>, select the <maml:ui>Archived certificates</maml:ui> check box, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click one of the certificate stores. In the details pane, archived certificates are identified with an <maml:ui>A</maml:ui> attribute in the <maml:ui>Status</maml:ui> column.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Cryptographic Service Providers</maml:title><maml:introduction>

</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:para>A cryptographic service provider (CSP) is the program that performs authentication, encoding, and encryption services that Windows-based applications access through the Microsoft Cryptography application programming interface (CryptoAPI). Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards.</maml:para>
<maml:para>When you generate a request for a new certificate, the information in that request is first sent from the requesting program to CryptoAPI. CryptoAPI provides the proper data to a CSP that is installed on your computer or on a device that is accessible to your computer. If the CSP is software-based, it generates a public key and a private key, often referred to as a key pair, on your computer. If the CSP is hardware-based, such as a smart card CSP, it instructs a piece of hardware to generate the key pair.</maml:para>

<maml:para>After the keys are generated, a software-based CSP encrypts and then secures the private key. A smart card CSP stores the private key on a smart card. The smart card then controls access to the key. </maml:para>

<maml:para>The public key is sent to the certification authority (CA), along with the certificate-requester information. After the CA verifies the certificate request according to its policies, it uses its own private key to create a digital signature in the certificate and then issues the certificate to the requester. The CA presents the certificate to the certificate requester along with the option to install it in the appropriate certificate store on the computer or hardware device.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Request a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=61e3ea01-7b38-4ba8-a201-40ce9ba33f2c"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Guidelines for Using Alternate Signature Formats</maml:linkText><maml:uri href="mshelp://windows/?id=0cd73166-999e-4d69-8c99-41a510cc9c6d"></maml:uri></maml:navigationLink>.</maml:para>


</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Certificate Information</maml:title><maml:introduction>
<maml:para>Double-click a certificate to view its properties and intended uses. This information is displayed on three tabs: <maml:ui>General</maml:ui>, <maml:ui>Details</maml:ui>, and <maml:ui>Certification Path</maml:ui>.</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>General Tab</maml:linkText><maml:uri href="mshelp://windows/?id=0e5718dd-4e97-4618-8b06-8b6ff5a264d1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Details Tab</maml:linkText><maml:uri href="mshelp://windows/?id=74f6e625-e656-41ff-af86-96eb2950c4c7"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certification Path Tab</maml:linkText><maml:uri href="mshelp://windows/?id=47f4da34-b4e8-45b3-80be-89521b08ec7c"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Using Certificates</maml:title><maml:introduction>
<maml:para>Certificates can be used for:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Authentication, which verifies the identity of someone or something.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Privacy, which ensures that information is only available to the intended audience.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Encryption, which disguises information so that unauthorized readers are unable to decipher it.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Digital signatures, which provide nonrepudiation and message integrity. </maml:para>
</maml:listItem>
</maml:list>

<maml:para>These services can be important to the security of your communications. In addition, many applications use certificates, such as e-mail applications and Web browsers.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Authentication</maml:title><maml:introduction>
<maml:para>Authentication is crucial in making communication more secure. Users must be able to prove their identity to those with whom they communicate and must be able to verify the identity of others. Authentication of identity on a network is complex because the communicating parties do not physically meet as they communicate. This can allow an unethical person to intercept messages or to impersonate another person or entity.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Privacy</maml:title><maml:introduction>
<maml:para>Whenever sensitive information is transmitted between computing devices on any type of network, users should generally use some sort of encryption to keep their data private.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Encryption</maml:title><maml:introduction>
<maml:para>Encryption can be thought of as locking something valuable into a strong box with a key. Conversely, decryption can be compared to opening the box and retrieving the valuable item. On computers, sensitive data in the form of e-mail messages, files on a disk, and files being transmitted across the network can be encrypted using a key. Encrypted data and the key used to encrypt data are both unintelligible.</maml:para>

<maml:para>For more information about encryption and certificates, see <maml:navigationLink><maml:linkText>Resources for Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=64e30de7-088f-4e77-9a69-d2b940b1777f"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Digital signatures</maml:title><maml:introduction>
<maml:para>A digital signature is a way to ensure the integrity and origin of data. A digital signature provides strong evidence that the data has not been altered since it was signed and it confirms the identity of the person or entity who signed the data. This enables the important security features of integrity and nonrepudiation, which are essential for secure electronic commerce transactions. </maml:para>

<maml:para>Digital signatures are typically used when data is distributed in plaintext, or unencrypted form. In these cases, while the sensitivity of the message itself might not warrant encryption, there could be a compelling reason to ensure that the data is in its original form and has not been sent by an impostor because, in a distributed computing environment, plaintext can conceivably be read or altered by anyone on the network with the proper access, whether authorized or not.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificates Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Enrollment Web Service Overview</maml:title><maml:introduction><maml:para>The Certificate Enrollment Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to perform certificate enrollment by using the HTTPS protocol. Together with the Certificate Enrollment Policy Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.</maml:para>
<maml:para>The Certificate Enrollment Web Service uses the HTTPS protocol to accept certificate requests from and return issued certificates to network client computers. The Certificate Enrollment Web Service uses the DCOM protocol to connect to the certification authority (CA) and complete certificate enrollment on behalf of the requester. In previous versions of AD CS, policy-based certificate enrollment can be completed only by domain member client computers that are using the DCOM protocol. This limits certificate issuance to the trust boundaries established by Active Directory domains and forests.</maml:para>
<maml:para>Certificate enrollment over HTTPS enables the following new deployment scenarios:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Certificate enrollment across forest boundaries to reduce the number of CAs in an enterprise.</maml:para></maml:listItem>
<maml:listItem><maml:para>Extranet deployment to issue certificates to mobile workers and business partners.</maml:para></maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>EFS Certificates</maml:title><maml:introduction><maml:para>Encrypting File System (EFS) encryption is based on the key pairs associated with certificates. In most managed environments, certificates are issued by a certification authority (CA) running in the domain. Users can automatically be issued a certificate by the CA without manual intervention. The EFS certificates settings include a list of certificate templates available in the domain so that you can specify which certificate template to use for autoenrollment.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>The list includes all certificate templates present in the domain. An administrator must correctly configure the CA so that the certificates can be issued. Some displayed certificates might not be accessible.</maml:para></maml:alertSet><maml:para>In cases where a certificate cannot be issued by a CA, EFS can use a self-signed certificate created on the local computer. You can choose to disable this functionality or specify a default key length.</maml:para></maml:introduction><maml:content><maml:sections><maml:section><maml:title>EFS templates</maml:title><maml:introduction><maml:para>This identifies the name of the certificate template used to request an EFS certificate from a CA. The Basic EFS template is used by default. If you have created custom EFS templates for use in your organization, click <maml:ui>Browse</maml:ui> to locate and assign the template for use.</maml:para></maml:introduction><maml:sections><maml:section><maml:title>Self-signed certificates</maml:title><maml:introduction><maml:para>The default setting allows EFS to generate self-signed certificates when a CA is not available. 
Some organizations do not allow self-signed certificates to be used because of concerns about information security risks. If you disable this setting, a user must have been granted a certificate from a trusted CA before being able to use EFS.</maml:para><maml:para>If you allow the use of self-signed certificates, you can specify the encryption key length used when encrypting files and folders. By default, EFS uses the 2,048-bit key size for self-signed RSA certificates and the 256-bit key for elliptic curve cryptography (ECC) certificates (such as those required for Suite B compliance). The following RSA and ECC keys are available:</maml:para><maml:list class="unordered"><maml:listItem><maml:para>1,024-bit RSA</maml:para></maml:listItem><maml:listItem><maml:para>2,048-bit RSA</maml:para></maml:listItem><maml:listItem><maml:para>4,096-bit RSA</maml:para></maml:listItem><maml:listItem><maml:para>8,192-bit RSA</maml:para></maml:listItem><maml:listItem><maml:para>16,384-bit RSA</maml:para></maml:listItem><maml:listItem><maml:para>256-bit ECC</maml:para></maml:listItem><maml:listItem><maml:para>384-bit ECC</maml:para></maml:listItem><maml:listItem><maml:para>521-bit ECC</maml:para></maml:listItem></maml:list><maml:para>Longer key sizes increase security but might cause encryption to be slower. The 1,024-bit RSA option is below the 2,048-bit minimum in current guidance such as NIST SP 800-131A, so select 2,048-bit RSA or larger, or an ECC key, unless compatibility with older systems requires otherwise.</maml:para></maml:introduction></maml:section></maml:sections></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Export a Certificate</maml:title><maml:introduction>
<maml:para>You can export a certificate in order to import a copy on a different computer or device or to store a copy in a secure location.</maml:para>

<maml:para>If you are exporting certificates for import onto a computer running Windows, PKCS #7 format is the preferred export format. This format preserves the chain of certification authorities (CAs), or the certification path, of any certificate that includes countersignatures associated with signatures.</maml:para>

<maml:para>If you are exporting certificates for import onto a computer running another operating system, it is possible that the PKCS #7 format is supported. If it is not supported, the DER-encoded binary format or the Base64-encoded format is provided for interoperability.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To export a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under the logical store that contains the certificate to export, click <maml:ui>Certificates</maml:ui>.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate that you want to export.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Export</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the Certificate Export Wizard, click <maml:ui>No, do not export the private key</maml:ui>. (This option will appear only if the private key is marked as exportable and you have access to the private key.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the following information in the Certificate Export Wizard: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
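<maml:para>If required, in <maml:ui>Password</maml:ui>, type a password to encrypt the private key you are exporting. In <maml:ui>Confirm password</maml:ui>, type the same password again, and then click <maml:ui>Next</maml:ui>. A password is needed only when a private key is being exported; if you chose not to export the private key earlier in this procedure, this step does not apply.</maml:para>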
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
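<maml:para>In <maml:ui>File name</maml:ui>, type a file name and path for the file (DER-encoded, Base64-encoded, or PKCS #7, as selected earlier) that will store the exported certificate. Because the private key was not selected for export in this procedure, the file does not contain the private key. Click <maml:ui>Next</maml:ui>, and then click <maml:ui>Finish</maml:ui>.</maml:para>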
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>After the Certificate Export Wizard is finished, the certificate will remain in the certificate store in addition to being in the new file. If you want to remove the certificate from the certificate store, you must delete it.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View the Certificates in a PKCS #7 file</maml:title><maml:introduction>
<maml:para>If multiple certificates are exported and saved as PKCS #7 files, or if some time has passed since the file was created, it may not be obvious what certificates a PKCS #7 file contains. The following procedure allows you to inspect the certificates contained in a PKCS #7 file.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To view the certificates in a PKCS #7 file</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Windows Explorer. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Locate the PKCS #7 file that contains the certificates you want to view. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, double-click the PKCS #7 file. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click the folder containing the PKCS #7 file, and then click <maml:ui>Certificates</maml:ui>. The certificates contained in the PKCS #7 file are displayed in the details pane.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>A PKCS #7 file typically has a .p7b file name extension, but this is not always the case. As with any other data file, the creator of the file has control over the name and whether or not the .p7b extension is used.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Enrollment Policy Web Service Overview</maml:title><maml:introduction><maml:para>The Certificate Enrollment Policy Web Service is an Active Directory Certificate Services (AD CS) role service that enables users and computers to obtain certificate enrollment policy information. Together with the Certificate Enrollment Web Service, this enables policy-based certificate enrollment when the client computer is not a member of a domain or when a domain member is not connected to the domain.</maml:para>
<maml:para>The Certificate Enrollment Policy Web Service uses the HTTPS protocol to communicate certificate policy information to network client computers. The Web service uses the LDAP protocol to retrieve certificate policy from Active Directory Domain Services (AD DS) and caches the policy information to service client requests. In previous versions of AD CS, certificate policy information could be accessed only by domain client computers that were using the LDAP protocol. This limited policy-based certificate issuance to the trust boundaries established by AD DS forests.</maml:para>
<maml:para>Publishing enrollment policy over HTTPS enables the following new deployment scenarios:</maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Certificate enrollment across forest boundaries to reduce the number of certification authorities (CAs) in an enterprise.</maml:para></maml:listItem>
<maml:listItem><maml:para>Extranet deployment to issue certificates to mobile workers and business partners.</maml:para></maml:listItem>
</maml:list>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Certificates</maml:title><maml:introduction>
<maml:para>Certificates can be issued and used for many purposes. It can be useful to examine certificate stores, certificate information and properties, and information about archived and revoked certificates. </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=2e9e43a1-5201-41c3-9cdc-4da37713d37a"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View Certificate Information</maml:linkText><maml:uri href="mshelp://windows/?id=93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View Certificate Properties</maml:linkText><maml:uri href="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View the Certificates in a PKCS #7 file</maml:linkText><maml:uri href="mshelp://windows/?id=b776e5d1-307b-42f2-b2d1-c6dce2a49c9b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Archived Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=92ad94a0-3eeb-4916-8fbe-05b803affa3e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>View Certificate Revocation List Details</maml:linkText><maml:uri href="mshelp://windows/?id=645cc20c-215c-4a8e-b624-40c8cbb3e1b5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificates Overview</maml:title><maml:introduction>
<maml:para>A public key certificate, usually just called a certificate, is a digitally signed statement that binds the value of a public key to the identity of the person, device, or service that holds the corresponding private key. One of the main benefits of certificates is that hosts no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certificate issuer.</maml:para>

<maml:para>Most certificates in common use are based on the X.509 v3 certificate standard. </maml:para>

<maml:para>Typically, certificates contain the following information:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>The subject's public key value.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The subject's identifier information, such as the name and e-mail address.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The validity period (the length of time that the certificate is considered valid).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Issuer identifier information.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The digital signature of the issuer, which attests to the validity of the binding between the subject's public key and the subject's identifier information.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>A certificate is valid only for the period of time specified within it; every certificate contains <maml:ui>Valid From</maml:ui> and <maml:ui>Valid To</maml:ui> dates, which set the boundaries of the validity period. Once a certificate's validity period has passed, a new certificate must be requested by the subject of the now-expired certificate. </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Using Certificates</maml:linkText><maml:uri href="mshelp://windows/?id=953d9851-ad11-46ac-82ad-769405c4a6ef"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Public and Private Keys</maml:linkText><maml:uri href="mshelp://windows/?id=e944f472-806b-4e58-b162-d18acff72884"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate File Formats</maml:linkText><maml:uri href="mshelp://windows/?id=1fd54ffb-ab16-4d6e-aeb0-a973532c8e43"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Types of Certification Authorities</maml:title><maml:introduction>
<maml:para>A certification authority (CA) accepts a certificate request, verifies the requester's information according to the policy of the CA, and then uses its private key to apply its digital signature to the certificate. The CA then issues the certificate to the subject of the certificate for use as a security credential within a public key infrastructure (PKI). A CA is also responsible for revoking certificates and publishing a certificate revocation list (CRL).</maml:para>

<maml:para>A CA can be an outside entity, such as VeriSign, or it can be a CA that you create for use by your organization by installing Active Directory Certificate Services (AD CS). Each CA can have distinct proof-of-identity requirements for certificate requesters, such as a domain account, employee badge, driver's license, notarized request, or physical address. Identification checks such as these often warrant an onsite CA, so that organizations can validate their own employees or members.</maml:para>

<maml:para>Microsoft enterprise CAs use a person's user account credentials as proof of identity. In other words, if you are logged on to a domain and request a certificate from an enterprise CA, the CA can authenticate your identity based on your account in Active Directory Domain Services (AD DS).</maml:para>

<maml:para>Every CA also has a certificate to confirm its own identity, issued by another trusted CA or, in the case of root CAs, issued by itself. It is important to remember that anyone can create a CA. Therefore, a user or administrator must decide whether to trust that CA and, by extension, the policies and procedures that the CA has in place for confirming the identity of the entities that are issued certificates by that CA.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Root and subordinate CAs</maml:title><maml:introduction>
<maml:para>A root CA is meant to be the most trusted type of CA in an organization's PKI. If the root CA is compromised or issues a certificate to an unauthorized entity, then any certificate-based security in your organization becomes vulnerable. Therefore, both the physical security and the certificate issuance policy of a root CA are normally more rigorous than those for subordinate CAs. While root CAs can be used to issue certificates to end users for such tasks as sending secure e-mail, in most organizations they will only be used to issue certificates to other CAs, called subordinate CAs.</maml:para>

<maml:para>A subordinate CA is a CA that has been issued a certificate by another CA in your organization. Typically, a subordinate CA will issue certificates for specific uses, such as secure e-mail, Web-based authentication, or smart card authentication. Subordinate CAs can also issue certificates to other CAs that are more subordinate. Together, a root CA, the subordinate CAs that have been certified by the root, and subordinate CAs that have been certified by other subordinate CAs form a certification hierarchy.</maml:para>

<maml:para>For more information about certification hierarchies, see <maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Enterprise and stand-alone CAs</maml:title><maml:introduction>
<maml:para>This version of AD CS supports the installation of stand-alone CAs and enterprise CAs. For information about the operational characteristics of enterprise CAs and stand-alone CAs, see <maml:navigationLink><maml:linkText>Enterprise Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=70e5d64c-91ce-4355-a9c9-115fe0866911"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Stand-Alone Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=f4d0ff2c-e17f-4cf6-997b-413d844d71d0"></maml:uri></maml:navigationLink>. </maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Active Directory Certificate Services Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Validity Periods</maml:title><maml:introduction>
<maml:para>The Certificates snap-in enables you to renew a certificate issued from a Windows-based enterprise certification authority (CA) before or after the end of its validity period by using the Certificate Renewal Wizard.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>About certificate validity</maml:title><maml:introduction>
<maml:para>Every certificate has a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential. </maml:para>

<maml:para>You can renew the certificate either with the same key set that you used before or with a new key set.</maml:para>

<maml:para>Before you renew a certificate, you must know the issuing CA. Optionally, if you want a new public key and private key pair for the certificate, you must know the cryptographic service provider (CSP) that should be used to generate the key pair.</maml:para>

<maml:para>For more information, see <maml:navigationLink><maml:linkText>Renew a Certificate with a New Key</maml:linkText><maml:uri href="mshelp://windows/?id=23855705-69c5-4d71-90f5-8f6718df840c"></maml:uri></maml:navigationLink> and <maml:navigationLink><maml:linkText>Renew a Certificate with the Same Key</maml:linkText><maml:uri href="mshelp://windows/?id=3eefd65f-6591-4062-8759-4fd208e9b9d1"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>In addition, you can renew certificates issued from both enterprise CAs and stand-alone CAs with the CA Web enrollment pages by pasting the contents of a PKCS #7 file. For more information, see <maml:navigationLink><maml:linkText>Request a Certificate by Using a PKCS #10 or PKCS #7 File</maml:linkText><maml:uri href="mshelp://windows/?id=13391cab-ada5-43f8-9f5d-b61e0abdc66d"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Key Caching in Encrypting File System</maml:title><maml:introduction>
<maml:para>To optimize performance, Encrypting File System (EFS) will cache keys used in the encryption or decryption process. You can control when these cached items are removed from memory.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Key caching</maml:title><maml:introduction>
<maml:para>Windows optimizes the caching of user keys on a server that is being used for remote server encryption. By default, the server will cache up to 15 user key handles in memory to increase encryption performance on the server. However, the default can be changed by an administrator by editing the following registry value: </maml:para>

<maml:para><maml:phrase>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\UserCacheSize DWORD </maml:phrase></maml:para>

<maml:para>The acceptable values are between 5 and 30 for this registry value. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The private keys themselves are not held in the cache; each cache entry holds only a handle to the CryptoAPI key container. </maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>Changing key caching properties</maml:title><maml:introduction>
<maml:para>You can change the performance of key caching by selecting options on the <maml:ui>Cache </maml:ui>tab of the <maml:ui>Encrypting File System Properties</maml:ui> page in Group Policy or the local computer policy. </maml:para>

<maml:para>For example, you can configure an automatic timeout value, and specify that the cache should be cleared when the user locks the workstation. The cache is also cleared when the user logs off or the computer is restarted.</maml:para>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Certificate Trust List Details</maml:title><maml:introduction>
<maml:para>A certificate trust list (CTL) enables you to limit the purpose and the validity period for which a certificate is trusted, even when it may have been issued for multiple purposes.</maml:para>

<maml:para>Typically, a CA can issue certificates for a wide variety of purposes, such as secure e-mail or client authentication. There might be situations in which you want to limit the trust of certificates that are issued by a particular CA, especially if the CA is outside your organization. In these situations, creating a CTL and distributing it by using Group Policy can be useful. </maml:para>

<maml:para>The <maml:ui>Trust List</maml:ui> tab lists the certificates contained within the CTL and significant values associated with each certificate.</maml:para>

<maml:para>The <maml:ui>General </maml:ui>tab contains information about the CTL itself, including the version number, effective date, algorithms, and subject usage. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Autoenroll for a Certificate from the Certificates Snap-in</maml:title><maml:introduction>
<maml:para>Many organizations will use Group Policy to automatically enroll users, computers, or services for certificates. With automatic enrollment, a user might see a reminder with a prompt to complete the enrollment. However, there might also be times when a user or administrator wants to verify that all pending automatic enrollment requests are processed. The following procedure describes how to complete this task.</maml:para>

<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To autoenroll for a certificate by using the Certificates snap-in</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user or computer.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificates - Current User </maml:ui>or<maml:ui> Certificates (Local Computer)</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, point to <maml:ui>All Tasks</maml:ui>, and then click <maml:ui>Automatically Enroll Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Next</maml:ui>. Select the certificates that you want to obtain, and then click <maml:ui>Enroll</maml:ui>. When the enrollment process is complete, click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Obtain a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>View Security Catalog Details</maml:title><maml:introduction>
<maml:para>A security catalog is a signed container that holds hashes of other files and additional details of the catalog file including the catalog file version, digital signature, and effective date.</maml:para>

<maml:para>The <maml:ui>Security Catalog</maml:ui> tab lists the files contained within the catalog and significant values associated with each file.</maml:para>

<maml:para>The <maml:ui>General </maml:ui>tab contains information about the security catalog itself, including the version number, effective date, algorithms, and subject usage. </maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Learn More About Certificate Stores</maml:title><maml:introduction>
<maml:para>Windows stores a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location is called the certificate store. A certificate store often has numerous certificates, possibly issued from a number of different certification authorities.</maml:para>

<maml:para>You can view certificates based on their purpose (such as <maml:ui>Client Authentication</maml:ui> and <maml:ui>Code Signing</maml:ui>) or based on logical roles (such as <maml:ui>Personal</maml:ui>, <maml:ui>Trusted</maml:ui> <maml:ui>Publishers</maml:ui>, and <maml:ui>Trusted Root Certification Authorities</maml:ui>). </maml:para>

<maml:para>In addition, you can use certificate store options to view archived certificates and the storage structure of the certificate stores.</maml:para>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Certificates by Logical Certificate Stores</maml:linkText><maml:uri href="mshelp://windows/?id=25789028-bfc8-48f5-9432-82e74ea48d59"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Display Certificates by Certificate Purpose</maml:linkText><maml:uri href="mshelp://windows/?id=6b8b6b13-b4be-4a40-a696-352b40953286"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Certificate Enrollment Policy by Using Group Policy</maml:title><maml:introduction>
<maml:para>This topic describes the procedures and applications used to configure the certificate enrollment policy settings.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Configuring certificate enrollment policy settings by using Group Policy</maml:title><maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To configure certificate enrollment policy settings in Group Policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpmc.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and press ENTER.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree, expand the forest and domain that contain the policy that you want to edit, and click <maml:ui>Group Policy Objects</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Right-click the policy that you want to edit, and then click <maml:ui>Edit</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the console tree under <maml:ui>Computer Configuration\Policies\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Double-click <maml:ui>Certificate Services Client – Certificate Enrollment Policy</maml:ui>.  For more information about the settings in this dialog box, see the "Certificate Services Client – Certificate Enrollment Policy Properties dialog box" table later in this topic.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui> to open the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box. 
For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server dialog box" table later in this topic.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Do one of the following:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para>To add the enrollment policy provided by Active Directory Domain Services (AD DS), select the <maml:ui>Use default Active Directory domain controller URI</maml:ui> check box.</maml:para></maml:listItem>
<maml:listItem><maml:para>In the <maml:ui>Enter enrollment policy server URI</maml:ui> box, type a certificate enrollment policy server URI.</maml:para></maml:listItem></maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>In the <maml:ui>Authentication type</maml:ui> list, select the authentication type required by the enrollment policy server.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Validate</maml:ui>, and review the messages in the <maml:ui>Certificate enrollment policy server properties</maml:ui> area. The <maml:ui>Add</maml:ui> button is available only when the enrollment policy server URI and authentication type are valid.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Add</maml:ui>.</maml:para></maml:section></maml:sections></maml:step></maml:procedure>

<maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>If the added enrollment policy server supports an enrollment policy that is already displayed in <maml:ui>Certificate enrollment policy list</maml:ui>, then the added server will not be displayed separately. Click <maml:ui>Properties</maml:ui> to verify that the added enrollment policy server is displayed in the <maml:ui>Enrollment policy servers</maml:ui> list. For more information about the settings in this dialog box, see the "Certificate Enrollment Policy Server Properties dialog box" table later in this topic.</maml:para></maml:alertSet>
</maml:introduction>
</maml:section><maml:section><maml:title>User interface reference</maml:title><maml:introduction>
<maml:para>The following tables describe the settings available in the <maml:ui>Certificate Services Client – Certificate Enrollment Policy Properties</maml:ui> dialog box, the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box, and the <maml:ui>Certificate Enrollment Policy Server Properties</maml:ui> dialog box.<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:table><maml:title>Certificate Services Client – Certificate Enrollment Policy Properties dialog box</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Configuration Model</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies whether the policy setting is enabled in Group Policy.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Certificate enrollment policy list</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Displays the list of enrollment policies that are included in the policy setting. One of the displayed policies must be specified as the default policy by selecting the <maml:ui>Default</maml:ui> check box.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Add</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Opens the <maml:ui>Certificate Enrollment Policy Server</maml:ui> dialog box, which is used to add an enrollment policy server.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Remove</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Removes the selected enrollment policy and all associated enrollment policy servers from the list.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Properties</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Opens the <maml:ui>Certificate Enrollment Policy Server Properties</maml:ui> dialog box, which displays the policy details and list of enrollment policy servers for the selected enrollment policy.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Disable user configured enrollment policy</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Disables the enrollment policy configured by users and applications. Only an enrollment policy configured in Group Policy is used.</maml:para></maml:entry></maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:table><maml:title>Certificate Enrollment Policy Server dialog box</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Use default Active Directory domain controller URI</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies the default enrollment policy server LDAP URI and the <maml:ui>Windows integrated</maml:ui> authentication type.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Configure Friendly Name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>This button is available only when <maml:ui>Use default Active Directory domain controller URI</maml:ui> is selected.</maml:para><maml:para>Used to configure a name for the enrollment policy that is displayed instead of the default policy name or enrollment policy identifier. The specified name is seen by users in the Certificate Enrollment wizard and other applications.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>If more than one enrollment policy server supports the same enrollment policy, then each server should be configured to use the same enrollment policy friendly name. In enrollment policy Web services, the friendly name value is an application setting that is configured by using Server Manager. If the friendly name setting is already configured in each enrollment policy Web service, then add the enrollment policy Web service URIs before adding the domain controller LDAP URI. This will ensure that the friendly name values are the same.</maml:para></maml:alertSet></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Enter enrollment policy server URI</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies the URI of the Certificate Enrollment Policy Web Service. The URI must use HTTPS.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Authentication type</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies the type of authentication that is used to connect to the specified URI. The specified authentication type must match the authentication type that is required by the Certificate Enrollment Policy Web Service.</maml:para><maml:para>The following authentication types are available:</maml:para><maml:list class="unordered"><maml:listItem><maml:para><maml:ui>Anonymous</maml:ui>. No credentials are provided when connecting to the certificate enrollment policy server.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Windows integrated</maml:ui>. Windows integrated authentication uses the Kerberos protocol and is appropriate for AD DS domain members.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>Username/password</maml:ui>. During certificate enrollment, users will be prompted to enter a user name and password.</maml:para></maml:listItem>
<maml:listItem><maml:para><maml:ui>X.509 Certificate</maml:ui>. During certificate enrollment, users will be prompted to select a certificate for authentication.</maml:para></maml:listItem></maml:list></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Validate</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Connects to the specified URI by using the specified authentication type to verify the following details:</maml:para><maml:list class="unordered"><maml:listItem><maml:para>An SSL connection to the enrollment policy server exists.</maml:para></maml:listItem><maml:listItem><maml:para>A valid enrollment policy is returned by the enrollment policy server.</maml:para></maml:listItem><maml:listItem><maml:para>The enrollment policy is not already included in the Group Policy setting.</maml:para></maml:listItem></maml:list><maml:para>Validation is required for an enrollment policy server URI before it can be added. If the specified URI and authentication type are valid, the enrollment policy identifier and friendly name are displayed. Warning or error messages are displayed if there is a problem with validation.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Add</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Adds the enrollment policy server URI and validated enrollment policy to the Group Policy setting. The <maml:ui>Add</maml:ui> button is available only after the enrollment policy server URI and authentication type are validated.</maml:para></maml:entry></maml:row></maml:table>

<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>

<maml:table><maml:title>Certificate Enrollment Policy Server Properties dialog box</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>Enrollment policy servers list</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Displays the list of enrollment policy servers that support the enrollment policy.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Remove</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Removes the selected enrollment policy server. If all enrollment policy servers are removed, the enrollment policy will also be removed.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Enable for automatic enrollment and renewal</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies that the enrollment policy is used for autoenrollment when autoenrollment is enabled.</maml:para><maml:para>On computers running Windows 7 that are not members of a domain, autoenrollment is enabled by default. On computers that are members of a domain, autoenrollment must be enabled in Group Policy. See Managing Certificate Enrollment (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143282</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143282"></maml:uri></maml:navigationLink>) for autoenrollment configuration procedures.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Require strong validation during enrollment</maml:ui></maml:para></maml:entry><maml:entry><maml:para>Specifies that enrollment clients require validation of the issuing CA's certification path during enrollment.</maml:para></maml:entry></maml:row></maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Servers</maml:linkText><maml:uri href="mshelp://windows/?id=64541c74-8112-4496-9721-1ddabcae5f4b"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Manage Certificate Enrollment Policy by Using the Certificates Snap-in</maml:linkText><maml:uri href="mshelp://windows/?id=18bc3367-d4b1-4309-b9ed-db68dcb817bb"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para>Managing Certificate Enrollment (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=143282</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=143282"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem></maml:list>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>CA Certificates</maml:title><maml:introduction>
<maml:para>Certification authority (CA) certificates are certificates that are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. </maml:para>

<maml:para>A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy. </maml:para>

<maml:para>Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf. </maml:para>

<maml:para>CA certificates can also be used to establish trust relationships between CAs in two different public key infrastructure (PKI) hierarchies.</maml:para>

<maml:para>In all of these cases, the CA certificate is critical to defining the certificate path and usage restrictions for all end-entity certificates issued for use in the PKI.</maml:para>

<maml:para>The appropriate configuration of CA certificates for the organization's needs is one of the most powerful tools that an organization has to implement appropriate PKI security. CA certificates contain special configuration data that regulate the CAs to which they are issued. These configuration options can:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Define the organizational namespace in which certificates issued by the subordinate CA can be issued and trusted.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Specify the acceptable uses of certificates issued by the subordinate CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Define the issuance guidelines that must be followed in order for a certificate issued by the subordinate CA to be considered valid.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Create a managed trust between separate certification hierarchies.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Trusted Root Certificates</maml:title><maml:introduction>
<maml:para>Because of the growing variety of certificates in use today and the growing number of certificate issuers, some organizations may want to manage certificate trust and prevent users in the domain from configuring their own set of trusted root certificates. In addition, some organizations may want to identify and distribute specific trusted root certificates to enable business scenarios where additional trust relationships are needed.</maml:para>
<maml:para>This topic includes procedures for the following tasks:</maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Managing trusted root certificates for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e#BKMK_managelocal"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Managing trusted root certificates for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e#BKMK_managedomain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Adding certificates to the Trusted Root Certification Authorities store for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e#BKMK_addlocal"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Adding certificates to the Trusted Root Certification Authorities store for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e#BKMK_adddomain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections><maml:section address="BKMK_managelocal"><maml:title>Managing trusted root certificates for a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To manage trusted root certificates for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Start Search</maml:ui>, type <maml:userInput>mmc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, click <maml:ui>Local Group Policy Object Editor</maml:ui>, click <maml:ui>Add</maml:ui>, select the computer whose local Group Policy object (GPO) you want to edit, and then click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, go to <maml:ui>Local Computer Policy</maml:ui>, <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Stores</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Per user certificate stores</maml:ui>, clear the <maml:ui>Allow user trusted root CAs to be used to validate certificates</maml:ui> and <maml:ui>Allow users to trust peer trust certificates</maml:ui> check boxes.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Root certificate stores</maml:ui>, select the root CAs that the client computers can trust, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section address="BKMK_managedomain"><maml:title>Managing trusted root certificates for a domain</maml:title>
<maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To manage trusted root certificates for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open <maml:ui>Server Manager</maml:ui>, and under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the Group Policy Management Console (GPMC) was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> GPO that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the GPMC, go to <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Stores</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Per user certificate stores</maml:ui>, clear the <maml:ui>Allow user trusted root CAs to be used to validate certificates</maml:ui> and <maml:ui>Allow users to trust peer trust certificates</maml:ui> check boxes.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under<maml:ui> Root certificate stores</maml:ui>, select the root CAs that the client computers can trust, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction></maml:section><maml:section address="BKMK_addlocal"><maml:title>Adding certificates to the Trusted Root Certification Authorities store for a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To add certificates to the Trusted Root Certification Authorities store for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Start Search</maml:ui>, type <maml:userInput>mmc</maml:userInput>, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Available snap-ins</maml:ui>, click <maml:ui>Certificates</maml:ui>, and then click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>This snap-in will always manage certificates for</maml:ui>, click <maml:ui>Computer account</maml:ui>, and then click <maml:ui>Next</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Local computer</maml:ui>, and click <maml:ui>Finish</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have no more snap-ins to add to the console, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Trusted Root Certification Authorities</maml:ui> store.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
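<maml:para>Click <maml:ui>Import</maml:ui> to import the certificates and follow the steps in the Certificate Import Wizard. Every certificate in this store is treated as a root of trust by the computer, so confirm each certificate's thumbprint against a value obtained from the issuing CA through a separate trusted channel before you import it.</maml:para>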
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_adddomain"><maml:title>Adding certificates to the Trusted Root Certification Authorities store for a domain</maml:title>
<maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure. </maml:para>

<maml:procedure><maml:title>To add certificates to the Trusted Root Certification Authorities store for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open <maml:ui>Server Manager</maml:ui>, and under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the GPMC was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> GPO that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the GPMC, go to <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Trusted Root Certification Authorities</maml:ui> store.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
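<maml:para>Click <maml:ui>Import</maml:ui> and follow the steps in the Certificate Import Wizard to import the certificates. Certificates imported here are distributed as trusted roots to the computers that the GPO applies to, so verify each certificate's thumbprint against the value published by the issuing CA before you import it.</maml:para>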
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Manage Trusted Publishers</maml:title><maml:introduction>
<maml:para>Software signing is being used by a growing number of software publishers and application developers to verify that their applications come from a trusted source. However, many users do not understand, or pay little attention to, the signing certificates associated with applications that they install.</maml:para>

<maml:para>The policy settings in the <maml:ui>Trusted Publishers</maml:ui> tab of the certificate path validation policy allow administrators to control which certificates can be accepted as coming from a trusted publisher.</maml:para>

<maml:para>This topic includes procedures for the following tasks:</maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring the trusted publishers policy settings for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f#BKMK_Trusted_Local"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring the trusted publishers policy settings for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f#BKMK_Trusted_Domain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Allowing only administrators to manage certificates used for code signing for a local computer</maml:linkText><maml:uri href="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f#BKMK_Code_Local"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Allowing only administrators to manage certificates used for code signing for a domain</maml:linkText><maml:uri href="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f#BKMK_Code_Domain"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list>
</maml:introduction><maml:content><maml:sections><maml:section address="BKMK_Trusted_Local"><maml:title>Configuring the trusted publishers policy settings for a local computer</maml:title>
<maml:introduction>
<maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To configure the trusted publishers policy settings for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpedit.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Local Computer Policy\Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Trusted Publishers</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, select the policy settings that you want to apply, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_Trusted_Domain"><maml:title>Configuring the trusted publishers policy settings for a domain</maml:title>
<maml:introduction>
<maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To configure the trusted publishers policy settings for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management </maml:ui>check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the Group Policy Management Console (GPMC) was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> Group Policy object (GPO) that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Trusted Publishers</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box, select the policy settings that you want to apply, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_Code_Local"><maml:title>Allowing only administrators to manage certificates used for code signing for a local computer</maml:title>
<maml:introduction><maml:para><maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To allow only administrators to manage certificates used for code signing for a local computer</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>gpedit.msc</maml:userInput> in the <maml:ui>Search programs and files</maml:ui> box, and then press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Default Domain Policy</maml:ui> or <maml:ui>Local Computer Policy</maml:ui>, double-click <maml:ui>Computer Configuration</maml:ui>, <maml:ui>Windows Settings</maml:ui>, and <maml:ui>Security Settings</maml:ui>, and then click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Trusted Publishers</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings </maml:ui>check box.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Trusted publisher management</maml:ui>, click <maml:ui>Allow only all administrators to manage Trusted Publishers</maml:ui>, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure></maml:introduction></maml:section><maml:section address="BKMK_Code_Domain"><maml:title>Allowing only administrators to manage certificates used for code signing for a domain</maml:title><maml:introduction><maml:para><maml:phrase>Domain Admins</maml:phrase> is the minimum group membership required to complete this procedure.</maml:para>
<maml:procedure><maml:title>To allow only administrators to manage certificates used for code signing for a domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and click <maml:ui>Server Manager</maml:ui>.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>. Select the <maml:ui>Group Policy Management </maml:ui>check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After the <maml:ui>Installation Results </maml:ui>page shows that the installation of the GPMC was successful, click <maml:ui>Close</maml:ui>.  </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, point to <maml:ui>Administrative Tools</maml:ui>, and then click <maml:ui>Group Policy Management</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, double-click <maml:ui>Group Policy Objects</maml:ui> in the forest and domain containing the <maml:ui>Default Domain Policy</maml:ui> GPO that you want to edit.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Default Domain Policy</maml:ui> GPO, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under <maml:ui>Computer Configuration\Windows Settings\Security Settings</maml:ui>, click <maml:ui>Public Key Policies</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Double-click <maml:ui>Certificate Path Validation Settings</maml:ui>, and then click the <maml:ui>Trusted Publishers</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Define these policy settings</maml:ui> check box, implement the changes you want, and then click <maml:ui>OK</maml:ui> to apply the new settings.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Path Validation</maml:linkText><maml:uri href="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Request a Certificate Over the Web</maml:title><maml:introduction>
<maml:para>Certification authorities (CAs) can be accessed by using CA Web enrollment pages, which can be used to perform a variety of tasks related to requesting certificates. The default location of the CA Web enrollment pages is http://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the server that hosts the CA Web enrollment pages. </maml:para>



<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>


<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Submit a User Certificate Request over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=145ad383-de56-457f-9211-ffcff80f16b6"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Submit an Advanced Certificate Request over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e8cef31a-070d-4f42-82db-efb7f8789583"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate by Using a PKCS #10 or PKCS #7 File</maml:linkText><maml:uri href="mshelp://windows/?id=13391cab-ada5-43f8-9f5d-b61e0abdc66d"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>



<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Obtain a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Certificate Services Resources</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>For extensive evaluation, design, deployment, troubleshooting, and technical reference information, including white papers and Knowledge Base (KB) articles, see Active Directory Certificate Services (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85613</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85613"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For information about developing applications that use Active Directory Certificate Services (AD CS), see Win32 and COM Security Development (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=92771</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=92771"></maml:uri></maml:navigationLink>). </maml:para>
</maml:listItem>


<maml:listItem>
<maml:para>For public information about public key infrastructures (PKIs), see the National Institute of Standards and Technology (NIST) PKI Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=92772</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=92772"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>For information about the PKI X.509 (pkix) working group, see the Internet Engineering Task Force (IETF) Web site (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=29885</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=29885"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Submit an Advanced Certificate Request over the Web</maml:title><maml:introduction>
<maml:para>The policy of a certification authority (CA) determines the types of certificates a user can request and the options they can configure. If enabled, you can use the <maml:ui>Advanced Certificate Request</maml:ui> Web page to set the following options for each certificate requested: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Certificate template</maml:ui> (from an enterprise CA) or <maml:ui>Type of certificate needed</maml:ui> (from a stand-alone CA). Indicates what applications the public key in the certificate can be used for, such as client authentication or e-mail.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Cryptographic service provider (CSP)</maml:ui>. A CSP is responsible for creating keys, destroying them, and using them to perform a variety of cryptographic operations. Each CSP provides a different implementation of the CryptoAPI. Some provide stronger cryptographic algorithms, while others use hardware components, such as smart cards. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Key size</maml:ui>. The length, in bits, of the public key on the certificate. In general, longer keys are more difficult for a malicious user to break than shorter keys. </maml:para>
</maml:listItem>

<maml:listItem>
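<maml:para><maml:ui>Hash algorithm</maml:ui>. A good hash algorithm makes it computationally infeasible to construct two independent inputs that have the same hash. Typical hash algorithms include MD2, MD4, MD5, and SHA-1. These older algorithms have known weaknesses and are no longer considered suitable for digital signatures; if the selected CSP offers a SHA-2 family algorithm, prefer it. </maml:para>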
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Key usage</maml:ui>. How the private key can be used. <maml:ui>Exchange</maml:ui> means that the private key can be used to enable the exchange of sensitive information. <maml:ui>Signature</maml:ui> means that the private key can be used only to create a digital signature. <maml:ui>Both</maml:ui> means that the key can be used for both exchange and signature functions. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Create new key set </maml:ui>or<maml:ui> Use existing key set</maml:ui>. You can use an existing public and private key pair stored on your computer or create a new public and private key pair for a certificate. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Enable strong private key protection</maml:ui>. When you enable strong private key protection, you will be prompted for a password every time the private key needs to be used. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Mark keys as exportable</maml:ui>. When you mark keys as exportable, you can save the public key and the private key to a PKCS #12 file. This is useful if you change computers and want to move the key pair, or if you want to remove the key pair and secure it in another location. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Store certificates in the local computer certificate store</maml:ui>. Select this option if the computer will need access to the private key associated with the certificate when other users are logged on. Select this option when requesting certificates intended to be issued to computers (such as Web servers) instead of certificates issued to users. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Request format</maml:ui>. This section can be used to select either PKCS #10 or CMC formats. If you want to submit the request later, you can also select <maml:ui>Save request to file</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>



<maml:para><maml:phrase>Users </maml:phrase>or local<maml:phrase> Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To submit an advanced certificate request over the Web</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open a Web browser. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open https://<maml:replaceable>servername</maml:replaceable>/certsrv, where <maml:replaceable>servername</maml:replaceable> is the name of the Web server hosting the CA Web enrollment pages. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Request a certificate</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Advanced certificate request</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Create and submit a certificate request to this CA</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Fill in any identifying information requested and any other options you require.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Submit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Do one of the following: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If the <maml:ui>Certificate Pending</maml:ui> Web page appears, see <maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink> for the procedure to check on a pending certificate.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If the <maml:ui>Certificate Issued</maml:ui> Web page appears, click <maml:ui>Install this certificate</maml:ui>.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>In order for a user to obtain a certificate by using Web enrollment, an administrator must set the appropriate permissions on the certificate templates on which the requested certificate is based. </maml:para>
</maml:listItem>


</maml:list>

<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Check on a Pending Certificate Request</maml:linkText><maml:uri href="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request a Certificate Over the Web</maml:linkText><maml:uri href="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Public and Private Keys</maml:title><maml:introduction>
<maml:para>In public key encryption, two different keys are used to encrypt and decrypt information. The private key is a key that is known only to its owner, while the public key can be made known and available to other entities on the network. </maml:para>

<maml:para>The two keys are different but complementary in function. For example, a user's public key can be published within a certificate in a folder so that it is accessible to other people in the organization. The sender of a message can retrieve the user's certificate from Active Directory Domain Services, obtain the public key from the certificate, and then encrypt the message by using the recipient's public key. Information that is encrypted with the public key can be decrypted only by using the corresponding private key of the set, which remains with its owner, the recipient of the message.</maml:para>
<maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificates Overview</maml:linkText><maml:uri href="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Cryptographic Service Providers</maml:linkText><maml:uri href="mshelp://windows/?id=934bccbb-a2f1-44b0-b725-e410ab613f59"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Active Directory Certificate Services Overview</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) role services can be set up on servers running operating systems including Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server. However, not all operating systems support all features or design requirements, and creating an optimal design requires careful planning and lab testing before you deploy AD CS in a production environment. Although you can deploy AD CS with a single server for a single certification authority (CA), deployments can involve multiple servers configured as root CAs, policy CAs, and issuing CAs, and other servers configured as Online Responders. </maml:para>



<maml:para>The following table lists the AD CS components that can be configured on different editions of Windows Server 2008 R2.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Components</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Web edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Standard edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Datacenter edition</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CA</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Network Device Enrollment Service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Online Responder service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CA Web Enrollment</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row><maml:entry><maml:para>Certificate Enrollment Web Service</maml:para></maml:entry><maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row><maml:entry><maml:para>Certificate Enrollment Policy Web Service</maml:para></maml:entry><maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:para>The following features are available on servers running Windows Server 2008 R2 that have been configured as CAs.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>AD CS features</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Web edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Standard edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enterprise edition</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Datacenter edition</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Customizable version 2 and version 3 certificate templates</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Key archival</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Role separation</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate manager restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delegated enrollment agent restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate enrollment across forest boundaries</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction><maml:content><maml:sections><maml:section address="H2_54174995">
<maml:title>Customizing AD CS</maml:title><maml:introduction>
<maml:para>AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. For information about customizing AD CS, see Certificate Services Architecture (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=91405</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=91405"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Managing AD CS</maml:title><maml:introduction>
<maml:para>The following Microsoft Management Console (MMC) snap-ins can be used to manage AD CS:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Certification Authority</maml:phrase>. The primary tool for managing a CA, certificate revocation, and certificate enrollment.    </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Certificate Templates</maml:phrase>. Used to duplicate and configure certificate templates for publication to Active Directory Domain Services (AD DS) and for use with enterprise CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Online Responder</maml:phrase>. Used to configure and manage Online Certificate Status Protocol (OCSP) responders.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Enterprise PKI</maml:phrase>. Used to monitor multiple CAs, certificate revocation lists (CRLs), and authority information access locations, and to manage AD CS objects that are published to AD DS.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Certificates</maml:phrase>. Used to view and manage certificate stores for a computer, user, or service.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Public Key Infrastructures</maml:linkText><maml:uri href="mshelp://windows/?id=26af007f-65e7-4f2b-a154-2bdcc7af2657"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Enrollment Policy Web Service Overview</maml:linkText><maml:uri href="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1"></maml:uri></maml:navigationLink></maml:para></maml:listItem>

<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Configuring Certificate Enrollment Web Services for Enrollment Across Forest Boundaries</maml:linkText><maml:uri href="mshelp://windows/?id=b5af94a1-4caf-4c05-b344-d996fdb9e2eb"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Stand-Alone Certification Authorities</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Stand-alone certification authorities (CAs) can issue certificates for purposes such as digital signatures, secure e-mail by using S/MIME (Secure Multipurpose Internet Mail Extensions), and authentication to a secure Web server by using Secure Sockets Layer (SSL) or Transport Layer Security (TLS).</maml:para>

<maml:para>A stand-alone CA has the following characteristics:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>Unlike an enterprise CA, a stand-alone CA does not require the use of Active Directory Domain Services (AD DS). Even if you are using AD DS, stand-alone CAs can be used as offline trusted root CAs in a CA hierarchy or to issue certificates to clients over an extranet or the Internet. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>When users submit a certificate request to a stand-alone CA, they must provide their identifying information and specify the type of certificate they need. (This does not need to be done when submitting a request to an enterprise CA because the enterprise user's information is already in AD DS and the certificate type is described by a certificate template.) The authentication information for requests is obtained from the local computer's Security Accounts Manager database.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>By default, all certificate requests sent to the stand-alone CA are set to pending until the administrator of the stand-alone CA verifies the submitted information and approves the request. The administrator has to perform these tasks because the certificate requester's credentials are not verified by the stand-alone CA.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate templates are not used.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>The administrator has to explicitly distribute the stand-alone CA's certificate to the domain user's trusted root store, or users must perform that task themselves.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If a cryptographic provider supporting elliptic curve cryptography (ECC) is used, a stand-alone CA will honor every key usage for the ECC key. For more information, see Cryptography Next Generation (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=85480</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=85480"></maml:uri></maml:navigationLink>).</maml:para>
</maml:listItem>
</maml:list>

<maml:para>When a stand-alone CA uses AD DS, the CA has these additional features: </maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>If a member of the Domain Admins group or an administrator with Write access to a domain controller installs a stand-alone root CA, the CA's certificate is automatically added to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. For this reason, if you install a stand-alone root CA in an Active Directory domain, you should not change the default action of the CA upon receiving certificate requests (which marks requests as pending). Otherwise, you will have a trusted root CA that automatically issues certificates without verifying the identity of the certificate requester.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>If a stand-alone CA is installed by a member of the Domain Admins group of the parent domain in the enterprise, or by an administrator with Write access to AD DS, then the stand-alone CA will publish its CA certificate and the certificate revocation list (CRL) to AD DS.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Types of Certification Authorities</maml:linkText><maml:uri href="mshelp://windows/?id=bac506b2-57be-45c2-bdf6-1f976eeeb475"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Find Certificates</maml:title><maml:introduction>
<maml:para>The <maml:ui>Find Certificates</maml:ui> dialog box allows you to locate certificates based on criteria that you specify.</maml:para>

<maml:para><maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To find a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the top <maml:ui>Certificates</maml:ui> node for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Find Certificates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Fill in the requested information. The following options are available:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Find in</maml:ui>. Search in a specific certificate store, or search in all certificate stores. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Look in field</maml:ui>. Allows you to limit a search to one of the following fields: </maml:para>

<maml:list class="unordered"><maml:listItem><maml:para><maml:ui>Issued By</maml:ui>. The name or a portion of the name of the issuer.</maml:para></maml:listItem>

<maml:listItem><maml:para><maml:ui>Issued To</maml:ui>. The name or a portion of the name of the entity to which the certificate was issued.</maml:para></maml:listItem>

<maml:listItem><maml:para><maml:ui>MD5 Hash</maml:ui>. The certificate's MD5 thumbprint value or a portion of that value.</maml:para></maml:listItem>

<maml:listItem><maml:para><maml:ui>Serial Number</maml:ui>. The serial number or a portion of the serial number of the certificate.</maml:para></maml:listItem>

<maml:listItem><maml:para><maml:ui>SHA1 Hash</maml:ui>. The certificate's SHA1 thumbprint value or a portion of that value.</maml:para></maml:listItem></maml:list>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Contains</maml:ui>. The name, portion of a name, serial number, portion of a serial number, thumbprint value, or portion of a thumbprint value that you want to search for.</maml:para>
</maml:listItem>
</maml:list>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>After you have entered the appropriate information, click <maml:ui>Find Now</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Delete a Certificate</maml:title><maml:introduction>
<maml:para>Certificates can become obsolete for a number of reasons, such as when they are compromised, become corrupted, or are replaced by a new certificate. However, even when a certificate is deleted, the corresponding private key is not deleted.</maml:para>

<maml:alertSet class="important"><maml:title>Important </maml:title>
<maml:para>Before deleting a certificate, be sure that you will not need it later for purposes such as reading old documents that were encrypted with the certificate's public key and can be decrypted only with the corresponding private key.</maml:para>
</maml:alertSet>

<maml:para><maml:phrase>Users</maml:phrase> or local <maml:phrase>Administrators</maml:phrase> is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.</maml:para>

<maml:procedure><maml:title>To delete a certificate</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificates snap-in for a user, computer, or service.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree under the logical store that contains the certificate to delete, click <maml:ui>Certificates</maml:ui>.</maml:para>

</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, click the certificate that you want to delete. (To select multiple certificates, hold down CTRL and click each certificate.)</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Delete</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Yes</maml:ui> if you are sure that you want to permanently delete the certificate.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para><maml:phrase>Additional considerations</maml:phrase></maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>To open the Certificates snap-in, see <maml:navigationLink><maml:linkText>Add the Certificates Snap-in to an MMC</maml:linkText><maml:uri href="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>



<maml:listItem>
<maml:para>You might want to back up the certificate by exporting it before you delete it. For the procedure to export a certificate, see <maml:navigationLink><maml:linkText>Export a Certificate</maml:linkText><maml:uri href="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="certmgr" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Certificates" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="certmgr.H1F" />
	</CompilerOptions>
	<TOCDef File="certmgr.H1T" Id="certmgr_TOC" />
	<VTopicDef File="certmgr.H1V" />
	<KeywordIndexDef File="certmgr_AssetId.H1K" />
	<KeywordIndexDef File="certmgr_BestBet.H1K" />
	<KeywordIndexDef File="certmgr_LinkTerm.H1K" />
	<KeywordIndexDef File="certmgr_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\0b14470f-97ed-43b5-8b3e-717ed832e2b3.xml" />
	<File Url="assets\0cd73166-999e-4d69-8c99-41a510cc9c6d.xml" />
	<File Url="assets\0d71e266-5cfd-4b01-ac32-81021d37875f.xml" />
	<File Url="assets\0e5718dd-4e97-4618-8b06-8b6ff5a264d1.xml" />
	<File Url="assets\13391cab-ada5-43f8-9f5d-b61e0abdc66d.xml" />
	<File Url="assets\1403e7d1-3200-41f2-8d69-be89f4f6f140.xml" />
	<File Url="assets\145ad383-de56-457f-9211-ffcff80f16b6.xml" />
	<File Url="assets\18bc3367-d4b1-4309-b9ed-db68dcb817bb.xml" />
	<File Url="assets\1fd54ffb-ab16-4d6e-aeb0-a973532c8e43.xml" />
	<File Url="assets\211b51a2-999a-43c0-86ac-92a32cbe1dd2.xml" />
	<File Url="assets\219dca64-eb32-4f48-8083-8a6c3dbaf237.xml" />
	<File Url="assets\23654ad1-27f9-4a60-9a8a-d99728764562.xml" />
	<File Url="assets\23855705-69c5-4d71-90f5-8f6718df840c.xml" />
	<File Url="assets\23fccc11-eb65-46fe-a063-055ce972acf2.xml" />
	<File Url="assets\257877c3-707d-4681-8648-28dbc6d36cfb.xml" />
	<File Url="assets\25789028-bfc8-48f5-9432-82e74ea48d59.xml" />
	<File Url="assets\262b06b9-4142-4c98-a6bc-95d3a4cecb51.xml" />
	<File Url="assets\26af007f-65e7-4f2b-a154-2bdcc7af2657.xml" />
	<File Url="assets\2e9e43a1-5201-41c3-9cdc-4da37713d37a.xml" />
	<File Url="assets\31cae6ad-5e3b-4eee-923e-11683014c320.xml" />
	<File Url="assets\34bc986a-a55c-4d4d-a073-cfad924b1187.xml" />
	<File Url="assets\355962c2-4f6b-4cbd-ab00-6e7ee4dddc16.xml" />
	<File Url="assets\3c7f161a-96d9-4ed1-9050-5279bd6a0c49.xml" />
	<File Url="assets\3de3286a-efd8-4afc-8878-7a034355d90e.xml" />
	<File Url="assets\3eefd65f-6591-4062-8759-4fd208e9b9d1.xml" />
	<File Url="assets\3f7ef00a-b1af-4d5e-af78-cd8df001bad8.xml" />
	<File Url="assets\47f4da34-b4e8-45b3-80be-89521b08ec7c.xml" />
	<File Url="assets\4a9be825-e97d-4b0c-8b7b-a1f74a816619.xml" />
	<File Url="assets\4ecbce82-4636-44a0-93ca-b664a186d22e.xml" />
	<File Url="assets\4f9464fd-0968-4ce2-abc9-449008403225.xml" />
	<File Url="assets\532adf18-b09e-416b-a966-ca74ee11aa38.xml" />
	<File Url="assets\58107cc5-aedf-4212-9568-2dfe1a0b1452.xml" />
	<File Url="assets\5d411321-7cc4-4027-8672-e011e2fb4d73.xml" />
	<File Url="assets\61832e1a-ca90-4dd9-96b1-c647c0d17453.xml" />
	<File Url="assets\61e3ea01-7b38-4ba8-a201-40ce9ba33f2c.xml" />
	<File Url="assets\64541c74-8112-4496-9721-1ddabcae5f4b.xml" />
	<File Url="assets\645cc20c-215c-4a8e-b624-40c8cbb3e1b5.xml" />
	<File Url="assets\64e30de7-088f-4e77-9a69-d2b940b1777f.xml" />
	<File Url="assets\66730f06-9190-4eb1-bf08-88c79f4a0a23.xml" />
	<File Url="assets\67ba15f1-5648-480d-9886-a56a3e622d99.xml" />
	<File Url="assets\67ca7b60-9ba5-401b-876e-fe8ee384b9ec.xml" />
	<File Url="assets\68340bf6-9412-4a41-bb36-2ccc8c1ab5cf.xml" />
	<File Url="assets\68354d8a-1cc2-491b-8352-053e133dcd2b.xml" />
	<File Url="assets\69631784-438c-435a-be35-5ee1e1353c4d.xml" />
	<File Url="assets\6b8b6b13-b4be-4a40-a696-352b40953286.xml" />
	<File Url="assets\6f574ad3-c4e6-431c-b668-448e9111253b.xml" />
	<File Url="assets\70588c7b-c9ba-425f-84e9-d4fe44f6e294.xml" />
	<File Url="assets\70e5d64c-91ce-4355-a9c9-115fe0866911.xml" />
	<File Url="assets\74f6e625-e656-41ff-af86-96eb2950c4c7.xml" />
	<File Url="assets\7f0267d1-a209-42fd-bdcb-3bf006f7d6c1.xml" />
	<File Url="assets\870fd126-5c68-4ecb-ab8a-a255370e9d9f.xml" />
	<File Url="assets\8e6b017b-1658-4171-a18c-3d10fefed477.xml" />
	<File Url="assets\92ad94a0-3eeb-4916-8fbe-05b803affa3e.xml" />
	<File Url="assets\934bccbb-a2f1-44b0-b725-e410ab613f59.xml" />
	<File Url="assets\93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1.xml" />
	<File Url="assets\953d9851-ad11-46ac-82ad-769405c4a6ef.xml" />
	<File Url="assets\964edfbd-d935-4352-b054-5e3dfe6c547e.xml" />
	<File Url="assets\97af909c-e2f0-4a7e-8203-435aa9784623.xml" />
	<File Url="assets\9936f79e-567a-4a65-8b23-43b7d35e9122.xml" />
	<File Url="assets\b776e5d1-307b-42f2-b2d1-c6dce2a49c9b.xml" />
	<File Url="assets\b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml" />
	<File Url="assets\ba0c1c06-47d1-4038-9189-294508e72c3b.xml" />
	<File Url="assets\ba6554ca-f33f-4dd3-beff-bd602018dcc5.xml" />
	<File Url="assets\bac506b2-57be-45c2-bdf6-1f976eeeb475.xml" />
	<File Url="assets\bb23ebf2-6cd7-404c-908b-c30fce0dc8a6.xml" />
	<File Url="assets\bb6d72af-520d-4b1c-a8b7-7b08c58220d4.xml" />
	<File Url="assets\c29aefb0-902d-4c47-8408-a91d1e0978e0.xml" />
	<File Url="assets\c2c2b497-274e-490f-935e-e8046f00e57d.xml" />
	<File Url="assets\c7eefeb4-3ecc-45c5-9447-3b673903f76b.xml" />
	<File Url="assets\d08d5ac3-2dc4-4069-b061-902e607f421d.xml" />
	<File Url="assets\d641377f-de00-4342-b15f-4879a3859ded.xml" />
	<File Url="assets\d6d69e62-0640-4055-bee9-8b4a993c6ac8.xml" />
	<File Url="assets\d84b0b2f-1338-4c36-b363-747a4c09f47e.xml" />
	<File Url="assets\dc434757-4be7-4017-b40b-eaaf39269c3f.xml" />
	<File Url="assets\e06a5b6b-f864-49cc-85f4-f4870fac5559.xml" />
	<File Url="assets\e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xml" />
	<File Url="assets\e8cef31a-070d-4f42-82db-efb7f8789583.xml" />
	<File Url="assets\e944f472-806b-4e58-b162-d18acff72884.xml" />
	<File Url="assets\ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2.xml" />
	<File Url="assets\f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xml" />
	<File Url="assets\f6004c40-2b76-4231-895b-dbdc109989a2.xml" />
	<File Url="assets\f6cda72d-99fb-4874-85ec-a2b4495493e8.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\0b14470f-97ed-43b5-8b3e-717ed832e2b3.xml" RLTitle="Certificate Properties OCSP Tab">
		<Attr Name="assetid" Value="0b14470f-97ed-43b5-8b3e-717ed832e2b3" />
		<Keyword Index="AssetId" Term="0b14470f-97ed-43b5-8b3e-717ed832e2b3" />
		<Keyword Index="AssetId" Term="0b14470f-97ed-43b5-8b3e-717ed832e2b31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0b14470f-97ed-43b5-8b3e-717ed832e2b3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0cd73166-999e-4d69-8c99-41a510cc9c6d.xml" RLTitle="Guidelines for Using Alternate Signature Formats">
		<Attr Name="assetid" Value="0cd73166-999e-4d69-8c99-41a510cc9c6d" />
		<Keyword Index="AssetId" Term="0cd73166-999e-4d69-8c99-41a510cc9c6d" />
		<Keyword Index="AssetId" Term="0cd73166-999e-4d69-8c99-41a510cc9c6d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0cd73166-999e-4d69-8c99-41a510cc9c6d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0d71e266-5cfd-4b01-ac32-81021d37875f.xml" RLTitle="Registration Authorities">
		<Attr Name="assetid" Value="0d71e266-5cfd-4b01-ac32-81021d37875f" />
		<Keyword Index="AssetId" Term="0d71e266-5cfd-4b01-ac32-81021d37875f" />
		<Keyword Index="AssetId" Term="0d71e266-5cfd-4b01-ac32-81021d37875f1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0d71e266-5cfd-4b01-ac32-81021d37875f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0e5718dd-4e97-4618-8b06-8b6ff5a264d1.xml" RLTitle="General Tab">
		<Attr Name="assetid" Value="0e5718dd-4e97-4618-8b06-8b6ff5a264d1" />
		<Keyword Index="AssetId" Term="0e5718dd-4e97-4618-8b06-8b6ff5a264d1" />
		<Keyword Index="AssetId" Term="0e5718dd-4e97-4618-8b06-8b6ff5a264d11033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0e5718dd-4e97-4618-8b06-8b6ff5a264d1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\13391cab-ada5-43f8-9f5d-b61e0abdc66d.xml" RLTitle="Request a Certificate by Using a PKCS #10 or PKCS #7 File">
		<Attr Name="assetid" Value="13391cab-ada5-43f8-9f5d-b61e0abdc66d" />
		<Keyword Index="AssetId" Term="13391cab-ada5-43f8-9f5d-b61e0abdc66d" />
		<Keyword Index="AssetId" Term="13391cab-ada5-43f8-9f5d-b61e0abdc66d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="13391cab-ada5-43f8-9f5d-b61e0abdc66d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1403e7d1-3200-41f2-8d69-be89f4f6f140.xml" RLTitle="Certificate Properties Extended Validation Tab">
		<Attr Name="assetid" Value="1403e7d1-3200-41f2-8d69-be89f4f6f140" />
		<Keyword Index="AssetId" Term="1403e7d1-3200-41f2-8d69-be89f4f6f140" />
		<Keyword Index="AssetId" Term="1403e7d1-3200-41f2-8d69-be89f4f6f1401033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1403e7d1-3200-41f2-8d69-be89f4f6f140" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\145ad383-de56-457f-9211-ffcff80f16b6.xml" RLTitle="Submit a User Certificate Request over the Web">
		<Attr Name="assetid" Value="145ad383-de56-457f-9211-ffcff80f16b6" />
		<Keyword Index="AssetId" Term="145ad383-de56-457f-9211-ffcff80f16b6" />
		<Keyword Index="AssetId" Term="145ad383-de56-457f-9211-ffcff80f16b61033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="145ad383-de56-457f-9211-ffcff80f16b6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\18bc3367-d4b1-4309-b9ed-db68dcb817bb.xml" RLTitle="Manage Certificate Enrollment Policy by Using the Certificates Snap-in">
		<Attr Name="assetid" Value="18bc3367-d4b1-4309-b9ed-db68dcb817bb" />
		<Keyword Index="AssetId" Term="18bc3367-d4b1-4309-b9ed-db68dcb817bb" />
		<Keyword Index="AssetId" Term="18bc3367-d4b1-4309-b9ed-db68dcb817bb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="18bc3367-d4b1-4309-b9ed-db68dcb817bb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1fd54ffb-ab16-4d6e-aeb0-a973532c8e43.xml" RLTitle="Certificate File Formats">
		<Attr Name="assetid" Value="1fd54ffb-ab16-4d6e-aeb0-a973532c8e43" />
		<Keyword Index="AssetId" Term="1fd54ffb-ab16-4d6e-aeb0-a973532c8e43" />
		<Keyword Index="AssetId" Term="1fd54ffb-ab16-4d6e-aeb0-a973532c8e431033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1fd54ffb-ab16-4d6e-aeb0-a973532c8e43" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\211b51a2-999a-43c0-86ac-92a32cbe1dd2.xml" RLTitle="Enroll for Certificates on Behalf of Other Users">
		<Attr Name="assetid" Value="211b51a2-999a-43c0-86ac-92a32cbe1dd2" />
		<Keyword Index="AssetId" Term="211b51a2-999a-43c0-86ac-92a32cbe1dd2" />
		<Keyword Index="AssetId" Term="211b51a2-999a-43c0-86ac-92a32cbe1dd21033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="211b51a2-999a-43c0-86ac-92a32cbe1dd2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\219dca64-eb32-4f48-8083-8a6c3dbaf237.xml" RLTitle="Certificate Path Validation">
		<Attr Name="assetid" Value="219dca64-eb32-4f48-8083-8a6c3dbaf237" />
		<Keyword Index="AssetId" Term="219dca64-eb32-4f48-8083-8a6c3dbaf237" />
		<Keyword Index="AssetId" Term="219dca64-eb32-4f48-8083-8a6c3dbaf2371033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="219dca64-eb32-4f48-8083-8a6c3dbaf237" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\23654ad1-27f9-4a60-9a8a-d99728764562.xml" RLTitle="Credential Roaming">
		<Attr Name="assetid" Value="23654ad1-27f9-4a60-9a8a-d99728764562" />
		<Keyword Index="AssetId" Term="23654ad1-27f9-4a60-9a8a-d99728764562" />
		<Keyword Index="AssetId" Term="23654ad1-27f9-4a60-9a8a-d997287645621033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="23654ad1-27f9-4a60-9a8a-d99728764562" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\23855705-69c5-4d71-90f5-8f6718df840c.xml" RLTitle="Renew a Certificate with a New Key">
		<Attr Name="assetid" Value="23855705-69c5-4d71-90f5-8f6718df840c" />
		<Keyword Index="AssetId" Term="23855705-69c5-4d71-90f5-8f6718df840c" />
		<Keyword Index="AssetId" Term="23855705-69c5-4d71-90f5-8f6718df840c1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="23855705-69c5-4d71-90f5-8f6718df840c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\23fccc11-eb65-46fe-a063-055ce972acf2.xml" RLTitle="BitLocker Certificates">
		<Attr Name="assetid" Value="23fccc11-eb65-46fe-a063-055ce972acf2" />
		<Keyword Index="AssetId" Term="23fccc11-eb65-46fe-a063-055ce972acf2" />
		<Keyword Index="AssetId" Term="23fccc11-eb65-46fe-a063-055ce972acf21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="23fccc11-eb65-46fe-a063-055ce972acf2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\257877c3-707d-4681-8648-28dbc6d36cfb.xml" RLTitle="Sign Certificate Requests">
		<Attr Name="assetid" Value="257877c3-707d-4681-8648-28dbc6d36cfb" />
		<Keyword Index="AssetId" Term="257877c3-707d-4681-8648-28dbc6d36cfb" />
		<Keyword Index="AssetId" Term="257877c3-707d-4681-8648-28dbc6d36cfb1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="257877c3-707d-4681-8648-28dbc6d36cfb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\25789028-bfc8-48f5-9432-82e74ea48d59.xml" RLTitle="Display Certificates by Logical Certificate Stores">
		<Attr Name="assetid" Value="25789028-bfc8-48f5-9432-82e74ea48d59" />
		<Keyword Index="AssetId" Term="25789028-bfc8-48f5-9432-82e74ea48d59" />
		<Keyword Index="AssetId" Term="25789028-bfc8-48f5-9432-82e74ea48d591033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="25789028-bfc8-48f5-9432-82e74ea48d59" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\262b06b9-4142-4c98-a6bc-95d3a4cecb51.xml" RLTitle="Check on a Pending Certificate Request">
		<Attr Name="assetid" Value="262b06b9-4142-4c98-a6bc-95d3a4cecb51" />
		<Keyword Index="AssetId" Term="262b06b9-4142-4c98-a6bc-95d3a4cecb51" />
		<Keyword Index="AssetId" Term="262b06b9-4142-4c98-a6bc-95d3a4cecb511033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="262b06b9-4142-4c98-a6bc-95d3a4cecb51" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\26af007f-65e7-4f2b-a154-2bdcc7af2657.xml" RLTitle="Public Key Infrastructures">
		<Attr Name="assetid" Value="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Keyword Index="AssetId" Term="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Keyword Index="AssetId" Term="26af007f-65e7-4f2b-a154-2bdcc7af26571033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="26af007f-65e7-4f2b-a154-2bdcc7af2657" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\2e9e43a1-5201-41c3-9cdc-4da37713d37a.xml" RLTitle="Display Certificate Stores">
		<Attr Name="assetid" Value="2e9e43a1-5201-41c3-9cdc-4da37713d37a" />
		<Keyword Index="AssetId" Term="2e9e43a1-5201-41c3-9cdc-4da37713d37a" />
		<Keyword Index="AssetId" Term="2e9e43a1-5201-41c3-9cdc-4da37713d37a1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="2e9e43a1-5201-41c3-9cdc-4da37713d37a" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\31cae6ad-5e3b-4eee-923e-11683014c320.xml" RLTitle="Certificate Extensions">
		<Attr Name="assetid" Value="31cae6ad-5e3b-4eee-923e-11683014c320" />
		<Keyword Index="AssetId" Term="31cae6ad-5e3b-4eee-923e-11683014c320" />
		<Keyword Index="AssetId" Term="31cae6ad-5e3b-4eee-923e-11683014c3201033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="31cae6ad-5e3b-4eee-923e-11683014c320" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\34bc986a-a55c-4d4d-a073-cfad924b1187.xml" RLTitle="Move Certificates">
		<Attr Name="assetid" Value="34bc986a-a55c-4d4d-a073-cfad924b1187" />
		<Keyword Index="AssetId" Term="34bc986a-a55c-4d4d-a073-cfad924b1187" />
		<Keyword Index="AssetId" Term="34bc986a-a55c-4d4d-a073-cfad924b11871033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="34bc986a-a55c-4d4d-a073-cfad924b1187" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\355962c2-4f6b-4cbd-ab00-6e7ee4dddc16.xml" RLTitle="What is the Certificates Snap-in?">
		<Attr Name="assetid" Value="355962c2-4f6b-4cbd-ab00-6e7ee4dddc16" />
		<Keyword Index="AssetId" Term="355962c2-4f6b-4cbd-ab00-6e7ee4dddc16" />
		<Keyword Index="AssetId" Term="355962c2-4f6b-4cbd-ab00-6e7ee4dddc161033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="355962c2-4f6b-4cbd-ab00-6e7ee4dddc16" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3c7f161a-96d9-4ed1-9050-5279bd6a0c49.xml" RLTitle="Modify the Properties of a Certificate">
		<Attr Name="assetid" Value="3c7f161a-96d9-4ed1-9050-5279bd6a0c49" />
		<Keyword Index="AssetId" Term="3c7f161a-96d9-4ed1-9050-5279bd6a0c49" />
		<Keyword Index="AssetId" Term="3c7f161a-96d9-4ed1-9050-5279bd6a0c491033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3c7f161a-96d9-4ed1-9050-5279bd6a0c49" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3de3286a-efd8-4afc-8878-7a034355d90e.xml" RLTitle="Save a Certificate Request in a File">
		<Attr Name="assetid" Value="3de3286a-efd8-4afc-8878-7a034355d90e" />
		<Keyword Index="AssetId" Term="3de3286a-efd8-4afc-8878-7a034355d90e" />
		<Keyword Index="AssetId" Term="3de3286a-efd8-4afc-8878-7a034355d90e1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3de3286a-efd8-4afc-8878-7a034355d90e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3eefd65f-6591-4062-8759-4fd208e9b9d1.xml" RLTitle="Renew a Certificate with the Same Key">
		<Attr Name="assetid" Value="3eefd65f-6591-4062-8759-4fd208e9b9d1" />
		<Keyword Index="AssetId" Term="3eefd65f-6591-4062-8759-4fd208e9b9d1" />
		<Keyword Index="AssetId" Term="3eefd65f-6591-4062-8759-4fd208e9b9d11033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3eefd65f-6591-4062-8759-4fd208e9b9d1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3f7ef00a-b1af-4d5e-af78-cd8df001bad8.xml" RLTitle="Hash Algorithms">
		<Attr Name="assetid" Value="3f7ef00a-b1af-4d5e-af78-cd8df001bad8" />
		<Keyword Index="AssetId" Term="3f7ef00a-b1af-4d5e-af78-cd8df001bad8" />
		<Keyword Index="AssetId" Term="3f7ef00a-b1af-4d5e-af78-cd8df001bad81033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3f7ef00a-b1af-4d5e-af78-cd8df001bad8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\47f4da34-b4e8-45b3-80be-89521b08ec7c.xml" RLTitle="Certification Path Tab">
		<Attr Name="assetid" Value="47f4da34-b4e8-45b3-80be-89521b08ec7c" />
		<Keyword Index="AssetId" Term="47f4da34-b4e8-45b3-80be-89521b08ec7c" />
		<Keyword Index="AssetId" Term="47f4da34-b4e8-45b3-80be-89521b08ec7c1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="47f4da34-b4e8-45b3-80be-89521b08ec7c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4a9be825-e97d-4b0c-8b7b-a1f74a816619.xml" RLTitle="Subject Names">
		<Attr Name="assetid" Value="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Keyword Index="AssetId" Term="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Keyword Index="AssetId" Term="4a9be825-e97d-4b0c-8b7b-a1f74a8166191033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4ecbce82-4636-44a0-93ca-b664a186d22e.xml" RLTitle="Obtain a Certificate">
		<Attr Name="assetid" Value="4ecbce82-4636-44a0-93ca-b664a186d22e" />
		<Keyword Index="AssetId" Term="4ecbce82-4636-44a0-93ca-b664a186d22e" />
		<Keyword Index="AssetId" Term="4ecbce82-4636-44a0-93ca-b664a186d22e1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4ecbce82-4636-44a0-93ca-b664a186d22e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4f9464fd-0968-4ce2-abc9-449008403225.xml" RLTitle="Renew a Certificate">
		<Attr Name="assetid" Value="4f9464fd-0968-4ce2-abc9-449008403225" />
		<Keyword Index="AssetId" Term="4f9464fd-0968-4ce2-abc9-449008403225" />
		<Keyword Index="AssetId" Term="4f9464fd-0968-4ce2-abc9-4490084032251033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4f9464fd-0968-4ce2-abc9-449008403225" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\532adf18-b09e-416b-a966-ca74ee11aa38.xml" RLTitle="Certificate Properties Cross-Certificates Tab">
		<Attr Name="assetid" Value="532adf18-b09e-416b-a966-ca74ee11aa38" />
		<Keyword Index="AssetId" Term="532adf18-b09e-416b-a966-ca74ee11aa38" />
		<Keyword Index="AssetId" Term="532adf18-b09e-416b-a966-ca74ee11aa381033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="532adf18-b09e-416b-a966-ca74ee11aa38" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\58107cc5-aedf-4212-9568-2dfe1a0b1452.xml" RLTitle="Manage Revocation Checking Policy">
		<Attr Name="assetid" Value="58107cc5-aedf-4212-9568-2dfe1a0b1452" />
		<Keyword Index="AssetId" Term="58107cc5-aedf-4212-9568-2dfe1a0b1452" />
		<Keyword Index="AssetId" Term="58107cc5-aedf-4212-9568-2dfe1a0b14521033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="58107cc5-aedf-4212-9568-2dfe1a0b1452" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5d411321-7cc4-4027-8672-e011e2fb4d73.xml" RLTitle="Certificates">
		<Attr Name="assetid" Value="5d411321-7cc4-4027-8672-e011e2fb4d73" />
		<Keyword Index="AssetId" Term="5d411321-7cc4-4027-8672-e011e2fb4d73" />
		<Keyword Index="AssetId" Term="5d411321-7cc4-4027-8672-e011e2fb4d731033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5d411321-7cc4-4027-8672-e011e2fb4d73" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\61832e1a-ca90-4dd9-96b1-c647c0d17453.xml" RLTitle="Encrypting File System (EFS)">
		<Attr Name="assetid" Value="61832e1a-ca90-4dd9-96b1-c647c0d17453" />
		<Keyword Index="AssetId" Term="61832e1a-ca90-4dd9-96b1-c647c0d17453" />
		<Keyword Index="AssetId" Term="61832e1a-ca90-4dd9-96b1-c647c0d174531033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="61832e1a-ca90-4dd9-96b1-c647c0d17453" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\61e3ea01-7b38-4ba8-a201-40ce9ba33f2c.xml" RLTitle="Request a Certificate">
		<Attr Name="assetid" Value="61e3ea01-7b38-4ba8-a201-40ce9ba33f2c" />
		<Keyword Index="AssetId" Term="61e3ea01-7b38-4ba8-a201-40ce9ba33f2c" />
		<Keyword Index="AssetId" Term="61e3ea01-7b38-4ba8-a201-40ce9ba33f2c1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="61e3ea01-7b38-4ba8-a201-40ce9ba33f2c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\64541c74-8112-4496-9721-1ddabcae5f4b.xml" RLTitle="Certificate Enrollment Policy Servers">
		<Attr Name="assetid" Value="64541c74-8112-4496-9721-1ddabcae5f4b" />
		<Keyword Index="AssetId" Term="64541c74-8112-4496-9721-1ddabcae5f4b" />
		<Keyword Index="AssetId" Term="64541c74-8112-4496-9721-1ddabcae5f4b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="64541c74-8112-4496-9721-1ddabcae5f4b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\645cc20c-215c-4a8e-b624-40c8cbb3e1b5.xml" RLTitle="View Certificate Revocation List Details">
		<Attr Name="assetid" Value="645cc20c-215c-4a8e-b624-40c8cbb3e1b5" />
		<Keyword Index="AssetId" Term="645cc20c-215c-4a8e-b624-40c8cbb3e1b5" />
		<Keyword Index="AssetId" Term="645cc20c-215c-4a8e-b624-40c8cbb3e1b51033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="645cc20c-215c-4a8e-b624-40c8cbb3e1b5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\64e30de7-088f-4e77-9a69-d2b940b1777f.xml" RLTitle="Resources for Certificates">
		<Attr Name="assetid" Value="64e30de7-088f-4e77-9a69-d2b940b1777f" />
		<Keyword Index="AssetId" Term="64e30de7-088f-4e77-9a69-d2b940b1777f" />
		<Keyword Index="AssetId" Term="64e30de7-088f-4e77-9a69-d2b940b1777f1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="64e30de7-088f-4e77-9a69-d2b940b1777f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\66730f06-9190-4eb1-bf08-88c79f4a0a23.xml" RLTitle="Export a Certificate with the Private Key">
		<Attr Name="assetid" Value="66730f06-9190-4eb1-bf08-88c79f4a0a23" />
		<Keyword Index="AssetId" Term="66730f06-9190-4eb1-bf08-88c79f4a0a23" />
		<Keyword Index="AssetId" Term="66730f06-9190-4eb1-bf08-88c79f4a0a231033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="66730f06-9190-4eb1-bf08-88c79f4a0a23" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\67ba15f1-5648-480d-9886-a56a3e622d99.xml" RLTitle="Add the Certificates Snap-in to an MMC">
		<Attr Name="assetid" Value="67ba15f1-5648-480d-9886-a56a3e622d99" />
		<Keyword Index="AssetId" Term="67ba15f1-5648-480d-9886-a56a3e622d99" />
		<Keyword Index="AssetId" Term="67ba15f1-5648-480d-9886-a56a3e622d991033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="67ba15f1-5648-480d-9886-a56a3e622d99" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\67ca7b60-9ba5-401b-876e-fe8ee384b9ec.xml" RLTitle="View Certificate Properties">
		<Attr Name="assetid" Value="67ca7b60-9ba5-401b-876e-fe8ee384b9ec" />
		<Keyword Index="AssetId" Term="67ca7b60-9ba5-401b-876e-fe8ee384b9ec" />
		<Keyword Index="AssetId" Term="67ca7b60-9ba5-401b-876e-fe8ee384b9ec1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="67ca7b60-9ba5-401b-876e-fe8ee384b9ec" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\68340bf6-9412-4a41-bb36-2ccc8c1ab5cf.xml" RLTitle="Import a Certificate">
		<Attr Name="assetid" Value="68340bf6-9412-4a41-bb36-2ccc8c1ab5cf" />
		<Keyword Index="AssetId" Term="68340bf6-9412-4a41-bb36-2ccc8c1ab5cf" />
		<Keyword Index="AssetId" Term="68340bf6-9412-4a41-bb36-2ccc8c1ab5cf1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="68340bf6-9412-4a41-bb36-2ccc8c1ab5cf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\68354d8a-1cc2-491b-8352-053e133dcd2b.xml" RLTitle="Request Certificates by Using the Certificate Request Wizard">
		<Attr Name="assetid" Value="68354d8a-1cc2-491b-8352-053e133dcd2b" />
		<Keyword Index="AssetId" Term="68354d8a-1cc2-491b-8352-053e133dcd2b" />
		<Keyword Index="AssetId" Term="68354d8a-1cc2-491b-8352-053e133dcd2b1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="68354d8a-1cc2-491b-8352-053e133dcd2b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\69631784-438c-435a-be35-5ee1e1353c4d.xml" RLTitle="Automate Certificate Management">
		<Attr Name="assetid" Value="69631784-438c-435a-be35-5ee1e1353c4d" />
		<Keyword Index="AssetId" Term="69631784-438c-435a-be35-5ee1e1353c4d" />
		<Keyword Index="AssetId" Term="69631784-438c-435a-be35-5ee1e1353c4d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="69631784-438c-435a-be35-5ee1e1353c4d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6b8b6b13-b4be-4a40-a696-352b40953286.xml" RLTitle="Display Certificates by Certificate Purpose">
		<Attr Name="assetid" Value="6b8b6b13-b4be-4a40-a696-352b40953286" />
		<Keyword Index="AssetId" Term="6b8b6b13-b4be-4a40-a696-352b40953286" />
		<Keyword Index="AssetId" Term="6b8b6b13-b4be-4a40-a696-352b409532861033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6b8b6b13-b4be-4a40-a696-352b40953286" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6f574ad3-c4e6-431c-b668-448e9111253b.xml" RLTitle="Manage Certificates">
		<Attr Name="assetid" Value="6f574ad3-c4e6-431c-b668-448e9111253b" />
		<Keyword Index="AssetId" Term="6f574ad3-c4e6-431c-b668-448e9111253b" />
		<Keyword Index="AssetId" Term="6f574ad3-c4e6-431c-b668-448e9111253b1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6f574ad3-c4e6-431c-b668-448e9111253b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\70588c7b-c9ba-425f-84e9-d4fe44f6e294.xml" RLTitle="Manage Network Retrieval and Path Validation">
		<Attr Name="assetid" Value="70588c7b-c9ba-425f-84e9-d4fe44f6e294" />
		<Keyword Index="AssetId" Term="70588c7b-c9ba-425f-84e9-d4fe44f6e294" />
		<Keyword Index="AssetId" Term="70588c7b-c9ba-425f-84e9-d4fe44f6e2941033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="70588c7b-c9ba-425f-84e9-d4fe44f6e294" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\70e5d64c-91ce-4355-a9c9-115fe0866911.xml" RLTitle="Enterprise Certification Authorities">
		<Attr Name="assetid" Value="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Keyword Index="AssetId" Term="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Keyword Index="AssetId" Term="70e5d64c-91ce-4355-a9c9-115fe08669111033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="70e5d64c-91ce-4355-a9c9-115fe0866911" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\74f6e625-e656-41ff-af86-96eb2950c4c7.xml" RLTitle="Details Tab">
		<Attr Name="assetid" Value="74f6e625-e656-41ff-af86-96eb2950c4c7" />
		<Keyword Index="AssetId" Term="74f6e625-e656-41ff-af86-96eb2950c4c7" />
		<Keyword Index="AssetId" Term="74f6e625-e656-41ff-af86-96eb2950c4c71033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="74f6e625-e656-41ff-af86-96eb2950c4c7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\7f0267d1-a209-42fd-bdcb-3bf006f7d6c1.xml" RLTitle="Troubleshoot Certificate-Related Problems">
		<Attr Name="assetid" Value="7f0267d1-a209-42fd-bdcb-3bf006f7d6c1" />
		<Keyword Index="AssetId" Term="7f0267d1-a209-42fd-bdcb-3bf006f7d6c1" />
		<Keyword Index="AssetId" Term="7f0267d1-a209-42fd-bdcb-3bf006f7d6c11033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="7f0267d1-a209-42fd-bdcb-3bf006f7d6c1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\870fd126-5c68-4ecb-ab8a-a255370e9d9f.xml" RLTitle="Certificate Properties General Tab">
		<Attr Name="assetid" Value="870fd126-5c68-4ecb-ab8a-a255370e9d9f" />
		<Keyword Index="AssetId" Term="870fd126-5c68-4ecb-ab8a-a255370e9d9f" />
		<Keyword Index="AssetId" Term="870fd126-5c68-4ecb-ab8a-a255370e9d9f1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="870fd126-5c68-4ecb-ab8a-a255370e9d9f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8e6b017b-1658-4171-a18c-3d10fefed477.xml" RLTitle="Create a Custom Certificate Request">
		<Attr Name="assetid" Value="8e6b017b-1658-4171-a18c-3d10fefed477" />
		<Keyword Index="AssetId" Term="8e6b017b-1658-4171-a18c-3d10fefed477" />
		<Keyword Index="AssetId" Term="8e6b017b-1658-4171-a18c-3d10fefed4771033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8e6b017b-1658-4171-a18c-3d10fefed477" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\92ad94a0-3eeb-4916-8fbe-05b803affa3e.xml" RLTitle="Display Archived Certificates">
		<Attr Name="assetid" Value="92ad94a0-3eeb-4916-8fbe-05b803affa3e" />
		<Keyword Index="AssetId" Term="92ad94a0-3eeb-4916-8fbe-05b803affa3e" />
		<Keyword Index="AssetId" Term="92ad94a0-3eeb-4916-8fbe-05b803affa3e1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="92ad94a0-3eeb-4916-8fbe-05b803affa3e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\934bccbb-a2f1-44b0-b725-e410ab613f59.xml" RLTitle="Cryptographic Service Providers">
		<Attr Name="assetid" Value="934bccbb-a2f1-44b0-b725-e410ab613f59" />
		<Keyword Index="AssetId" Term="934bccbb-a2f1-44b0-b725-e410ab613f59" />
		<Keyword Index="AssetId" Term="934bccbb-a2f1-44b0-b725-e410ab613f591033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="934bccbb-a2f1-44b0-b725-e410ab613f59" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1.xml" RLTitle="View Certificate Information">
		<Attr Name="assetid" Value="93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1" />
		<Keyword Index="AssetId" Term="93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1" />
		<Keyword Index="AssetId" Term="93516ea6-dd2d-4903-9f8d-f9ebf7bc69d11033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\953d9851-ad11-46ac-82ad-769405c4a6ef.xml" RLTitle="Using Certificates">
		<Attr Name="assetid" Value="953d9851-ad11-46ac-82ad-769405c4a6ef" />
		<Keyword Index="AssetId" Term="953d9851-ad11-46ac-82ad-769405c4a6ef" />
		<Keyword Index="AssetId" Term="953d9851-ad11-46ac-82ad-769405c4a6ef1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="953d9851-ad11-46ac-82ad-769405c4a6ef" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\964edfbd-d935-4352-b054-5e3dfe6c547e.xml" RLTitle="Certificate Enrollment Web Service Overview">
		<Attr Name="assetid" Value="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Keyword Index="AssetId" Term="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Keyword Index="AssetId" Term="964edfbd-d935-4352-b054-5e3dfe6c547e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="964edfbd-d935-4352-b054-5e3dfe6c547e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\97af909c-e2f0-4a7e-8203-435aa9784623.xml" RLTitle="EFS Certificates">
		<Attr Name="assetid" Value="97af909c-e2f0-4a7e-8203-435aa9784623" />
		<Keyword Index="AssetId" Term="97af909c-e2f0-4a7e-8203-435aa9784623" />
		<Keyword Index="AssetId" Term="97af909c-e2f0-4a7e-8203-435aa97846231033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="97af909c-e2f0-4a7e-8203-435aa9784623" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9936f79e-567a-4a65-8b23-43b7d35e9122.xml" RLTitle="Export a Certificate">
		<Attr Name="assetid" Value="9936f79e-567a-4a65-8b23-43b7d35e9122" />
		<Keyword Index="AssetId" Term="9936f79e-567a-4a65-8b23-43b7d35e9122" />
		<Keyword Index="AssetId" Term="9936f79e-567a-4a65-8b23-43b7d35e91221033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9936f79e-567a-4a65-8b23-43b7d35e9122" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b776e5d1-307b-42f2-b2d1-c6dce2a49c9b.xml" RLTitle="View the Certificates in a PKCS #7 file">
		<Attr Name="assetid" Value="b776e5d1-307b-42f2-b2d1-c6dce2a49c9b" />
		<Keyword Index="AssetId" Term="b776e5d1-307b-42f2-b2d1-c6dce2a49c9b" />
		<Keyword Index="AssetId" Term="b776e5d1-307b-42f2-b2d1-c6dce2a49c9b1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b776e5d1-307b-42f2-b2d1-c6dce2a49c9b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1.xml" RLTitle="Certificate Enrollment Policy Web Service Overview">
		<Attr Name="assetid" Value="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Keyword Index="AssetId" Term="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Keyword Index="AssetId" Term="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b11033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ba0c1c06-47d1-4038-9189-294508e72c3b.xml" RLTitle="View Certificates">
		<Attr Name="assetid" Value="ba0c1c06-47d1-4038-9189-294508e72c3b" />
		<Keyword Index="AssetId" Term="ba0c1c06-47d1-4038-9189-294508e72c3b" />
		<Keyword Index="AssetId" Term="ba0c1c06-47d1-4038-9189-294508e72c3b1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ba0c1c06-47d1-4038-9189-294508e72c3b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ba6554ca-f33f-4dd3-beff-bd602018dcc5.xml" RLTitle="Certificates Overview">
		<Attr Name="assetid" Value="ba6554ca-f33f-4dd3-beff-bd602018dcc5" />
		<Keyword Index="AssetId" Term="ba6554ca-f33f-4dd3-beff-bd602018dcc5" />
		<Keyword Index="AssetId" Term="ba6554ca-f33f-4dd3-beff-bd602018dcc51033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ba6554ca-f33f-4dd3-beff-bd602018dcc5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bac506b2-57be-45c2-bdf6-1f976eeeb475.xml" RLTitle="Types of Certification Authorities">
		<Attr Name="assetid" Value="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Keyword Index="AssetId" Term="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Keyword Index="AssetId" Term="bac506b2-57be-45c2-bdf6-1f976eeeb4751033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bac506b2-57be-45c2-bdf6-1f976eeeb475" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bb23ebf2-6cd7-404c-908b-c30fce0dc8a6.xml" RLTitle="Certificate Validity Periods">
		<Attr Name="assetid" Value="bb23ebf2-6cd7-404c-908b-c30fce0dc8a6" />
		<Keyword Index="AssetId" Term="bb23ebf2-6cd7-404c-908b-c30fce0dc8a6" />
		<Keyword Index="AssetId" Term="bb23ebf2-6cd7-404c-908b-c30fce0dc8a61033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bb23ebf2-6cd7-404c-908b-c30fce0dc8a6" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bb6d72af-520d-4b1c-a8b7-7b08c58220d4.xml" RLTitle="Key Caching in Encrypting File System">
		<Attr Name="assetid" Value="bb6d72af-520d-4b1c-a8b7-7b08c58220d4" />
		<Keyword Index="AssetId" Term="bb6d72af-520d-4b1c-a8b7-7b08c58220d4" />
		<Keyword Index="AssetId" Term="bb6d72af-520d-4b1c-a8b7-7b08c58220d41033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bb6d72af-520d-4b1c-a8b7-7b08c58220d4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c29aefb0-902d-4c47-8408-a91d1e0978e0.xml" RLTitle="View Certificate Trust List Details">
		<Attr Name="assetid" Value="c29aefb0-902d-4c47-8408-a91d1e0978e0" />
		<Keyword Index="AssetId" Term="c29aefb0-902d-4c47-8408-a91d1e0978e0" />
		<Keyword Index="AssetId" Term="c29aefb0-902d-4c47-8408-a91d1e0978e01033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c29aefb0-902d-4c47-8408-a91d1e0978e0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c2c2b497-274e-490f-935e-e8046f00e57d.xml" RLTitle="Autoenroll for a Certificate from the Certificates Snap-in">
		<Attr Name="assetid" Value="c2c2b497-274e-490f-935e-e8046f00e57d" />
		<Keyword Index="AssetId" Term="c2c2b497-274e-490f-935e-e8046f00e57d" />
		<Keyword Index="AssetId" Term="c2c2b497-274e-490f-935e-e8046f00e57d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c2c2b497-274e-490f-935e-e8046f00e57d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c7eefeb4-3ecc-45c5-9447-3b673903f76b.xml" RLTitle="View Security Catalog Details">
		<Attr Name="assetid" Value="c7eefeb4-3ecc-45c5-9447-3b673903f76b" />
		<Keyword Index="AssetId" Term="c7eefeb4-3ecc-45c5-9447-3b673903f76b" />
		<Keyword Index="AssetId" Term="c7eefeb4-3ecc-45c5-9447-3b673903f76b1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c7eefeb4-3ecc-45c5-9447-3b673903f76b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d08d5ac3-2dc4-4069-b061-902e607f421d.xml" RLTitle="Learn More About Certificate Stores">
		<Attr Name="assetid" Value="d08d5ac3-2dc4-4069-b061-902e607f421d" />
		<Keyword Index="AssetId" Term="d08d5ac3-2dc4-4069-b061-902e607f421d" />
		<Keyword Index="AssetId" Term="d08d5ac3-2dc4-4069-b061-902e607f421d1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d08d5ac3-2dc4-4069-b061-902e607f421d" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d641377f-de00-4342-b15f-4879a3859ded.xml" RLTitle="Manage Certificate Enrollment Policy by Using Group Policy">
		<Attr Name="assetid" Value="d641377f-de00-4342-b15f-4879a3859ded" />
		<Keyword Index="AssetId" Term="d641377f-de00-4342-b15f-4879a3859ded" />
		<Keyword Index="AssetId" Term="d641377f-de00-4342-b15f-4879a3859ded1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d641377f-de00-4342-b15f-4879a3859ded" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d6d69e62-0640-4055-bee9-8b4a993c6ac8.xml" RLTitle="CA Certificates">
		<Attr Name="assetid" Value="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Keyword Index="AssetId" Term="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Keyword Index="AssetId" Term="d6d69e62-0640-4055-bee9-8b4a993c6ac81033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d6d69e62-0640-4055-bee9-8b4a993c6ac8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\d84b0b2f-1338-4c36-b363-747a4c09f47e.xml" RLTitle="Manage Trusted Root Certificates">
		<Attr Name="assetid" Value="d84b0b2f-1338-4c36-b363-747a4c09f47e" />
		<Keyword Index="AssetId" Term="d84b0b2f-1338-4c36-b363-747a4c09f47e" />
		<Keyword Index="AssetId" Term="d84b0b2f-1338-4c36-b363-747a4c09f47e1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="d84b0b2f-1338-4c36-b363-747a4c09f47e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\dc434757-4be7-4017-b40b-eaaf39269c3f.xml" RLTitle="Manage Trusted Publishers">
		<Attr Name="assetid" Value="dc434757-4be7-4017-b40b-eaaf39269c3f" />
		<Keyword Index="AssetId" Term="dc434757-4be7-4017-b40b-eaaf39269c3f" />
		<Keyword Index="AssetId" Term="dc434757-4be7-4017-b40b-eaaf39269c3f1033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="dc434757-4be7-4017-b40b-eaaf39269c3f" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e06a5b6b-f864-49cc-85f4-f4870fac5559.xml" RLTitle="Request a Certificate Over the Web">
		<Attr Name="assetid" Value="e06a5b6b-f864-49cc-85f4-f4870fac5559" />
		<Keyword Index="AssetId" Term="e06a5b6b-f864-49cc-85f4-f4870fac5559" />
		<Keyword Index="AssetId" Term="e06a5b6b-f864-49cc-85f4-f4870fac55591033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e06a5b6b-f864-49cc-85f4-f4870fac5559" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e2d10a64-83c5-4a2b-bcca-e6984de16fdf.xml" RLTitle="Active Directory Certificate Services Resources">
		<Attr Name="assetid" Value="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Keyword Index="AssetId" Term="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Keyword Index="AssetId" Term="e2d10a64-83c5-4a2b-bcca-e6984de16fdf1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e2d10a64-83c5-4a2b-bcca-e6984de16fdf" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e8cef31a-070d-4f42-82db-efb7f8789583.xml" RLTitle="Submit an Advanced Certificate Request over the Web">
		<Attr Name="assetid" Value="e8cef31a-070d-4f42-82db-efb7f8789583" />
		<Keyword Index="AssetId" Term="e8cef31a-070d-4f42-82db-efb7f8789583" />
		<Keyword Index="AssetId" Term="e8cef31a-070d-4f42-82db-efb7f87895831033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e8cef31a-070d-4f42-82db-efb7f8789583" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e944f472-806b-4e58-b162-d18acff72884.xml" RLTitle="Public and Private Keys">
		<Attr Name="assetid" Value="e944f472-806b-4e58-b162-d18acff72884" />
		<Keyword Index="AssetId" Term="e944f472-806b-4e58-b162-d18acff72884" />
		<Keyword Index="AssetId" Term="e944f472-806b-4e58-b162-d18acff728841033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e944f472-806b-4e58-b162-d18acff72884" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2.xml" RLTitle="Active Directory Certificate Services Overview">
		<Attr Name="assetid" Value="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Keyword Index="AssetId" Term="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Keyword Index="AssetId" Term="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="ee335ea9-e1d1-4f85-b9a4-ab0a8e75a7d2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f4d0ff2c-e17f-4cf6-997b-413d844d71d0.xml" RLTitle="Stand-Alone Certification Authorities">
		<Attr Name="assetid" Value="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Keyword Index="AssetId" Term="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Keyword Index="AssetId" Term="f4d0ff2c-e17f-4cf6-997b-413d844d71d01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f4d0ff2c-e17f-4cf6-997b-413d844d71d0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f6004c40-2b76-4231-895b-dbdc109989a2.xml" RLTitle="Find Certificates">
		<Attr Name="assetid" Value="f6004c40-2b76-4231-895b-dbdc109989a2" />
		<Keyword Index="AssetId" Term="f6004c40-2b76-4231-895b-dbdc109989a2" />
		<Keyword Index="AssetId" Term="f6004c40-2b76-4231-895b-dbdc109989a21033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f6004c40-2b76-4231-895b-dbdc109989a2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f6cda72d-99fb-4874-85ec-a2b4495493e8.xml" RLTitle="Delete a Certificate">
		<Attr Name="assetid" Value="f6cda72d-99fb-4874-85ec-a2b4495493e8" />
		<Keyword Index="AssetId" Term="f6cda72d-99fb-4874-85ec-a2b4495493e8" />
		<Keyword Index="AssetId" Term="f6cda72d-99fb-4874-85ec-a2b4495493e81033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1753" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f6cda72d-99fb-4874-85ec-a2b4495493e8" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="certmgr_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=226f612b-6bb5-46a3-8d20-292f408f03f8" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=5d411321-7cc4-4027-8672-e011e2fb4d73" Title="Certificates">
			<HelpTOCNode Url="mshelp://windows/?id=355962c2-4f6b-4cbd-ab00-6e7ee4dddc16" Title="What is the Certificates Snap-in?" />
			<HelpTOCNode Url="mshelp://windows/?id=ba6554ca-f33f-4dd3-beff-bd602018dcc5" Title="Certificates Overview">
				<HelpTOCNode Url="mshelp://windows/?id=953d9851-ad11-46ac-82ad-769405c4a6ef" Title="Using Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=e944f472-806b-4e58-b162-d18acff72884" Title="Public and Private Keys" />
				<HelpTOCNode Url="mshelp://windows/?id=1fd54ffb-ab16-4d6e-aeb0-a973532c8e43" Title="Certificate File Formats" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=67ba15f1-5648-480d-9886-a56a3e622d99" Title="Add the Certificates Snap-in to an MMC" />
			<HelpTOCNode Url="mshelp://windows/?id=6f574ad3-c4e6-431c-b668-448e9111253b" Title="Manage Certificates">
				<HelpTOCNode Url="mshelp://windows/?id=4ecbce82-4636-44a0-93ca-b664a186d22e" Title="Obtain a Certificate">
					<HelpTOCNode Url="mshelp://windows/?id=c2c2b497-274e-490f-935e-e8046f00e57d" Title="Autoenroll for a Certificate from the Certificates Snap-in" />
					<HelpTOCNode Url="mshelp://windows/?id=68354d8a-1cc2-491b-8352-053e133dcd2b" Title="Request Certificates by Using the Certificate Request Wizard">
						<HelpTOCNode Url="mshelp://windows/?id=61e3ea01-7b38-4ba8-a201-40ce9ba33f2c" Title="Request a Certificate">
							<HelpTOCNode Url="mshelp://windows/?id=4a9be825-e97d-4b0c-8b7b-a1f74a816619" Title="Subject Names" />
							<HelpTOCNode Url="mshelp://windows/?id=31cae6ad-5e3b-4eee-923e-11683014c320" Title="Certificate Extensions" />
							<HelpTOCNode Url="mshelp://windows/?id=934bccbb-a2f1-44b0-b725-e410ab613f59" Title="Cryptographic Service Providers" />
						</HelpTOCNode>
						<HelpTOCNode Url="mshelp://windows/?id=8e6b017b-1658-4171-a18c-3d10fefed477" Title="Create a Custom Certificate Request" />
						<HelpTOCNode Url="mshelp://windows/?id=3de3286a-efd8-4afc-8878-7a034355d90e" Title="Save a Certificate Request in a File" />
						<HelpTOCNode Url="mshelp://windows/?id=257877c3-707d-4681-8648-28dbc6d36cfb" Title="Sign Certificate Requests" />
						<HelpTOCNode Url="mshelp://windows/?id=b8def29c-47e2-4e6e-8fa6-f4c6db0d71b1" Title="Certificate Enrollment Policy Web Service Overview" />
						<HelpTOCNode Url="mshelp://windows/?id=964edfbd-d935-4352-b054-5e3dfe6c547e" Title="Certificate Enrollment Web Service Overview" />
						<HelpTOCNode Url="mshelp://windows/?id=64541c74-8112-4496-9721-1ddabcae5f4b" Title="Certificate Enrollment Policy Servers">
							<HelpTOCNode Url="mshelp://windows/?id=d641377f-de00-4342-b15f-4879a3859ded" Title="Manage Certificate Enrollment Policy by Using Group Policy" />
							<HelpTOCNode Url="mshelp://windows/?id=18bc3367-d4b1-4309-b9ed-db68dcb817bb" Title="Manage Certificate Enrollment Policy by Using the Certificates Snap-in" />
						</HelpTOCNode>
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=e06a5b6b-f864-49cc-85f4-f4870fac5559" Title="Request a Certificate Over the Web">
						<HelpTOCNode Url="mshelp://windows/?id=145ad383-de56-457f-9211-ffcff80f16b6" Title="Submit a User Certificate Request over the Web" />
						<HelpTOCNode Url="mshelp://windows/?id=e8cef31a-070d-4f42-82db-efb7f8789583" Title="Submit an Advanced Certificate Request over the Web" />
						<HelpTOCNode Url="mshelp://windows/?id=13391cab-ada5-43f8-9f5d-b61e0abdc66d" Title="Request a Certificate by Using a PKCS #10 or PKCS #7 File" />
						<HelpTOCNode Url="mshelp://windows/?id=262b06b9-4142-4c98-a6bc-95d3a4cecb51" Title="Check on a Pending Certificate Request" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=211b51a2-999a-43c0-86ac-92a32cbe1dd2" Title="Enroll for Certificates on Behalf of Other Users">
						<HelpTOCNode Url="mshelp://windows/?id=0d71e266-5cfd-4b01-ac32-81021d37875f" Title="Registration Authorities" />
					</HelpTOCNode>
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=4f9464fd-0968-4ce2-abc9-449008403225" Title="Renew a Certificate">
					<HelpTOCNode Url="mshelp://windows/?id=3eefd65f-6591-4062-8759-4fd208e9b9d1" Title="Renew a Certificate with the Same Key" />
					<HelpTOCNode Url="mshelp://windows/?id=23855705-69c5-4d71-90f5-8f6718df840c" Title="Renew a Certificate with a New Key" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=ba0c1c06-47d1-4038-9189-294508e72c3b" Title="View Certificates">
					<HelpTOCNode Url="mshelp://windows/?id=2e9e43a1-5201-41c3-9cdc-4da37713d37a" Title="Display Certificate Stores">
						<HelpTOCNode Url="mshelp://windows/?id=d08d5ac3-2dc4-4069-b061-902e607f421d" Title="Learn More About Certificate Stores" />
						<HelpTOCNode Url="mshelp://windows/?id=25789028-bfc8-48f5-9432-82e74ea48d59" Title="Display Certificates by Logical Certificate Stores" />
						<HelpTOCNode Url="mshelp://windows/?id=6b8b6b13-b4be-4a40-a696-352b40953286" Title="Display Certificates by Certificate Purpose" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=93516ea6-dd2d-4903-9f8d-f9ebf7bc69d1" Title="View Certificate Information">
						<HelpTOCNode Url="mshelp://windows/?id=0e5718dd-4e97-4618-8b06-8b6ff5a264d1" Title="General Tab" />
						<HelpTOCNode Url="mshelp://windows/?id=74f6e625-e656-41ff-af86-96eb2950c4c7" Title="Details Tab">
							<HelpTOCNode Url="mshelp://windows/?id=bb23ebf2-6cd7-404c-908b-c30fce0dc8a6" Title="Certificate Validity Periods" />
							<HelpTOCNode Url="mshelp://windows/?id=3f7ef00a-b1af-4d5e-af78-cd8df001bad8" Title="Hash Algorithms" />
						</HelpTOCNode>
						<HelpTOCNode Url="mshelp://windows/?id=47f4da34-b4e8-45b3-80be-89521b08ec7c" Title="Certification Path Tab" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=67ca7b60-9ba5-401b-876e-fe8ee384b9ec" Title="View Certificate Properties">
						<HelpTOCNode Url="mshelp://windows/?id=870fd126-5c68-4ecb-ab8a-a255370e9d9f" Title="Certificate Properties General Tab" />
						<HelpTOCNode Url="mshelp://windows/?id=532adf18-b09e-416b-a966-ca74ee11aa38" Title="Certificate Properties Cross-Certificates Tab" />
						<HelpTOCNode Url="mshelp://windows/?id=0b14470f-97ed-43b5-8b3e-717ed832e2b3" Title="Certificate Properties OCSP Tab" />
						<HelpTOCNode Url="mshelp://windows/?id=1403e7d1-3200-41f2-8d69-be89f4f6f140" Title="Certificate Properties Extended Validation Tab" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=b776e5d1-307b-42f2-b2d1-c6dce2a49c9b" Title="View the Certificates in a PKCS #7 file" />
					<HelpTOCNode Url="mshelp://windows/?id=92ad94a0-3eeb-4916-8fbe-05b803affa3e" Title="Display Archived Certificates" />
					<HelpTOCNode Url="mshelp://windows/?id=645cc20c-215c-4a8e-b624-40c8cbb3e1b5" Title="View Certificate Revocation List Details" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=3c7f161a-96d9-4ed1-9050-5279bd6a0c49" Title="Modify the Properties of a Certificate" />
				<HelpTOCNode Url="mshelp://windows/?id=f6cda72d-99fb-4874-85ec-a2b4495493e8" Title="Delete a Certificate" />
				<HelpTOCNode Url="mshelp://windows/?id=f6004c40-2b76-4231-895b-dbdc109989a2" Title="Find Certificates" />
				<HelpTOCNode Url="mshelp://windows/?id=34bc986a-a55c-4d4d-a073-cfad924b1187" Title="Move Certificates">
					<HelpTOCNode Url="mshelp://windows/?id=68340bf6-9412-4a41-bb36-2ccc8c1ab5cf" Title="Import a Certificate" />
					<HelpTOCNode Url="mshelp://windows/?id=9936f79e-567a-4a65-8b23-43b7d35e9122" Title="Export a Certificate" />
					<HelpTOCNode Url="mshelp://windows/?id=66730f06-9190-4eb1-bf08-88c79f4a0a23" Title="Export a Certificate with the Private Key" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=69631784-438c-435a-be35-5ee1e1353c4d" Title="Automate Certificate Management">
					<HelpTOCNode Url="mshelp://windows/?id=23654ad1-27f9-4a60-9a8a-d99728764562" Title="Credential Roaming" />
					<HelpTOCNode Url="mshelp://windows/?id=219dca64-eb32-4f48-8083-8a6c3dbaf237" Title="Certificate Path Validation">
						<HelpTOCNode Url="mshelp://windows/?id=d84b0b2f-1338-4c36-b363-747a4c09f47e" Title="Manage Trusted Root Certificates" />
						<HelpTOCNode Url="mshelp://windows/?id=dc434757-4be7-4017-b40b-eaaf39269c3f" Title="Manage Trusted Publishers" />
						<HelpTOCNode Url="mshelp://windows/?id=70588c7b-c9ba-425f-84e9-d4fe44f6e294" Title="Manage Network Retrieval and Path Validation" />
						<HelpTOCNode Url="mshelp://windows/?id=58107cc5-aedf-4212-9568-2dfe1a0b1452" Title="Manage Revocation Checking Policy" />
					</HelpTOCNode>
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=7f0267d1-a209-42fd-bdcb-3bf006f7d6c1" Title="Troubleshoot Certificate-Related Problems" />
			<HelpTOCNode Url="mshelp://windows/?id=64e30de7-088f-4e77-9a69-d2b940b1777f" Title="Resources for Certificates" />
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> 	uUP!FEO3o0(]{P!!(넰BD$%*EJP!*$Ep{DFЬ޺na=l <R_l6Z%R4D;3\`ux[+‚ 7>! Xs8AbA%+Vi2[Ъ;u7zVbfi\k}~-yv/\.GM~ÆuY
v쵗Zj2f;w/?=lvkݳj]v??K;c~Rgoc>G~-nex`-~]kRM^&_^Ss\a556~{SӰ}~lj};"Kztǽ־nΡz-׻]kvkl4W?;Qm[B>Ζ҇QpQy]㷥&ֺcXkmOtЃ.o/a].]ZMKw5-Sp7=!.'e?WHM~k5G\ew^O^?Z>i/{/XƊKc䇟슯5	mGӽWV/^9uk
5t/՘zg5[k
m4:s\O1^_>~;֩Q{׮=/.~ȼZ[߱;8njyk5lEWjbVy<ךW|5´~7WSkuܹ]&Ϲ]kOT[޹+ܵe=>ɭ!{G5Wݽҿ{54/
OW[yk-wo/v7O|}f?VpdNv׮tRmO=s2_p~?ݗ|t_4X/,MG]p
>|yCO?_4yN§6X=ІOh{~}Ü4FK~|;p.GioH#^?O9NwqO<GҤ
_emޯCG_N cRGί3髟qһޯ;Z:&;տWV^=C:>+W:^tjs.S;4[ͥtm;4ɽpo.Pѹl.y9ҏisM.y>=Ϛ-:==vK{in{s.QNХdFлocurَrVtOIi{-]zK63=K{iǎCS>KK;NH?G|˹}WS6̫62չ~<|C8·>w|C@Їu?=}Cm}C#}Cʤs}ZG+ˎ>[z>;lFK}__~
_^M7gzvjF-G?z><P_ل^ZzKg~5gͯ×=u>.ೲ+2e~Q؊\>c/X.f|;.fo]$GG7'S|v2˺v9e9e9e9:eִsny_ѓ//sєʗ藙`Ya/sіԗ/.1__f3s/)޻̗̏ocG̏&̞siGGwm{oG̎.mv2<#>v|v?pwnߠ}ԓ}#rϽGMu;Jxwy{O!}|'gG~;T?뇁h}>xQ#ه>qx6<Q'		;e|1wW8re.3ݽxoͱvytCytW/oM)
ϡSJLtO)vRS
{JHŒN))=S
=
S0^:{JJtN))>S
p>
SJ|P)LN)R
KS>S
uJ)LN)R)+>S
|J^X8R):uJ)̎O¸R)R#)>
KSJ|a|J`8R-)RS
0>
gS;vJ)LOO)žRS
vJ)N);^ϧJvN))>S
p>
SJwN))Rx˝S
wJ)LO¸RK);xR8M);ӧJF}wJ)N)>
SJ^}€)O)>
S<xJ)LO¸Rc)RXg)>
SJxO))^<R’R3o
뭮ƹqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqgqg|6p]Őb.PpŐb{1aߋb1|_/CabxD~1_aPb^_/o/1:|b/!b8#_/ÉŰHb1Z|f/!0<|1j7_/!1Lz|? _/p/ápHb1,~_õ1d{~1(_/Ôb1\|o/Ö|1r/|1c_2/!Űhb1|s:_/Ý!b}1BCy9omDEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢh-ZEhZ-EѢhS>"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""<"͊gn^=o!nݣr'	CͯM
_6Կp'])ەt˦j~ۇzc┺nN8߻N9fS锺]3<|͞=;ֻנ¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.¸p.\…p\.ńm&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&?&1<ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x5D7\Xe]7AYn`7`,X`X,`,X`X;,,;,`,X`X,`,X?+`ٰ`X,`,X|Y,X`}hW,j!:΂`X,`,Xa>[_#ւ`X,vGj|;`B>vq;Fc(}དw>לɩ:;W|룁h}>xQ#ه>}x_P<b!3䉻7.؅Wiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii&Uiiiiiiiiiiiiiiiiiiiiiiiiiiiݶ|~ilizniiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii=UW*\rU*W\啫rUW*\rUg\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\[iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiio44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44Mj͖M٤Ujl&R
jقUa'[85ٰg6/44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44M|y*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\rU*W\啫rUW*\r+Px)iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiimiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii{ے4MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44Mimaw.}O[mPɃ.囟NW2v.SyghvNwEϚWsi}DyfG)珹ԳϻW #O_]&v]}gLUWywwm//K'?v/Bqs&obÆfmodiÿq18oupyyG<zʫy֓_W+w/.ώǃ?qw.)+{1	%B׵	wH%ZFm7#n5u݊YgN
3DCEWupD|ټw}rBu~.F^|Ѥ
]kW EQ$32	Mjm%,Uͣ#m&n"\aUMSiqwZB9bpk.S=H|)\o(# gϔxc;3J"8bT}p;:R^mڜ`K~:t@w̦x\[%F]/1A⛖zn]6Z=wϹ0٭ρ29o.hORA?QTGmETO+w^A(s't–csU]ڏ3+:\M(BuϳтzdG,F8EREJ<B3>l9a=f,{*W<mB;*U>γۑO$|qS?LGÁzuBs~wڡ0o͸5M\ELZo#mjǶIûUCj1$АSc84Wt .>\ ~ގ]^3MB7ہ/O}><nXl!}1D,5AT.[~y#(l_Xxs23p-J>sT
^BcyF"(9&'`D`e	}}:wc	@!s[<<FN:khq[Ulp)&y]EO٠^2
ՕnQUkϼud??C|=#+=;/42@o;(F9-S8Qbh$H5O3R>#W5Ζ3T+Kzf|.]6:sO9D-|ITq
wԌ
/Nz8-}eVbGGۗwRX3*+Ư0 OWiN:zi~SngL(I<GYͮ`NwٍEۍ	u:D@jTL69BKD<7{kz
M<
d%J.3dFGwS,;۬ Me{LT-AA!ԵbNLKaf2(̾݉
"M-	Q,'C
&~ÖJxj[o'F{]92	63A7+WDž5
lf`J)?GY BoKBƖr{8$$:&»}`Hm5
ٮ\=֙c
la[x	u$
ܜ'f=
ʆ
ML](Ž`*J[a٪Rui.w~^.~5H
wDƊ`E)J;ԪU=PwGLijjE%SOۄ"Fؠ#Dx[udCsZ{F"MSYRq~7LAEifK{ajX{ks=Ş.4Z
܄ɾtbUC3Vӣj|CM%ASUv6b2:u
BOG"4k
}=,).'y=6k!?kl1_㕰;*5bjM5E~$c%>Ag	D5t;'spst}OeHٙvu;Ɲ]4"3BewN?pZn2#Qf4<9I*:Rޮ=o)|Hd]MHG[(0ID>V"F >;"dtbI[dY"DIbZ:7TI/9}AHEI(/R2؛ZAϧc0CYl+ )eH 0]T<>錾bܵxT7iRT`p	NpT=XXdL)6Rf͎w< aTKݯ`	~j~&'i+aV3@L;qo7tS}]J@Tsࡌ(;{[!ݓu@<r̂Z<8
w6kF,tK(i,4CQx(mɌfep`iDž!l$`Tֲ29YY6.Z췵3;MĽ~K"f Hq߽-J$t~3Z\X*nYʞKnRœ$'	x3~J^QȒ:ց@}{w*dpeߖ	Z*_97Z!J[Sm]~S01a.;yR>\ւ5ׯR*P/	'ZI(_Mj*Β^G}-0
.~qR?dq6AO78p.zZ>?kT`‹:0;FĝZVSʚm=ua{ûpբ3#p3^Q_V"UlB}	"z{cmrz;4֚!|;T9H;Ced78ôO”-;S>[vC%}i\)+tM@evp%d:3Y1GGK7NŻ-ҥhwp\Pb$X/{k%;ƑW˨7YAAeww|pjD5BMijޫ>V»
~c~>"yt-u~nXBOA~ֹeL_	gVk8U9C$%E#KNj;PS>IBpiexs~D*~PH/6{\IHduMIue{|ZƑ\]BkƺtucYhejsٜұ1ˌrn`JPp]VoUX8Sus8@PxX[69l-5̺eJ_K,*%U|b$K4dsa3|.HK	Leb~wQY5Hv1?y/xkd4Y9)GTNN
Ak7_[TY'sȪۇo$Ob@
agtLub!+Rq\o&W@{4lP[?jݒoo*Fp _Ǘ/u|'-JXvKƥbbrX9_Gb*߭vK
} bj_b)9c0=HSx_\}C͟RC+KRa0)>i:WKT0bZ;s9Z3Z2ni0
݌úC#DOLh1j1%sE<XsjnQ&SA\ͱo7!F-<׃2^X¼
?
	ڒS
T_~˝S6sPJiaP+;*A&3wwJB׺lyM?2hWyS
ZJک,OtP;u`	ә꣑hiGUűAhwTyv[17ɐóCPZ<ϱ[<O,X2:׸9+TXҗ|<iؚ5+TysWJ>s"赲:o+egz2"NHf!ru=Zv~-xؤZ-~ɘ #IomOۃ5C+g_皉Gp@F/{8
\AEh
-ZpX;}Гvf8O[M6:S)-.*Ie{,
ΔnN)+$)6)dL]dw4ܵio6ȄkP20yu*S?:T$8۸Xю-+**x};YMg\
/BXv*
KF݃e2>VM3\tv'D#$PBȦU5*_^GMO=xvܱ{Q\ǾR:"j̛e2]B~i{+BR[_m^@ߐ(eoݹ	jE)^RYS.	u
>A)rơ|Lx[lU5TOz_3k}1x7CS|[$&^%`.ۘ]&[_YӅZ-ZVH+x
֦3Ys
\eY"'T-tJt6rj{WUjvɐi.Eb|BA~¡kWHjf,ΜF{ǣt)i+,Xv=9#>11EC˨y[4
Zeмڴj̆*N/ik%sO\;cZ!w[wi%C
ax#}Ԥ?Tfhk	(śQo
n;mځEÀřҾNTІ3hEc;2#@_Cᶇi}kGٛDS~շأ(1Z1P0HZFjC؁sfzL%Ұ*rt;m?LF{R5G)BũhRW
lF8%-|![wEJ$+i]sOcR?գx7FO-d<a^jНJ
TeV⏁L壒bb?vZG|;W]4?ؖ|wlGrVÑz~2߽ekvP<-|!꭛!>Z!bbFE7Ubʺ
ww=9
PݡͿH?_z 1/UjH9F-[{Z6%7c޺@ҤJ(T߷G[Z>}93oxQ"-OfSf\)bf<}wm%-j%jrJ2)6BHӌy|=֖rJ
sD,.⓫<]FWbMN)8JM$0tFEe2XN
2\AOwU*dY
2,5*[=.7N{űaFA[._)L"ItUMW[`pX-J}0;,*G}s@v_LGBw݅y/íqKpZO?zP-?XLLKEZYv+f
UeZ81Ay:A3-q	Pxh #X:pptur9
?jWI{O 8<@k|]>aV'Vp)V6?OS?OSԟ?OS?OSԟ79)jkLS@GPK*nD5^tf֋~2]ҴGIA#:](-TswNtKy0ۡ8z'">֛pP+cc*m}>@v&+%}Ņ*IK\&D5Uzm{ U	:B?klMֈW&0S)I\cUoםZ'
.,p42=%F7jgpAqWY\BN,5
??e.[(D(ޠӅ/~Fq_SJ0r֞ʆ"Q$̦le!"
]Ptb\
q7Ӥob<,2wkc&}EپN&[]=@{?LX9[[f!:n"5݃-	'囮&rد1#HǏANjo7Fĺ;D8Vd-}_35&Y\Fe{*Φב܏U&1GHTB؀yRSN<b͠.KAgo]Ejٙk"!#Q␓qU/C{ d#AfX͒"j"@	LwrY>*Bei^pXRk:JKӫ7AN2VErkȼ'XeyzJ]hNC_m~0OLy^Q_?i;hqX+L97؃^߭u
#Bl.\־9?=Ho;6! O¡"ѵhPkddAC˷29kmu0Vp~0ubOl%EUgJ\8IQzCwj^HSzu~
F_Q8bT-m h5gV4Mm٪~V]lkf:2xbLqї//^jpC<2+pװ*K(;7m3|ΆUcU^R)rly-[@ܗ)GP2îE2JI^"d6&;?|zZCRe¿P26~yׂ6I!?Ƹfֈ&c/f`>ګy|RQIwr.mG.{*#KWYh9nlqejiBsaLEA
%UBg.bwcZdp&SٯZzV#,@Az$hUraXpA3Z;@Fdj~EU"
v4+5{jgYCĹ|SyZkn^7u1.vb3`!Yvrqq+I$E"c͝ω%`Mmpݯ6
oc
K%Ӌtl UӤKk%/V5vud
Ư#ʘ@Z:5|Sfg_h'c2`Fb'Hkwnk;6\d6S.O*jsqonB}iuwQ6>NwoyQ!ig!u;
I7ASXFNeOP8%J昬nPSy[m:1! (x'On{e{8:('KWxwv׆1W29i7SuE:ܩn\=e7Qi]WPLJ6s
-onx^ lH|@)&UopH9q#mϕȹ~-FCHux0e]]
ѽFçダ>c*$GUgLS5.
RkhVvS[(0v̟fpIWRި	ddV)DW^gU!idll:a&5q94RyٞT^6
{ECdlrCBK憈@V`8̟}<5WpKߡ<m3 T=#>@zo}o1?"|mg9wר1qp0~,\D2^xrr(RUlDB-2AFFO]o`^x>aϋ[XW
(z\vnިV|EKnLPcd--Le[ظ-k޻wRn	wNixRL@e
;t3o0
aFP7T#
	Ϲ)$7cV ,n9wzO~4Ph;vB<.h'oc峍Q/֨X,Rv4ToSZ6&N"sL``ڲHr'XpjpMpAldc娘)-rcO
bghK84 R&7ߵ1?w1AmRm{D=~{;z(x{q>1*5)r*v_χFu<6!{K{2wzɤXCqmqB=L}b#;g_F]sk^YqWz~Y4'SlJ#7-θl- ]S7, ՚xXrEt,:tzJ"1&' {ikQGA`0w4ifThi:37%(H
zW."}xa76D0UgyhMuNMfӎRZx3QXhBD"[mwCf+O)#΢}*A<V0i/?~<@\s+ V
"V^UH2d;DC5܎8;7}ݭ>iGG	7j~GӅ#IwgOPȊlw OW>xD5wB$dU*UFejcn+gLֺi0 qäTS;\m/n;A.Wٛ>*|o&!ĦO]UWg!868j	39Ӗu?<OwZ
MݽS;M0PW9•EN3<nO:>uةb~<ߗ.SG|4Za<6/ɠ-ޏ]ׇSFjЁkLb|
`]Z{Ҭ)-e%=&v֡$dyO$5[¸(D;9@Umey5I+8"۩IQ7ykmV,K[kƯ!iD譇!|i!m;,IJp60v"ׇ>LnN|e-8_gL}&:SX4/&gr*;䕭U
?p&ۙLGgמ$#f[,/b&LRD`ۓt_1SA'L;6#-2D[4\@~0(HneeWOwxc
NQZpΣh*&ppP .ٰ8oE*S®GoStsXɂZbkoBn? >IA'd(㚇7&4[Q<.da+3A8UO,C9$~?Պ~\(ҔI5g"|q^o'M٭]9 c͚19nՖ>[oHѬ߯CfMtwۤVWwxgaL୤/8[ʲ:o|뫋6Ka:n:S^+n;sKЋDD[߾`zrjmIY/Fgj"HhRgQ3;0RW4u+]w=G'H2ol
:hKdpqu<7OHpџAM8_1A$@MԎ
0 qWYއϺקpAY 륿~%\=AK$*^/Qv:)\/7APt{bZ3ǁ4Dac6 =:[ROhmXLR+)b(\@T2:2fc]T	
LmF†u__܆?`{ #?%VdFGhq@$W5xŒrXR09N':$.o(>j~b1.h*)RpvckR=[l->h2ᠢ*UnM%=I]cѷEdr!V#g	H'=SՄG
޻KVRDgʻQVٵW-|"N!	/_J(`:z2"1~DF*`@L
k̇
	xBӖ7ABƶxR'0=͗#6jvaeŻ+lgJVZpJIG#[kSh*C0A!!nA؁<9:>;848@$ͫ'>;"!Μ2T8:t(6jY](N MDUvH56%Qʕ_4tSi9䁫HRR~* vUΞ~-YoΒ>vZp~d=RDW?J4;.IH>3ڦʨ,xEs2hҦ61ÐIy9chjl43x??Fə)OUX6ф>bPWtPfp	
*7O8,#_C:\^N9,Axp0ʦ߇ljqί\"V܍qCjATD6t`:E‹0}qYs@ǃUBԂUک{0wxG94'9ׄ}'ޜ*YE
wN..h#B$N%=X,jLvQߒor1{h^:$H1MvZ}
1-64j'ȧ~P7>NR"uquӛ`L
¸3U׭MNHll$tunJ|[x
, |(?i~ԋzkՉJ5;1'׶cH#*tZ;ƅ@DR1bo_Vh\jR	-Vo1II1.Mq'$2|vSZ)-L$k3kH-x֒T©Nw:Faoj:8СBdXQ{ny ɷkzKTlrnQ(	Yziwٝ>;Ķi˅V!A+cK٭죑CA_vbKoZY<Ff9=
c[b^GM;~mQ4;sINֽpSdybnPy5;{*dGّIG{KZTXzHr;XUu>x^zTEbt.Glq>r8bHj0f@"Pd?"EUk-Ngw
~
Tu(n酨n4yB ;[aW'щE|2Rq0Cn/8#[l>s@Ŷae˵|ߍ53LKMc̝
`l2„>'l΍mԗ@)=YQmN)TC&ʫ94k`ybwσe>,Y"ugy;¯z2BAs2R
ݨ ^W2D_s>EZ轼SYNKns#LL@euffف.eֺ:1[9+L~?7
]EmmLkk).'Eb2úxL;Xoۯe	m7lK#Za
/VKˊX,F\+#%k;;Z̒*-wrČ$<NA:G>,ruFbE`wn+(݆/pMKԻĻf~)~]\T3$[ӹgSE{
93k3l3ݺ&B0g<[-B|LV\
H-PJHf?&cw"⑶k˪s!u:m%	FS\ɩhY3t=5+1gDZC:1yaUH46Cɳ3Kj]9l2'nlr
X~eDӜe6A|
lCȌ#TOq쒰z!A-l>2).M(RU+8>lv_s%x4+Je?՛v[M$rh+sh+w-jcՌ:\&]8ĻUkhn;^hi<àpNگFkIDxud:8{Qv䏹[4ߔR/ЭmYn,GX'pk4~:!T.,3o{yZ=Ws8{Kii+U)k{@Kb&%ssvXrWxWߺt0FapbꗲK枹t>y
m>SxQbPhN{z?Ub#פ6f`t"]7ejb	[<Ŏo-LZ&~;}(ݲYZ1HX; )V2ʣØjR8cH
.{DFVO)j='8^	7:crHGv
?r2/. Ng~1Hnå5uz&bRr!P
#XC]oOeJ{#s|47n%vQ\jXoY]*x;<fᓭڟ0\.TosfM:Iըmu$c]|;462d	(&NWrh(RXYbt0pdpxxm*~<ZC5̌jbfY^cBj-fQb͉9lGV+F2䍎fb"}S/D<Oޥ*t(b!
դ\'^io^q7LT
T6m_ĨiΧ`!62Nyh&8zlIQoӃ7n^+넪)RXzꔮWOњ'%yj` W;S9H$lX\6M|n _As@zNcQ芸1e[u޺;1$GNb950xd恷v	<:["c¦-8|Hx[/=xRN-D );-<|\|_5zX-I̓^a-]xXBN%%a84kgȳ$>drp$DA&?U<l؇"Z8;z+Jo庁Gȍw3Wj^[p|{auibI2zJ-PkE/(3<:n@
"53he[_kQ+Se91
yҡMtD_Ikvu%ytگJE?
.]o,0M&(bd-^K2fja򘤩ZXZJ١`ԱĔ٪Jbő}xz:]ݭc]f T4!` eن)a<4Cd][e2nxy-x_ʹS]˂a߹i1.Tsy*Y`Av	Jr[DE=~KQjHJ5)sR;Mq`\oդbw1ǶrXo;	uˢ`fӎ(nZ'K:^w>d?ws2s(hVCl1И>h0u[ªSoS^pJғ|!	E-TZ':Lgk L?x_:-x7jp0s(ekBjpQ2ɁD l7GHj„#櫮eiqa~`[p]oh;8DEƷ7ΒNkΞ1ُsڔդbxG@@`H/ l]pxgGAp6jE\AjI"..}eMz,}deRlv?j7t\}K^_mL1i~Bg[;RwDj*|Ċ9݇z>6~P66jLݠhħ-y
uSAwZڟhTY}PN8j3>tq}1phyV+B"Tz;!8IcU&ҬJn8yZ0~JЅYau5
-Rl);5۸Rٯ/fHCrAj_CwuEn8(]\
E
߇Ap#_4)H}nɗĔ$jar;Jd
GZʥzCX݉r<?Ԉ;9]-m R?0*̤Qm5
Aᇷsl@z3ݔ:)U4~:k9RЩ1u(^_prF/Z|骅"`@`1R,\CG{(aUΚ%2TxzK^ꍡesp0Av6f-r>00U/˧En2l(,WFR3fܓMI\I)ĮDqDH2YXABw
l _@#Ù#h)ӎzC5x͝zɇ\#j:H3-5zm}yeTzN%P7fe@3ZP':]N߹8F]Б%q!PR-GD\}9@e#Zf8vo7jL1'qeNEή$z)EvK }ZV
^mg/0深I,:qic͢%0u^|+*zয়*k/KpPx
T'`FNA.Sbz?z?g9X8M2P뷃 qD6-=	_y/^e:1aXje	0TN2AF2e.Sϑ7ӌ?:}bE(	. 	5Ɍ؍NwaLʫ
L/[S8G-ᒶ$Ag
wP[ZJ2d+ZF3n2MyeB݇e;jE>tBd>pS_.+6eɥרs4e2}Z!Xemg֠˴
a\}v~۵ΣA}xp0KDw4}V)n$i@ޖEc9<+V^Fq4yR	`}dU&p{Tk/s>B2W%|
{$찛=l3XU	|U9d.ev
pd%D/6['Hӛ-sz'Yd^瓿	Ьy@^HWjnشgJ8.(Q3SGE%[xKػn~ddEmK
MK41`@>:xVs$Ax7g%V#iI=.t<DoZJ#cj0yRTjnf|ĠYnc+ڰPw^.kѥޢy]5\SMeyq0@@<::2)xh+cÒr-;NL7|	Gp%K@;u`qĥ~6FiI<(j\g"U5E8X^ΤVr?\^EBUA
HQTiWeb1mU۶e-1Ww!⋼[eW;0;z:'kYġ?$tdxX8uxՏ 
V͑f49WgMV795{Dxa/9dStFEa
TA0_>8*׌2gLln÷|IKc_	!jt	=UBVyAFgiI=O<l3_>Wp1J'm:Mc|0{J`hREqɥ3"Kܿ1_i|A>ŤkjvV;Nʵu-V/#:C|!DTpvAg٘U_KӦd
sDQ^fޟJp\2wb$*dF2Ѡ` 㕯^drjoO%Aړl۶Ix6#+aݖF
}?`ͩR(g1ƻ=6l'N%W2#sY\!i> 5k-$1'<J=YlS8<lW8G߁FZ@
-]wX3/3 _S;(yPs?8&Wk™jʾtw
U5tI%PVNO[+HTCQ	MR+B`R'g
VlDjz؁59m'fݒBМck!4Qvp4:"Cw	{aZ'We]!E9lO7]⳺\zӶX-ZL]~A/	Or@vs1ծ"Ht;iN;ŘL6*,jڭQ}.f0N2pNvajtYМ4@<dW\`
^w;d޷K܁=oӶ0v+ zu@?As60(>	K ެʌ7Ih=71q9rZTs[:|DZ|הWwR6vc*}0;$#|tjO7ǃtgl4RZD_ݢr}Jl۸I/l)+MŹ?>B+O
9##:N'm7/1R@/JoINVnz
r^ߑ~ixU^@a35]3	]EߞlJHI*Ss?SH~G(>"S?l:X?hܮe/Z=Oۤ%]k7/v9;7皇
@	>o^o/vqaIҎB+{
R9oշ]r<XՊ&3gřIH72/||EPcMȈ9]֕HHO
yzC<]NE[-JUr6;ÓgIʭWZJ&ܚpjlƐGKZ=N[h>$=²	E9U,}ɟT:d?0DžRi	Sa};NK۬o=݋8T kP8Z-"/PToV	͞,eIKS!0%C
ŋ
%<PgIRXY2BDC.
`n2CKi%ky*][UeݚUxed^U0n8%sV`ז_,h&ջ~7WA>S4pYZ,!%K,Fj4F	o[+>_D=*#ZDFeCa;N_;f3K8m/OYza!]\AnO370m@ozauW%K@=n1Ȑ
*ZnV5Oks@kP5	Tn&ۂ/yZ8'Bi?~c<l'ZUuӈ/=paGKq7>O#;dV0G;caE5vӑS!oiE᜴^I'}hrm%ԒiR$};dnO^ko&{V8bU֋(n]*~׷l˵868mP{\H3&F~ؤߞUQoFBȍHd.
&חo4.lW:UvtKK	2
qs~+zח`ϝx"F)b29MMw4Y|DnX@5o:صJߩ}:2l[?=$H8veGe	`3)0vaWn=͵ilqk$U)(rZ웢;<X=$'!hN%{$<*2hh`5%0qعQfR'\ʹCY!ZDžI|逈0[D]wIg<cBU\֮VHQ2ҚVDz!ۿCxV1'=wAJ-P^N$'ZS?p@5 ct{ʬ4P)^2noi`<3V򒗷@MuSk>:Q
svɑc)XkhNOV4*}#{9́UkŪ/}4($?E)m8ۇ
=k5^FD;	-ZL'}	i*S>DHgo4Q]<Rk4N3#oG_>aXۍh}	9Q.A\֧]8(<*X
t(DPO=ޑp=Ly
y{rnjS,K+u+*Tʎ	ɡnHȝ69e1B<	hz;\M%.|>SPRhPoQ C2KV&݂^*@RBd\=/RyYJ	֟Q7RjuW㴲rőm4@'efQkSv$l7oST"1v/]E^k8BߪdD4,;v[,j`6O0]vP{҃
c/ڗ+&wg
2,uqEv%cUg\M/g&zg!m~y'8[je$PTWjl6Q'>|KD1;~("-ZqG	O̓KRr){G~gobR-Ο~$Ѐ,#,$Y;$]bSumtA>\NQ]ER_n..yAL7ETwk<W#޸̯XkCx{^VM*K:sv#<ބznFwnegpN(2#2Z5m+bBMMx[t5fBko6@H9Au5:%HRheZohޚ<CjEϟ_L8mz
UԜ煭]Seh#9mdjdn^HqΔ.7q9:) 8%#_'8,(=5jچLvu<YƩ]i$xJaL8Nl>l+΄6VWv2C9;Ա6$
"ۍ,bsmi:ccde5%BUKNޮ$סX!Em8g\uye~S'ILY(D_b,&rb4B}=ژC__P&2Rqkʩ7dYvC60횟bw,+y{{GmZ;U]ͤtY(f<T^2Sr#7z]:ЪemXߵBܜGVy0͜a|GMBUtRz1ZxR0ʄLAS W}Xa4	9gt:#xk
H.8m(6?go<=ED(xZ_":o=q]K{|ܵU+vr%S7tOb[8.RL"l#^;Ш(]٬cw~S{>x+>oJġM*#
Or	ji:=XV4|7?~,\c}zW~;|R{8{BP؜`]UŠycK1jΞ2UM/t=CJrD:8HofY)O+kM6ҙۚ?MCLiG#id
^iYm"-x` VXt%m]VxXȹ%g,;
(u*x3p}MpP ͢2^ت]+r6j6qܫgOۗB6N+ iW[{Aʪx냋J,a<e^n=[r]\'iЌk{x
=/8-ۭ]+bjyS|ljvj#85ElȘ.e@3Nǻuk{pڣMV%$Aj0	=z
]^Kw&51M6a(~gل4Q!]U`?~n[@KwRlOe&Q}Jyߤ1RhO͋&G_n6asf2{|
g6+%LfYSvT[{rh'=#)1>0ѾX鈔92;.h@9PgĶcN.ٲgw?)PWP8gw?|hږ%zA〧1l-WጸX[N8zG*_C\gV_?>șJo9#xf`?ٌB5(YImT
ՠ?hRΗ;-hF},i)>U«!$:_X:-U,
^=֥e
#
eO,yΙ'dQ;<)t\DNhS^X(-;5*ݿ7"}i=N7T(W;RFSf{8 Au)m51T?iyjF4f/$$T_TB/-Z>z)'q1OeJ5/+g(z!>_
֖A'_y6z
6ԏ>Gkmϡe.K5lVA/`/fHekOuکcWBmcb
tq9Hԛ[K|.Zr#|)l@.+3Ν84{=T1wfB{W+3W-?e5e\wM7~
cJ2*;jw%փvtzwS!DKnэDml
hA<U
|M뇨HR[	%O	8KaHBWn[|IUzH{߱J<O${}߭ΒUtX&L H	׈\q֩hZa^1fHi
"`>(cw9˘X,vTln9jW)V/|Sm5%:cׂO}[p^bfmc~n
9!L^sѵ޷#srp2K̳śվԷ<m-O_gZsy;C(n~x־{ӼHK1~YWYzQ.|(@M~τ@?/RwWEw+__T,WвuFA/)[6+R/ߘq,Sߎ-a<!Xb\`t`vOɉ:T*gkn۞CsTyK[ڟn}|"<dq
dN})ޔ fEw2e5k1tE!v׹@"Fk6v\W^lnj˥܃?AI'qS!.ukQOުSnV/eXTQl0yR,W7a{ 8SDp;ѧa-D_7s

~MUnpPXD:4V7H;UX|o^y*pu;[My:mNə}*V8I>{Qn픒9WwL-C
݊\8(Zz)l4mǧdlxvPl|,1Trդ믨-SS0xSP>EZWg/uAA6h'?Hr7~Y}尟#ts8ɟ[xGZ1MݿrS7&<=aLnTVz߮|;zapnrSxV[ҊKmU2EگTvє
j@6Κ׸xĹtpջWn0ɞss|{,;dcc;Sa2烍{0|p 13Z2i
DAc;$/[2iF?Lٽ#ъή|ci*Vk
,]Zl1Q&($7MI~,"\$XR9K %~SZpkX?&(MV,a	.&%1Nq#.$ac"<-gt#vijpbqb3p6^i[zu[aM{,c'n.pzEjs%}L%e#[],N9mkgi`&#%PT]~DGXnC=~&.Y-X5eq
#t,rqTXOYkvg@'[:24EIDBtvNlYHs0ēu;gAGt3xiԵŠ
Ӌ
c^fP
Zq{J=a>0bk¸	X
u21ܕx
@ВܣtM۠c;.5~v.dDM؄NW|Dy~[t:vg@d5|PˉNsuS|?I#sOdGmno.9g|1%}5RsLJo?CsZBu.{|Aۗ?sk9ntټ}v9ln/osyp.kknq䔭ѯX;2We=ṕ6@}6\˥4q&۹ۑ)}~У];L1I	4o#UoasqHRz/u:$N &f`ꀻ{
+`5-C?w&l?㸛ͭG-(fjY☝4͹VH<0q`Z9vy<vIwE5跤,@PLJ+1G
Xӝp`M㰵FF"fĂ#pFY߯;H6/nrUiANhx
zzѼء-yw&~}^&RON"$nlF0&}9dNm!tJ䝱1Z]*7&6z%˅MlNSP,5mI	]b	&IȏH*D!`[(	hY[1(мP	@}6z1z
HŖUl-TyP\XsjMcKsQa7bӬ v'0R's)TSpUAs^]Í|~G6cYz:X`>nd{#$u6]f!G
ZLNGvt? Tduf.=ҾN
?݃ӭdvHf,W<%mySLT{\~Lwǹ%a~5Ey7{VFz-jn_8JAF}	Gli(qqΆg_$U船5
ZlݬcDm	I-a&?P@Ir}*zb$F
#sD4!:@2I[Ьp;M+ީK+SKܵp'^,'{fúBs[
oqͮ<&0.oT/Վy^J5FRw g>6F:5j9#c't;[SFtEEBOmx)8fvq C%=ݭ>dlA%dWHRs(ZP7a7⾏lZ.;A}sr#MͥdS'48iz3֘r2~ZI(\!Wv`  Q[C,S1*=씖%lJr)߸y$VeknSs9CRa\Z:h5Y8	*XHAUbu,?
0"+|8bV`<o͆Y-K#15L2.[Nsd=>OڜG!6GcͮȒP3ʩkf5`zY?c!)tǦd.,;[KH4_΋U)<*\f_{-;bݿQP."TjIK|eϐbՕԍv+s	4Q\G6#hDMUDۥkfK#<u=MD+t,t68W	0[-΢ØK(d9זտͷf6Uފ4V1;3`$e'*ToOgnW@Q{d	&Y[l_w0R nt2-`yB+r9@(Zppa\FChTc0^M~JǍ,?ȐzwWe9@D.
r'wDs)sp,*ZJ	>qv]jtf-Ot#|ݯ՞_!aqmz%C2
t:yKK|;[~5^P[`/؈QaRB{wNC*|k@
]B~nT{mh|NAJ9Z.wF=0z哞uH$(xB4|6İ|w1G0.;BWыmⰿ֙*>>тV^ї2a+GgF|e5ۼYGd>]s%ҿ7kx<~#Q316Fb<><b`7~9ٰ )3"ċW7
=93*ijX2]{$}d
OaځP0a,fKsyiO]4r
 2xNmIppӣ?Ԃ#O,WwL]ͽMWXGD¦AݑA9ϲs+'`&	aNk!UD֠YK/oC/ZG韬іy*EvNnack.r|#lXvζ`4k]&W	S@pϊ<]ctn˝˭6j^&Glr+C\9R!)fü+ߡ.L|NvsDm,Q >Ƒ7X"7FVqo?Y;C]V	")F[(KNIJ([Ƿy*_=j(YIrX)UiqRIdoo"n\*kh$Mylu[56qK
{>vg]r3yps9L֨'P%9k:MhwҮhGj1%G=PQ
‡(3uhv[KWNyH1	&bM#APh%w8%RgX	
x"U
-FuߜeIZf
Ѷ(t	,,+e|R.ݹq݊4 (XVWMUB˗a{2>\5#Þ~ū#6MMTL\+jV)WJiւe*LMn;ucK0ABE6#<y\U.χUh7ey2?&	ůjl[}lcAveG?. o߽͘opzbPŠY=eUa܅]կ5-'P^(?;AW$D-ۑf,RU@
5n9=Yl+xi3|bR㪺Zb(uP|{ne
D<i$zQ<Zr_̹k<1L)S%J7>gC&`?,
azq-<]cgrus2][ށmwM^ѥ05oiғK	w1
)>-Ibrȍ)'Ux"[e+Cݴ"fKͧ+
nA6jo`vdâ,+يI;fIs`&lA{/{NOsZ,}j
=
aHՐ`(lcKϪP@)<$QX1 gg?z<6P0E]2a+g?+_U
c՘njjPdTCg$^c,CdSƟ+7n 
}[p9N(>;˒C@gn*ߊ_c,[6Eml5Fg+ot}cދ,
nH6kݥLDW[/Xt7f+GEY,T'__{&?FK6m@x?ysx._]홏htk2sܦ^Ank'a=鉃<?T*pRNMvb'KZa#9(ͨ9G\(K-3BMLc5`ǜzƩ
gM2o]0P ;'U
-9o1
==͘g:{
_pUL,|EϞka @84VJ-fs;02:a.zuFjMcOlqLE[tT />qtU{R!-Rh"3
%*`T}Ȁ[ʔի淞Mckag~87K8X}Rе9玝
q-ux}hq@f[]ڙuR䪶Ł;?
41[h1nST=&u^xT'q<vx"9Wbew\ce?~|({wxL8Z*9iS{Rhɻ؏_Iԟw0-`ŧ|
.2*9^:8iڼ])q@] ֌߶v_ͦ"8eTUpZ_!Ow3-̃|"@L-ޑ,>f톍Cqwsg 2CTh\#!`Vt&'vQsP(MUZzy7uKR_NG"LߑWh+yCȚ|KS]6A(;}bKCo%&|c0~"ҜpKY;YL	fra5xмsRb
}e{S^l=[Kբ[Y\*x;tfi,M(ϐap_>gN
Cy$Ac-k	vC]v)(=F
M>yqspW6z|uv3>ABWZMa6y+v\7^!-xHw8[2LH5;/ƮL&HQgi7_g_}蠜?3xs=+-n722<'OT	JD&Pt	q0wU{Rdm+7~}XdUނuS2`Z=> ~<beV>MOQh@VC5_AdK>U .6ɏ;7U[Մ2KK@\.wKC+W}-!|jwx+>fg8y{[|7erx
~`X/
s$b\MHxk-Q|wn62\!Oݽmg#?UbV|pJ㑾\4()@e00/ؗˣv*:d]ATSRԬeJ$ӂBXCYKyI)h\}> 2`f @.@Xc"Mz@oDό?ҿŞ/n3┟葈|dZ6WUaoPrɧmV{Vꖔ1iJv+]M-sâBoA$hK{/f4-#vCӞXޝsLkjP!4O=MLc+_u̔v;f`bPOBToE;q2qo"(t*K?Y5L24-Xxl3TYQEĢ{8?2Eug(M1SQqOoU感d)5[MxpcUbh@3
A &G"`.˵U][G)`IэW_;'؜}Lҹ	`5p\uPC!n
D]B%\}EPWy=z?ꉤnى=
)Ƒx&ef,<O7Gī;Χei"^GW/~;yngj@D*݃}Z4_;TW1KA_"4njlyJ(Orb`^m*np%f/t2kM%2ǯ4ɡ}J@vցꗇ0g'ܹ;]flUcwQcɄG~2ږ2O
YrTV8aokv{[&ڋ~w/G=Wg9](WoK.dҳ8v</;qc|=\_KقKAO]]mhFgUh,w|sn~$ιXsn&*Ħ/=%i\I*BI**.VKb5ST5Vx%
bJ{׋t*יNI!MmPPVFl=!#T5|sT$7ʏ`b8xQÖjb!ǫj,M˥+B{l]9ޯv7FVC^;$=RDY8ޅR̮|4(jڇ/(TAF=Ja8o|W3j/yd-mM7R˭ROZEATNSY:a	ŢE-WTLKh5-u5e@`lVE&mRr*/rBpQ|l}x\g.5n;H)O!.MU3tCI§U%hLOec۰6+Z<eA3F˘\ !ȷeŇjjdV7'Uoe}Њbn\kİ&ܜ',1(.XPHjį膃jJ	0(F8	TUڔywӭGZi.8FmZe4><Gm.wT6$
zÁl4Xnvb7M
e—{@QN^"hBwd^$+xF-X9%.lbΓΟ{#|:_9fB#2ڹ&xn[ɿ{sqeF5<e_G	[c#!T5(@bђZ+
`~}Pf7xh7`+1W9X~-	_?44nL>ŀug8]t3M%/Yy%G
+68꿲kGx}PV
lﻬ{]E!4yڍsݣC!73g/y{ډX*gِ#6̠V_}9]PTNn9.HAU/!/&è(re\.h
^~5'EZٿќf5vν*DOu*҇(1Ig0M,pĶWvp#l-Of雿Υ<j$.P}_N+rRM@m|{u(&}9$U"0:3%)×{UlOΪ	Yݼ!\M'*>\h#ioM;o9l'"kB7ھt=0Yx&9j:؆`w3dfK<<M`N;*s>dBĢ[O+Ʃ\$[=;ǔ4cwλ<鳏S!?%%uGb|_~3RSGnh0̽p:Zʈii$ڜKۢZG#WE1{,zcl>X+1toV9_֨ü.QkR
mq,ac1P7r96Mٌj;ë\P50z>]//%٬Eg+6NKk¬g+jIVߖmvZZ<8]L5?8JŒ6-;}F(pbc4KR2$5KVttUr?dd6kř(+CO!1
6cC36ĴChl̯vxgBI}ea O˙䖙_晥,Qy=-vgXbkwtX,j+=/֞DG<XcڵhL_[ֻ6\U|Hi
TyXUi1ZXW\Zs,hBNOLiq*n_SBzxr\%No0[í޸y̌l]bE݀n1{t@إDVY-;>ϾT(zpd8I<|<n翙2|}ƴQfnnUČЉį6#,n4G7[APYQEJ/vat0k#ʻ"@aH;$<&T# W
2TBZ/ wW֩!ukx2t%Jo>.dA-`h-J́w+e|q4v4Gϸs'-Wi%Ey\YWXP*ÛXy!zQ&Ɨ*9<"`($䢶BSobR'S<;uk?H0	B5T]l4VןG-GDn-8,rޓn\kA7lIAMC2@7w9=	.Pt55.nG#ZWLsWi#IP{a$X:m	Ѹ>^Qĩ"grUQSx1ёZv	vP3ZCѡ-o8I5
h<LY+"G+eS(+NRDٰܑ,DI<4XlYI\[M%$x_'
]<`_95]S'\.oU֨GN벵=/wҕr-zJ*1e+")u^̌zB2Qˈ1$@83Z`nّ/
ՂG'\
TZ~B)DfcJD~bdJ^Q"Vģw`4pQj|JPBUWEWٿjNUZ̥UNO|̂kh6&SLӽy?_55uٸ1Ԝ
568<,%Aq*Q@+ +TowASɵy2GJ=蟒wcTʳLUqW@	#/iTiz	ʟY	7On
3dVoL1G1檧Jh[Y1zFRpGڐ`	Asz堆l.c*HDJAd鯷GGS(]o}Koz̠=G=hl19j.jO\oA9U
׻Y)|lSXG
kW??JioSV/|b̳DGY]jJ6nSk.<寘'k`,5woom/Q(Vt[募tEz͓ ,Qpܲ'h>%𽐞cWa
@s(Vz./i"GiƱyZ8
(>
[4z&`zBટ)f嫠74t<t99Y5l1l'z\0{8U5'mZTjGOW20TkądZ,?N
һZphZ=:Q]N-Ri>HW4$b~[[g/,6Yi}{1*ֱQIyGգwc.ZQjUlEZ˧fKދˈ
3rG}}D4cy+o,#Zo4#
@M4پ:v?P$c|ѹ%G@OeB}LD^Osڡj^I?E1ʓtpДd%ψy'wT!|-.l@.7bB%Hl1D-cLdo	:%VÁ`-+å
EFư{$n?t?]?ݭ7m'%M[azO^oӆ/Ӂ?/!S!_i$Tmf#zs- hײζh7᝘`P"wY/˅e%YΕ6fNOK$hH[Rp@R>%l:<80?Ē_yo)Kt?=""rQU7YLm%2JDFB!!|zŸ2.l[VIu~J|Ѻ~>v`@g)\ewet֦#JrrH9+z5'1;{$>:1Y
x1ݖ*)fͅ3gHgM.ԉӱ{s4FjȢ9lKc#̇f᡹#EW+ٷ,/<	;?8gϲu-OW>M"QQo)[xėF&B|wXޫ(׺M!7|]C%"wɚ@!
J/

^GtjrR<u}ԪγEwTiɡ^=~TLJkL.Nv\2H+^{w.<c HεzP3k(67=v{4ޘEzncҒ7)f]D5рt.׮0=Z9~-ޡLDr5Pɑy|+$Q!)9/}kJZ^ﰧ'^3m.a1&R-
^g\ioI5!|5@5yۘoX[q8h7TĀެZpFWaxW?X(^ԝIaY_Ews
T;5\><OAVEϼp_qwa4nV^AF\12Ð},Dĝ
ܴ[ʯ\#bYk)mHB5Lc(wAIX/?Jkf:u*)%HrC'=;߇ިX Xu13MaeE
1F	Kcz۶VHkK=ÂJmWh4vy=>BӒN%-2+Ҩ2[D({r}oq\ħOh_1紇ʥE0og֐'=2C
'wu-c{N\h%_rx\vp܀?OCh^4áPȧ@]!Yb/7;R@[?ӧ^@/S`z
:̼YN*Tar8ĤGו)2Nⶏg@#`eo `?_N>)v8D;Sj@[uU1K>|@/m&٨IJWzϔ;G)eb(Gu	Z]O0I<sMIpI3l2.r[Q'!}iJrzwϑش§4h8t
q%+{YWCZ)_U3qxA2pcY';	Cn->O^	6!cjdAݺ7l*h>-0`*"}xQrd0W5M/I[9E:O8}rCԬrcBbW|zl=YRdBO5?ͷ	[QpD \I@Eh.}d2߸q[Qh=^#*ץv-kM|U*Xt ,RC^:~Wh.
6C(q4HCﳅiOkVi*kpFUD@cJEKo~0S;sUŹ{I:J]c\JbT/8&piBf/Zy3$Y4`5(ɇK@3nyϺF@XBWMEIb=Jsc}$|MӜ-h0cV=
U7mݲ}Q
O/>	K}mֲ-|9FO̶(CxRs>3(=Z.N9!El	92Fׄ#x%/Y2'3(־1IVc0UX8ַANt`Քg-!#R1dŒ񟟯[m~kԫo.=^{	i.}#L&@8{(sSkQf_[֔XX,K,ҙQ뮪]*. eFm@KsHܷ967i+D')N2N\f%+AZ6yfO0l!e.MEgY8tHCq(
d@t%r{CH%A>99244`(yq
V+5?@GM̡cu>t/:
M8JkG|w"pTƨ
q"n7bIiRi@<{]~Y
꒯Oh;6\/[	BD67Cufe"԰eHKނ'*ʏy#D}D<;K$<87z>NA%{\>
_%y:.quc֒P{-}c['I"LIn-QާpN/d!8R6;@3vL,\OktEւK+:˥vSC;'\j
D[t%zBKڊpJfEٴoO}86
Nv
>R09kwXiBv
k)BER
ʿ{Ӿ"x@4 UWS>Jl7SHw]"!M.pqBrcq[uzHPwfL"0G@<@@8ԁ聼ֻ$ ;&.a.z9/'t*3G(">F*?l4DGȇ#PQ7il3Pt{plH^'jz3Z1f؈cqLRJ|[XQiΘH$/f1`\1#rr!R'1ˆ,ߍ8q/ρC߯!D$5~"f!$#,?шC'|szCc.=)\t
N:k3œS"uÓщ^N< ԃ/p#Dwh0­̴~<go'oRuz9vPoyʯ7y/#T6[iD	eOp^mW%es0UBD?K"9Ȁv &mS:M#] !:p?N:|}>ZIbmQxbƛMjT0&Oi!<](}r.54ҬŘF黿,vruHmNXM8<y3nM\o9*Pdoh})m5ip<cE~v(ҫ,i{~6Ёesh	ؖ0pRcF9aNj8V:yYy%/ne/< Q3gC^;$v҇)N'#?LVfXl^O:kIh%#3*Ô?w[{ƭ#*Um8m7a]Vr߶24\4
X"O3El>sε\|6Q_/ `썥7XX3"dD. 	ҿWc@@]q^˹{g)A mj:!Ml{~
#ao
d-d
Crɩl녘sX4+Oձ>ȐA8bN-ڋwW<ϲiob_IMiK&b$+`'kt@2qkxQk#/KOQF#raɖx;f9JI@Vzp$;9<Q$X*.<eOtA3A֏PP?1O
~OzU|IX퍇ʹ
b6l;N:`RGG܈	e5yy>)ZI1

7yyf7Pw2o0>pO/u|nDw-#lrўVBt:+hc76zXxl.[3d3He$2drv{„	lg+,WӭJЎP,@٣Rq( ^m<
Rr/~d߹ {z_^wgkz
b(YNLwSB5E[ײNAVu#l."U7c_ul6'ARs(S,0eO,Y8Z3m&o}4@^R*ƀxo<_!d	yB7u-?B&
pLr1H1xTuI-o!*&+7ȭV;M3u{ꠍlB8h&2d1m1xʋ&SK3
[.7=\(>̍=/hޏq
֯8ROL"=ƍ#/p&j;IZ<Sky[l.vuM~qI?S};;OMB/v/љ	=Q~ERt1^%6~/p7tуckiYG7a92hkt09w@Yj.~5_S/B*RHPNѻCѷ͹	S՗M~7BEDdۄ'ձjTMF^).WjJRП7rLwd"k3dB8۳̛aꝼ+)^:| 4AX[b8ҷ99qT{85e;WM2ǵqn9%P*x 'R{OfH6fvy2b5+G)<!`{UTu!^MU}|Qf]/h/[
}f`<;.yw mт/a.Bv`Ԍ/ޥoz8k`寔9 *}NokhexWH/?Phzk"*
tiKi1L%HIm*3\
xf+rWm9 G=^6	i:maΥ7r/s~"EZ}li>8Я|еOR
U3g5oƲ/ln@w;O"x"U<.9
S1V.cs5]-[ٴW}+b)ư1K/'=0o͹ݞ7]-5)73TdzH')ן+?:ap׶yj̴v!JH~ꐹ!s?=zTT~]u3\/L=cFwJ?vɮiڠ.=~=lo6E/m[	NMO2?ߚLo5{.}sU_aϾ?4_m}H<?UAnoq28H/..a-YWd+0)).''BHHIFvFECNAV@xn4>]Wrb_}	`Jݟv[SoiT癙flIV=oS#c}|xz4Y'G~4b2+)dD)<g߿E͝$xSP FDv7oz\>1è@o%~GgmObQ:?VL>#/ֿ{]Rcl[?Y`gkӾXGnR<{.>xĂNZN{p˯k;frm$ԏB@Qe_.Of	RBpǫ}S=^M4'Msd׊hlM+s-xEy}pr2qGCdON6yR*^VCM+?	"|p,sp|#X<sfi:f<-pa,̥6^>G:IRdG!޵7?蛅hg9Hfad I+"47qLcA#)%mmN~w"0#&قE($gZV@KB\xf0Nĭ?AHc{XL4
	CyQj8e00`nhvXWE=F[`7کgA3H-hKͳo"jSPpXT,}1^:ss%'_4Yox21p?V/^ny'Q
C3p9<*nU)Ѝ3g69fvw$O`F:O΃iK][eZ:|i[ﮐ\vWȍr9C	Y:=#mF@)A(=#֭oZ7!%Wkj~
X\4.fNIySv_UV#A#)c.ƺڕ9
oГoZ?D.f^,y~>]ӫ{u$Udx5dn*Kwe{BsPxy^1d~F?r{'ջ)ԑGb!j4^pM'\TQVs["xKuȂ]EhaKvTCEm,iPW).zT$ro%Ugpy('nZ=Ff$RȲ$V.'6Sa_s؎ʠs15aT<`+/ϤSQ%]VeP`7m
^}>'1YTBj~&^WEv>+l)MO}o^Y|lQDV	YCPcկ^epw
~NJGw`de;<T?~&ralBaw[l81uH)+GHl3vF<~Ͷ$ }K'JϾ|e_!p܆ΙzE2%K6dpލ=Bo%Ijƫ6ԝ-٣mQEwC9ęSCHS
Ӥ]|G5nM^zT/E%\1jqAz7!C˳z?'Ne:omXrcI'JGGY^2]
~,vd=ȧhjXf}6mj|˲}.3@B`+×cVp,;";OUL74о Z׌mGkI!.b@-؅g*鋸v+qq,|{S	σbY6uɔM
pxYĊ FрNWϘ6$՝/U%Ye'7(̻ON@zۑ۱۱۱۱۱zOQ1+&P8n@@C_'{?Qz}~գZ`\MU C5iD[bɼMz_5@CҫY?!N߀oZDZ;CiThp:3K$Q
7
oA8n='i	+LMmEg>6!kV'T͑a5f_VǓD{	XS&\M.,`U^Y~f- ޼yF@ewF!qЄ]4	V,|"a,W]e#
ua֛u5p#sh̪ucEnʸ6ܗ:Ì*.ljhܶ&u͎"CC@
EDc;H!8tͰ4lRM͜Ş>gR|eί4]Xʕc7@(Y#";>cXWJ|YGq}DJIJBDiC+LL°+'^F6F?p==biBmU	}UFfw86hx+VXGUF1=v/9kVnhy,+FZ*6|;;vжv`q0DM!9…~2󨤎V
˅ef1yL>mX1="K6`fܨu{E@\ܨ͎9c~ۮ}biQanI1]C0A&U+dvcc[͆8	& ״Ma3k2ۅc|QCA\ɣ*;8Vǹӻs%H=aA0S
{2HCQMbSutƞwmssnOp!Q.%KsZa+u2v

ɂ]wӆʉ2(C-8 =Ǟ8A *
]1N(]'abTLȧ1ez%X&ݪr93bҔ8e%I^.P!9I/ɓ46SRy险n4Џ8 V"
$)c`fqmbpD:*v-Ͳ<:-1(x:iR:ޜ
GYod.F-OA8ظ%iRw5Avӡ~yc@EiwRG넶BZ*F>R-:x73Ps~AX'jwa	6<&e|K[K}GbkhXYOVS<ʩ8TM;v~\ؙdޢT]Gϐ<TkH7o-3e:)쀿	AF_ysr:	V\W|SBI$D\.
"dLXkmfq8Ye(j08`Q$eW[Vٚoi2Cז'iHN9Ҭ^$/Ԅ:
e[Tj+&Vnl{"	ke
Uû1/C^sou2)TsӜe`k	iWs!3:@%-nr#%3k(Pq5Ő7v|:+RiDFcl6%>0v(xͫ3|XG*ᙑS8imcv,*nqz
Qi8Fo|W.ӺЦN[i6-فn[#38xWe9Y&.v
K֑rlxfN̨GjmΝzϥ!ihfk4_?Nڴ8NpV?}L2Q}x6+x~mvzHQ0C`Uӆ
Q
\
T8H->\2rU$#҅ȼȈ1+;=)o֣T\\҈5oFo:!Pܐ;6γĴgInp5]7QГvTJih)9Z	;+M0C>k&94|SvwfbZ6Ʉ 2pG*4X
PƮhܣsAhvWee|ar0nODV7j胏`
'RmTwu)xZr ⦡yr/7smʭlyL63Y"^Ay,VR]b$>!.&jkoN眶80Epiu,xªbdse}kpsrhj!2B.z\5
p0D[H=	i9`#<6.c9	Fwa9~NFhT]p""(&nBzX{zDJ *REbU*ŇGQ:ɟg0Z:eZ5^#ZD."S͉&M!f:/=?Tى%9vތm=;z'Ƣ֕7Rx}&s?C%-vZ22WX0G8a{,*`W-KÉ#ZhKq#dT y[TO8vO<ZUb>d(M.3%%"^׫hܹ
ӾOދHK<4,ÉmO-[Gs~P5#5f@gkL(`)8Ss8!|͐
] Fx|+[@3bXlֻv	q:W(hD-&Eh7\zON0k\hT3@Z^{V"/$)'kpd7\~iAjYҿq:+҄Y{잤?x'&Ո*vN.m~m(;}6#4q*NU
.tS8$1c+D%Cuۭ땒8=1-*GMiL߶<g9IZӄ'ay.:a*H!C1B:UKG;SN줺"`(D1V$:aNO z%eeVsmlj8YUS@Bd):M4#f
Ztdrs2$-Bj)&VqF,p2mŪE/tLK%o8+#4
M
wGHIA4ϯ`|bdj-Y\$\:"eK r77jfto.WU8v1@T,UufunD-Gr1[C.p옪ڮ kbTML[d
.

S,Ʌ
}.i;Wo2p=M/L,K;gg-A6PuTZ
vqEm6_iS&pVĂ73]rNh^#).f$cvմa3>qnu%hg=<eN>-u#8"^H"z1#Ճöƪ8gfsthDlqNC[%O'C364sJ3е
@XjNMȠ
	$pKӸ$j!*&nvMëzX)Hʅ:x0FbR@clGKxr=*,՞L"a/D?a!58@$"ehKW_]W~xfkw]n|ju{|3ԁ1\4md;HpyΉ9gռ@Wuv$V貆*|5pKNKOf`4]uFJ]Ӓs44.Թo3;ЈD9[IKy|t~
^z]T~XiC´JLDŽK!;R58C|V֘.&ҥQntf?AD\Pj՛=#J6UIq}pXKr{=~:Lq|dch'Pw97T>V|ej9lto+M;
=S"<uC&J ob	ũ=arSzC;V_%<CR@VD6t\[4*#}=ۼaHJyUvx(ťڄ~}"m-r™:PX!N]Em[PjBjxH2LUw_:
aIUfeyIp٭u[(vĺGS/
iFZ9%y	=BPU}zdxn96|;JmE6hdtU)R%YRBV|YC>}-6Eufnin1~e=*n跀iwEA/1Y{>=ĊoQVn5:SEڎEG̀Q)ÔkOZ$WhnБ/.
y0fHUxfP)a蘟0d`Fi*7@Ӟ?7 8	g0jɷŹmv`&;ݜ"OeL@]=pȹmn7FjgCpX,sEw#jl0<,z.Pr"xypr8'SF67pqL*^;>NA%Fn#!+	w^5$T/ZcQ_` [">/C5=~R;4S؉H8ٌN]ø+sp޴PIӉ"q)fId	x
"ՌAs\TN3j0,[5bEm;,
!3KwiaK^Zd9zFQF.kɼ<#IJu~*EU;y	zwW0v+\oN6bhnxn$|JOS%Lzj:I`\s]5BWKsuX{{{W}/i$XRr:7{r$s
8xƏ˗)nҚ:tVv<w}@"<ɶԏы3kuz%'enT7tq8"aѢ1㺜g;6MB!-@9!6bS} ػ2ϱ
.ME⾥'5I̓"xaͲ̡xq)\}tju?WL~%ѵoxa"'C2įq/e1bI`ƽ4=2*<홪'GYp{Wǜ?uP/4n%=绉jXD!]oϑ:~:-}t[34,U3Zq,%!QJ煭&WJEQjbJ/uêB:Gpw:]]KD!hY?QF<Zмsݪ`K#jyKPmr^hWxIKΊVct7k})6莍ܜ׀d
h„F2"O۵MҕpEۊNϮVFQ(9/Ad<X|^Na=9B"@eʕQjV	4neF
G0yUeNLvlTLmTkhn8Gqڢdlʾy\]扥Фaߪl| <
Qb
Pʴ4"D i_w:O|!4GO~ڌ]1;6q3Tlg6ǒS:#EdCMsޝ(WFfܺNL&핦_mtX8rev7###-]P#ÖleΓ׾Yͤb{{xM%R'`S(lȯ%`ds	S#E0z4
!!8
h/
ݦD
\yTFI;Z:fXTJ3~g_Op,-lNO$9CoWY5M"q͸/Th6'<UbYE,5pƯĤZx1n'y8C2_$&=_edBz
*!f<KmDУ1ù.#KbQq_D6ȉ&g0@utx\e1\Mm@.$54xHX
Wv}*?
rR]9Mް9.Ojc,Q\k&_u"iPXgT۟5HQ~kl)Ŏ={Hw>,Ep<J
Lkrl`nw=Yi`u~^h~
NA|u(4)
%D+	Rûq-K1}xFh{&(5T&`!R6.-[أf$y>#r%>ȉGR{\Y&ydL9'>t
Y`Wo$'DHm?!qZ#
 XvxÍT`z-5(8Z"H<prxp4IU 
9dKpܬV]XTX|c`Mk	A+>pS;y>rd<5|PF8Øl 'QUD拾iݡF	Ci!yZgI!BD1/T=@1B7,*8Y" cdA2B9%c۬;uVN5	6K !Phr{Tbma.$P
V%}hXDDZa9m˱)u)}103䊎`iIk+~#WqQi{-,XCqU*W\*|st@PeC`)53Θr(m,4С#[l	YY0Ou.
E-wwkN4ԥPK]#]"I!qh_x?-Nũ@aJ!֣rBNަdHa;+>D՟_z#__-u(Yַ^	'*V)p}
3daIHt
6XɝPJ"5TFҩ)Jxbt(kUgA_S+AAxur7Ho{6
:)φ$	$7U&^d1*WVyNUǞ!a@(S,ͬZ06j]UKAu-_Oclotfž	-$JCy3x	Еt<G;87ˀc
	%ޏ#)ns1̀C`"(YJdZ!xxbDZ0H]DMB5/dׇnZ%2Fa@DK_,&
D
4gX0LUGvA,P 	Q!)kj
!(܉ÃEfq4QnrZR֔yYPN\MwF8#ԈsVoC&"7
fhlRÜSp㠘Nm,NύψQ)'"jvd;\<I\"a8H8Jye-/ukF/2#6jY,' tG
,T!,oPp;fu2|5nڽB%K9{vEYkk&,A+[:%<;ȏPR
DPU[hLkp;#sFA5<xgy&6Vݜ!K &XuUO.
= $o(py*k).gqj<@ݶ.ـM溞P;_bܼ=K'?$V8RًVS%۔xs\I*B'Sf"z HA
NF56MʵrilJЅ{^6jXZ7vfhݭAw<'[AERڶJ8+ulwX{T*Ff-q<í5[ϯ5'pz"G8жU@zzBGID}Yvqby_23r|nr8z)z٩N~X;sGwe;xgy|GK<ˤ0P2	%Vx`,mD
H`kUKF],cQ
qRL-

<+ Ly/-\.svTh&ͤ|(
qVXT<:t-#$S!B@Usc+ׇ1>j!PMȼ
Cͨx9qD`PMA?àH't?/	\cE;.zܣK6p`Qt중'!aNuH	xxK#c4&$D]&pfXx2t Tބl51jgY)P1X57IAoQY@ɂLI&>1>G糚,K+~^֞.BdNmQAWk6IAWg5
\M7dF\.&m,S	
O)=ҋ[%9钀aŲXFnmsԺ3y6LYreL\gR$MTTyGi=Lv&GO]pOX	N|WՎU]cK{ښgkͨ>ȘN*iR3[8?QIpZUr}pȜM4L3eZ%Y1pXZoXO<)TgT4kE\JK6T+	ʥ#1v&A!$"~{Ch}~OABs( 6
'Al1 <MQ[ *bɩӲ"V15#g_;j㵒"Wj|R/<mt'#_zeOx=/x_)}	&<!/#ҳz|W< IuOwsT{-v x\FZ^?.wӤJ&S8]I+{]G!h'VR5dyqj:A	iisoutR
><̑'t`љ&n.j;`?~{MЂKMrN<G k̇<i4[Gq{d(wn'^Jl_c;@fw6+$n«5WaC2S1XG
Ip*
֤:=M")&J#_PT2ǼqbÙ?_ ~"XR=U}$opgV-fi?!_SzdF{[~[ܪQ(şa$nt6k\8حPӿzX P٦\T#donuz/5}ڔ4eXcU v,D;/ܧ=լG7*3U#L5Ŧ"Z9Ɍ:M7YbNz׿[?l{xHZX{rOoOQ
f|w/[Lߎt^zg3D[kjbwᝣ
`oH"2I~x62.7CCA
?
+N z@lܗa[M7GX [>rY|<z_oG.ߟt ߱h2}CS_.75Yvz45Z=um 3gQnբ8<Os^3@Cs_a%߮3HfI}Jv !>mgQX
XLU~`>5I'zPFJ3UŚ֊d1VU "ⶼ\ioM/
x9t6Ǧx=w6^xw$53UFffWW4c=U}8gQ
p5**|(1ΕW~*
~TQ/IҰ8䩔~'Jm
7+r$qtLZ7=YmͰotѱ@X}{ٵ͹;]=	_k]hhv2/s93rA^trϵp[@7)UPq^pSA0LQ$E3:&C%+祇 qɝjZc޶>=<"J(r޻GH,VpƲ&u@OW_܊x*=Aչī,6*9P<éj~&
Êxl2?V
Y掇R!kTfe7>+ʳU/𕈩dnyI "#jLp?ְXwn+*V"FHDqh[-ؠIG!,I	zc4ccE$ʏb%1BRlj`.VA1u#MQDVkg,Qut^?wP?RG7rJ/DpVUG"q_յ[C:!+Ř?wk[<4ڡ6_e}P=?ߏ99L2&_ 9Zɩ	n;U{<֬c|G}zU׈[Cqi<"B`a+/#n(eE"T3V>|<yWmKΉrL<;4FʯEa&҈[*(y/Cߊ6K&[w89~Wqd_tl}D2tqf3}/	؋2m*f穝bX3=.YT#=;[[7S_ug!)UIɃ1Dfz>/މЃMZ!zj/_:c8J,Ͱ;CC̐wPi"Eﺚ-T}l3mtNW&͗ȍ"x nbǩ@"]#jTsB܊da+&Y;4>IcWIY=0=,=g^1LW3o̬U<bDZ>3_1jYU{Sb&tq\^C
X]vuP
,
nPüp>ϕ2bxc/x*Eݮ&ƏՁEbwh=3ڙo;ޘcA՗+*w:溤d}#NJޙ;xR@
ƀ_:S9q{8;oҩ4S쏹g$}?|
CEXdg3<hWMΗxd6#
iW9?
_Ŕ^DBWVuW&X,b:;:vS/5<GD&Zg"Ih"6K!qe*"OKWJCk[mq~GLDXL*okKWl
zM?*?CbxIXv7cucI"O}Hz\X+2߿&L{^S⒖X׫SLbN!t<=ӼDW7HR7 x]~z""o53T3^%3W*ͼʑUGgyǒkN\tbani~vBK6=av]
+"GTZfzrgԳ2JrqPj9>Dy&L	„a	a˜0&L	„0aL&	a˜0&LQ:sK䆥i0ˮ}k7݌.FECxoR.y)Ť2e{<AճnOtr['Ft	uW-ʓt6Aݡ9cx!y*CrE?GIURX:q&eQ-6GNuf4u.轋Q<)C'yp<j.yiy0f_BG0h;3uW !sAVX!<foc[z9Qȿd8rޯ*Xgs^\ښqz:92;ԭ53W/P`NmѮo&F:
Ef_+N4h􀔕&q"U<)'ot:c{@gB̙UX+C'xwEfDBT;=D(9uH+nM,<ȯi\xXݑ{uXI<^272h9=?sg	vb/8Nn~,U.<	#_QʫhU2cT|Ƒci_XҗVOG7?/)6I=2=xtf$/JNl=φC	]}6GEwrUT!KasR
OgBjdw
th'\O9'3"j̠`H3NFX!o˗kc0XMg;~|4&>s,r4Q/,2IkY\OSX?dIM&u&1eDzVnkU&'(ﲟSaz|	Wn3bnNX][oEz~TOC?k;
fyU\O4}?iPwc
<t}?/,"VOӦrPO]qKOE\e	dg&S,&<WOg<Sg`uEu,ї0q$O5~w%LzJgEiwb4OmWVXM};C8۹+uM?ދCVCq){#i:?`V<-%jk{CQbIv1-jL—ym~lǺtnVgܬ8	s߳}E|S~WJ-|:ݶ7]+3ɿ/;bImբ/sf+SiG֨a{_g߿s~~?=ib6{Tn4
\k9}p7w&򴿕(UmB	As%J>6uk"(=+Zg9aw֧ʜ{,_kc?ؕߨxϾpNuxU@b"V5(Y)w|iU'=kLq>ww|3qf{bX_ܔ-cyU{)<{#v~Lq=@qLlKE5_ۈ$%`Ͻ~Z,o;,wϹtł?N2_αcL!􌏘FhCn׬	}<>cSs<oOw.w}J7],UGc)/Vܹ<{)KwC	„0aL&	az\:zOևTZE׍B̥*'7鹾J/Q۷xAn?|%5)W[Q,N+Q{!k,z"`t@_ʞ"`t]zҊoķ~~ns>aG[cSEf1To+㾞8d
Wa"!Χ)\<ؑS߈DtRR~~S(i@IpBz`=L0\Ȏvz@S#̬_BESM[{MЎ	=n#SmXT 0B9 0[{"nS^!vG=2"d좩@\qzډ=䮝#UcmBO:QCp .ݣ.0Wk`?Hx]e½dr~ܩz#@qzgMS{(|)8Q:G@H_@ ^D&EMq=8 =UE!qCxztRP 8Q=Ex;'@8{#n[T:Bԏu'OvB݊HSNPŵNC',n$QG`_CIf`|m:*Hu~t5߰'vT	]2")DT`-Zzl![9s6Q
?VmrtN:e:{ɰ̭c;l&ZKUCo1T΃[h mWG.նvg}ہ:x
8uv xu;x<ZCCZJ^S]OS99n	
vP`Tfj?@:`\uXos7טv[N<f+V0	kb2(13l=Gķ,6n-p,D
_wp
$Y\sa+:G3춅3яCmW#^:l
3@N6SgESؾx-by[v2800\}PD/gC0\mGA"4R dhb~}gp#cG91^CEt0=:TٍB6kt+(Y|Q#nX*{=G¦kv~Z?5ŗ;YI]͊~={Bw<z?ć#*Yyz+;$gK9_?~?:cӟۅ:/LD6Oq:tXt=
jhGXW1UC]=-,{2'
'?#˂Þ
z7q:"Տ; ^.(vz!fC.G06[NAH?t3Eژv=>$.F^:=kܣz0";L0NmS3iмsOĊ:?Ԯ[?:AbT?|tp*Eo4圻ml-xQ)nN~=
[H:^bW.I=
!~Z\Zδhl
xvi_oZ:ڸ?
=lG-LP4H=$;.:2Ip#1kY|/ck#U~l8--OxO稄\KTĠGӷ܇C2l.*>ُn=
ϯM\Oy1TF+ƥ;nuySv}4ba@PmONH ho#āUs}֐E|#(:#hGr=2؍ZoF蛕#
<v'A8OQ:
;S`jЂ"bMꪉ
BIj"MրDl6ȸIe5QAV(6IZ\PBdKE')Kq&ـWpB`j8")Z8YKƤo3Wx`QHT}%Rxd\BIT&kPl	&XTR`k""MTX`4W"k"MBdFKu"	ѽz8#}tCQ6Pfd\Bl2.!60Pd\C$N,;2. ˖%Dlk
K?l
eMB%DoaJ"	nщBI:5qA&IA
JBI=5AqY&#[`p~h D6	 6I'.!2%mQA[(6k.!2%o>HIzE5qA&l/@qm.(!2$r$5A(Q\	s
"Ptd\BKJ78\"XºF.!2%u&씨.Fs	KO@uD.{Ds	.

.!2捞(%*/7D/Ip
C$Aqa.xZBܢPs	
ȗ0nxA%(Q$qs[FԇKI$	s*
Cz	t[VD8\Ka 7K bnAE(Q$rD=/.DD%{32.!qɭ|
Cɍ.(!25HA(Q	_
sGsj

*(%P:?H{	0&L	z|CmU㸇m,%
T۵*혍qk{jk~	տHms=jXewɞ?*7brJKAv{`ˏZ18dahG-_VȢ6LjX|\ဇc;r"jЏߔ>e&'Σv}bG6BDhF	i-߷6Q2FoeO;UC$庁,-$_!fVdsTnY
]f|켩@A|]FXVdyD%2쫐+{[U<JZI%C9㲒[#TL"HZ~"`]..Z6YmTTs8fKY (ȵQ-AMqs%:&R|	mƒ$%ݏ$GvU(fBDeRҏ瞬I5}Ղn|}2TVU'q!1y5[M/s[ՓS0Xe%jy͒VJ4ŏ,◍sZW*vT1	hа*^3jV'	YXv$Ƒt<xїƵJq}<iԏ&"M~fI&ޖZ1Y_H--%tK
)S$.zV1".T_V4-s}D4{
eqCYMzѝcjj`zMIKI(b)ך:Q+gi򶵞(-IمceJhnZn#|Cܮ߱4/A[_Z=Ro=`
eryl̏ա;p5!3ih>?͖]Gdܯę(1LcPf4,֊}'VHQM3!]lF[̃לV35܆AZ5m#4<ʾ3hmY%ikF$kf0Kff6#5Hwc(ivP4S!R9	$>w*2د5omF4׌Vk&[oif8b5-WguD4k,Qſ&ʨ{ܥoffP޶zF5m2]jd#yocuIG=%.žAR
ut뭵f?{Cրg,6`c(ϔذǍ<־b_[{zc}KK6>6anF+&0Ԧ")f'HUf{1G3`#'WֵBU/-6'߉iyz8VM{rZ
dJ!Oo鷑;<2>qmܷR{%}#r'7`<Vf4o.PӉ%oo=<
76(o\(cuĥF[;CKzQ$qSA~=O&cmXZ!xHav2wc9R!w[I,IMRo_L:a
J\Ή8GL"oG;}	mɷg+J30RpLI~zKL!d}3K!)i'>YD4(i
/Z"uib-{*C)-C33_ڒ\c&2ĸ[Lә
//L[oP}pu[/Lb72+23Me1<S>5a[(Onwbjo9,,Oɴds'
/N"3b8
UK5D܈Za,kHlk7*ؠ$7%wc8U/+S5CSBm&>R2L+0\[*ظPCC[%W!SVK=g+	kTS.O㶥j`iڄZPw]QlS$*xbV?j0*_P41
t6}jWDNP5dTuVMT6~|Y
KVK꬞@hϼŽa^a檩2&f</6b䢘6vsvvIf2'	Cy;JF>x&ۺ{vlln&Fmmnk-B܆A6lF؛Hp
[j[7EL^#AHT5R8{#E^HAXHek8)FuR5q{j@u1ȪtNhb=Cݥ1.[e!m+FU^hΆ-h܆k|ٍ+{آm
FQ
{dR05vFAHj
,ֶ`s	`5R
u)E׍zآm
ƽFvH)#E^%
8^7H
[jآmHxE۰X
,1l6
F"`jzE)XFTjz#^HR5]RkԆ-aAV_37kk$44Linh-f	X6H4Dt9lhZ%z#Q)A:d m
xgtZ =@fk'CswDFpF@*8-Z7`=5EtAix`pEiKfe<<Y7G$^[Gr@U@;H8Z-pց
:V *-k{moR(@7k&1,b+ǝ6%ȉVdF5e##Q5U"A}_ ԀiNhږFPzk%e@%:U8!!Ɗ;$`ꢝI,1;C\#a="Jxf@PT/e<;hQ^ F$
2NX˲$JGF!&Q;ȱĸ7$SGh'/d,DljEHDm^Z#1;(ILhu#D~aw>J,Qboؠ\-7qZZ6GDW7`ڭUjQ;ZK+
gQionl
B6n
{f1(h^Wb%ơG8tYqZ*PIj6XM5hЊ01ǂo=!wdd
bȉ J
VŋXz#XAPX#ח†/5Du#*6(BRV	ԧ@2%ib3j_x0vJ@pGWZN +Ғ
hj jpyz"=+[uy`ypV=a~
GDH\$ke;/+D2Hwv=iX~[(ep(\lCf讍&aF2T/=#ɽ3p#AזD(c
aQE4u IACfh6&	#d{nrDӿ]`{qL\aE(9FԖb)',:JPQG L*2ԑdHq#j0kpbonLP$S 7j5¶%E\Ppe uM'1_)*Z$iRQ\c*Jdbomo_sLplqq

Xc[M3g4gpw˕KwQ$mN&'r46t7cKd:s]F<Qo$"z!KEX?yOVbNqKYĖ%O-/l7xJξ^<EW8,(L~9{ N
U&ʡ<rʲЎ>'gQe7zr2P ūj`o\Uj+0Qp&(`u|KS B#'nm9%2ݝɡb5:ÍXlNEc­WBe(J[*q۪H=ٕUHWgG_*9-؄"rė+:Ѕ7·\N8M qjHcrKCl0:SOqN!@ݙ=щ|.;$-FAc0X{ %C<Djgɿ'&m ~GǛ>6[MVjh`6I`:N<)f	_*uݣ$/hnuık#*vNXlwT2
h}^$Z~	A`W|72͞;&FCN̯(=o3>HޝX;<u߽.Fl@@>@n;#;_k82,mv08;Ŵs0ȗtrPǖkRmhY%lF%ZSjԄk1ՌTđC=PUQVyG"fxiFp0heq1Өǚ8tZSm##Evbikpy.xH[WޑnlHu3tBxt0xgֻef||Ƭȧ`ӧ4x@G{K	#g5ٜ~M$6cn8-cL!ƚ[6G}"Ψ)YՠoumzFdzOHjLR]uNy&_CGI<U6˺58؎+k4w c<#8{eO]rdb&3^_])w5k_HB٦}1mS'Wl%2@nPus5f)
YNafIt	((ȳc!P[R
F @•M*S`_Q
i(L0HфblO@E	&TzMAQEnQRh#=G.5-cړx&afӾEEǥFn'AKqT)iMV9lek)g+1Dk4$|R4i)><adOnRYCZNwR9
c
[2ҏK%)B$x)	5\)@ȎSˬ># vR:rMS\KנW!GOJʐ>J:u8Hfk
7]ᙕ:Էύ.Ǝ̅gGpL97CHYru_4((q'ZgfGDBZTDŠ,lf j_[N%/SB,tm\iSB6>ge	@`FZO*,O,-.`}!!g,d>KVH#_$mafG@W'Hר,2|ݨk2O`G|2}e7pID/z|uײh[
][,@'>ꢚt.C}rTym9r\Y0
+N
:{hzɨDn18}qt}鱼ӰoMuzr!}Y(s_,b~g'q41oG^`7N./HW_JИ(
.VOn1WR7;z}⯗UbTǸ]R<!J{zn/_J4\YNñl6^7
&sH,oz4yFAU{]gu/u*۱o#BБXqEܸO5^|f=c$*!7or6?5Uo}ř2&:ƟCe[g}}kiQaοS^=sdVq^rS8'mE8Fn	(VJ'bX


Anon7 - 2022
AnonSec Team