Microsoft CA can now issue certificates signed by Quantum-Resistant ECDSA Algorithm: Part 3 - Submitting CSR to CA
Articles in the Series
This article is part of a series. The other articles are:
- Microsoft CA can now issue certificates signed by Quantum-Resistant ECDSA Algorithm: Part 1 - Installing ADCS
- Microsoft CA can now issue certificates signed by Quantum-Resistant ECDSA Algorithm: Part 2 - Configure CA to select a custom Crypto Provider
- Microsoft CA can now issue certificates signed by Quantum-Resistant ECDSA Algorithm: Part 4 - Issuing certificate signed by with custom Crypto Provider
- Microsoft CA can now issue certificates signed by Quantum-Resistant ECDSA Algorithm: Bonus Part - Are signatures ECDSA compliant?
Introduction
Recall that in Part 2 we covered the configuration steps that let the CA select pQCee Cryptographic Provider. From this point on, the CA relies on pQCee Cryptographic Provider, which provides ECDSA with the SPP layer as the signing algorithm, for all signing operations.
In Part 3, I will show how to submit a Certificate Signing Request (CSR) as a client to the CA server. The CSR is submitted through the CA Web Enrollment role, which was installed and configured in Part 1 and Part 2.
The requested certificate will be signed and issued by the CA server (demonstrated in Part 4), with the signature produced through pQCee Cryptographic Provider.
Submitting a Certificate Signing Request (CSR) to the CA (as a client)
This section demonstrates how to submit a CSR (as a client) on the Windows Server to the CA by using the CA Web Enrollment role. This is one of several methods of submitting a CSR.
After installing and configuring CA Web Enrollment, open the Microsoft Edge browser and go to "http://<CA_Server_Name_or_IP>/certsrv", replacing <CA_Server_Name_or_IP> with the actual name or IP address of your CA server.
Click "Request a certificate" and then choose "submit an advanced certificate request".
Paste your CSR into the "Saved Request" box and click "Submit >".
You have now submitted a CSR (as a client) on the Windows Server to the CA by using the CA Web Enrollment role.
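The steps above assume a CSR already exists. The following PowerShell is an added example, not part of the original article or of pQCee's tooling: it creates a Base64 PKCS#10 request with the built-in certreq tool and checks it with certutil before it is pasted into the "Saved Request" box. The subject name, the ECDSA P-256 client key and the file paths are assumptions chosen for illustration.

```powershell
# Added example: build a PKCS#10 CSR with certreq and check it before pasting.
# Assumptions: the subject, key type and file paths below are placeholders.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'csr-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'request.inf'
$csr = Join-Path $work 'request.csr'

# certreq policy file. The private key is generated on this machine and
# marked non-exportable; only the request leaves the client.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=client01.example.test"
KeyAlgorithm = ECDSA_P256
KeyLength = 256
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
Exportable = FALSE
MachineKeySet = FALSE
RequestType = PKCS10
'@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and write the request (remove any stale output first,
# otherwise certreq prompts before overwriting).
if (Test-Path $csr) { Remove-Item $csr }
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check 1: the file is the Base64 text form that can be pasted into the page.
$text = Get-Content -Path $csr -Raw
if ($text -notmatch '-----BEGIN NEW CERTIFICATE REQUEST-----') {
    throw 'Request is not Base64-encoded PKCS#10; re-create it.'
}

# Check 2: decode the request and review the subject, public key algorithm
# and signature before submitting it to the CA.
certutil -dump $csr
if ($LASTEXITCODE -ne 0) { throw 'certutil could not parse the request.' }

# Place the request text on the clipboard, ready for the "Saved Request" box.
Set-Clipboard -Value $text
```

Review the certutil output to confirm that the subject and key algorithm are the ones you intended before clicking "Submit >".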
Conclusion
In Part 3, we covered the steps to submit a CSR as a client on the Windows Server to the CA by using the CA Web Enrollment role.
At this point, there is a pending CSR that has yet to be approved by the CA server's administrator. Once the CSR is approved, the certificate will be signed through the cryptographic provider that the CA has been configured to use, which in this series is pQCee Cryptographic Provider. The digital signature on the issued certificate will be quantum resistant because the certificate is signed using ECDSA as the signing algorithm with an additional SPP layer.
The next part of the series covers how to approve the CSR and issue the signed certificate as an administrator of the CA server.
Author
Cher Yue Yang
Yue Yang is an intern at pQCee. He marvels at how the cybersecurity landscape is shifting to a post-quantum era in the near future. He is excited to be part of the post-quantum movement before he begins his Computer Science degree.