Re: Request Format: CMC vs. PKCS10

[Andy]

one difference is that CMC is required when requesting key archival. Key
archival can not be requested using pKCS10.

"Susieber" <Susi...@discussions.microsoft.com> wrote in message
news:F692B7AE-4F37-40AF...@microsoft.com...
> Using W2K3 Certificate Services, I am having a hard time finding
> information
> about how to choose the correct request format. The IIS CA user interface
> requires that you select one or the other when creating a cert request -
> CMC
> or PKCS10. Is it true that you can only choose CMC on an enterprise CA
> (and
> you cannot choose CMC on a standalone/external CA)? Do you have to choose
> PKCS10 on a standalone CA?
>
> What led me to this question: We set up a Web SSO scenario in our lab
> using
> an external Microsoft CA, and created the certs using CMC format. But the
> Federation Server Proxy could never get authorization to communicate with
> the
> Federation Server (it failed on a 401.2 accessing the FS URL). When we
> changed our certificates to using the PKCS10 Request Format (and other
> modifications, like using MIcrosfot RSA SChannel Cryptographic Provider
> over
> Microsoft Enhanced Cryptographic Provider v1.0), the communication worked.
>
> If anyone can point me to some docs on the difference between the two
> formats and when to select one over the other, I'd be very grateful.
>
> TIA,
> Susie

[Haitao Li]

Both Enterprise CA and standalone CA can accept both formats. You choose the
format based on what you want to put into the request. I couldn't find a
good page comparing the formats, but the following gives you some idea on
what is supported in each format:
http://msdn2.microsoft.com/en-us/library/aa379338.aspx

Or read RFCs of PKCS10 and CMC.

Haitao Li

<Andy> wrote in message news:OEQUs6iH...@TK2MSFTNGP02.phx.gbl...

[Susieber]

Thank you, both Haitao and Andy.