The first step in creating a user certificate is to find a CA and retrieve information from it. The second step is to find a key generation server and retrieve information from it. The third step is to determine the certificates attributes and extensions using the information from the previous two steps and user input.
Find the CA by calling NPKIFindOrganizationalCA. Then call these accessor functions:
Only servers holding a writeable partition that contains the user's object can create certificates for the user. Call NPKIFindKeyGenServersForUser to find a server that holds this partition. After a successful return, you can use the following accessor functions:
Determine the certificate attributes and extensions, then create the user certificate by calling NPKICreateUserCertificate.
For a sample implementation of this task, see CreateUserCert.