Installing and Upgrading Certificate Templates

Applies To: Windows Server 2008

Recall that when you install an enterprise certification authority (CA), you must be logged on as a user who is a member of the Enterprise Admins group. This is because certificate templates, along with other required public key infrastructure (PKI) elements, are installed in Active Directory® Domain Services (AD DS) in the Configuration naming context. The following figure shows the specific containers installed in AD DS.

Certificate templates are installed in AD DS when an enterprise CA is installed, and any required additions or changes to templates are performed when an enterprise CA is upgraded or when the first CA of a new Windows version is installed in a forest that contains templates.

Installation Requirements

CAs support certificate templates as follows:

  • CAs installed on computers running Windows Server® 2008 Enterprise and Windows Server 2008 Datacenter support version 1, version 2, and version 3 templates.

  • CAs installed on computers running Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition support version 1 and version 2 templates.

  • CAs installed on computers running Windows Server 2008 Standard and Windows Server 2003 Standard Edition support only version 1 templates.

  • Certificates based on version 2 or version 3 templates can only be issued by an enterprise CA and require an Active Directory environment based on Windows Server 2003 or higher.

  • A Microsoft Windows® 2000 Server domain must be upgraded to the Windows Server 2003 schema to support certain features of the enterprise CA, including version 2 or later certificate templates, delta CRLs, and key archival and recovery. A Windows Server 2008–based CA or a Windows Server 2003–based CA installed with a Windows 2000 Server–based schema can use only version 1 certificate templates and will lack the other advanced features described previously. For more information about version 1, version 2, and version 3 certificate templates, see Certificate Templates Overview.

Upgrading a CA to Windows Server 2008

For comprehensive information about upgrading a Certificate Services infrastructure, see the Active Directory Certificate Services Upgrade and Migration Guide (https://go.microsoft.com/fwlink/?LinkId=116454). This guide provides an overview of the upgrade requirements and illustrates the considerations and specific steps for certificate templates.

The following table illustrates the supported upgrade paths for CAs from earlier versions of Windows to Windows Server 2008. The table applies to both 32-bit versions and 64-bit versions. Upgrades from 32-bit versions to 64-bit versions are not supported.

Windows version                                                   Upgrade to Windows Server 2008
----------------------------------------------------------------  --------------------------------
Windows 2000 Server                                               No; not supported
Windows Server 2003 Standard Edition with Service Pack 1 (SP1),   Standard and Enterprise Editions
  Windows Server 2003 Standard Edition with Service Pack 2 (SP2),
  or Windows Server 2003 R2 Standard Edition
Windows Server 2003 Enterprise Edition with SP1, Windows Server   Enterprise Edition
  2003 Enterprise Edition with SP2, or Windows Server 2003 R2
  Enterprise Edition
Windows Server 2003 Datacenter Edition                            Datacenter Edition
The 64-bit versions of Windows Server 2003                        No; not supported

Upgrading Certificate Templates from Windows Server 2003 to Windows Server 2008

Windows Server 2008 includes two new Active Directory templates: Kerberos Authentication and OCSP Response Signing. For more information about these templates, see Certificate Templates Overview.

When you install a new Windows Server 2008–based CA in a forest that already contains an enterprise CA of an earlier Windows version, the installation of new Active Directory objects is performed as part of the CA installation process. However, when upgrading an existing Windows Server 2003–based CA to Windows Server 2008, the installation of new Active Directory templates must be performed as a separate step, after the CA upgrade.

To upgrade Active Directory templates after upgrading a CA to Windows Server 2008

  1. Log on to a computer running Windows Server 2008 with a user account that is a member of the Enterprise Admins group.

  2. Open the Certificate Templates snap-in (certtmpl.msc).

  3. When prompted to write new certificate templates, click OK.

The user performing these updates should be a member of the Enterprise Admins group to have full control of the following Active Directory objects and containers:

  • CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

  • Certificate template objects in the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

  • Container objects within the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

Note

Permissions on these containers are not inherited from permissions on higher-level containers; for example, the access control list (ACL) on certificate template objects is not inherited from the container.
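Because each template object carries its own ACL, checking the container alone says nothing about the templates. The following script is an added example, not part of the original article: it lists every principal holding Full Control (GenericAll) on the Certificate Templates container, the OID container, and each template object, then flags holders outside an assumed list of expected administrative groups. It assumes the RSAT ActiveDirectory module and a logon that can read the Configuration naming context.

```powershell
# Added example (not from the original article): audit Full Control ACEs on the
# Certificate Templates container, the OID container, and every template object.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiBase     = "CN=Public Key Services,CN=Services,$configNC"
$templatesDN = "CN=Certificate Templates,$pkiBase"
$oidDN       = "CN=OID,$pkiBase"

function Get-FullControlAces {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $all = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    foreach ($ace in $acl.Access) {
        # GenericAll is what the snap-in displays as "Full Control" on an AD object.
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.ActiveDirectoryRights -band $all) -eq $all) {
            [pscustomobject]@{
                Object      = $DistinguishedName
                Identity    = $ace.IdentityReference.Value
                IsInherited = $ace.IsInherited   # expected to be False on template objects
            }
        }
    }
}

$results = @()
$results += Get-FullControlAces -DistinguishedName $templatesDN
$results += Get-FullControlAces -DistinguishedName $oidDN

# Template ACLs are not inherited from the container, so check each template individually.
Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    ForEach-Object { $results += Get-FullControlAces -DistinguishedName $_.DistinguishedName }

$results | Format-Table -AutoSize

# Assumed list of principals that are expected to hold Full Control; adjust for your forest.
$expected = @('Enterprise Admins', 'Domain Admins', 'NT AUTHORITY\SYSTEM')
$unexpected = $results | Where-Object {
    $id = $_.Identity
    -not ($expected | Where-Object { $id -like "*$_*" })
}
if ($unexpected) {
    "Full Control holders outside the expected set:"
    $unexpected | Format-Table -AutoSize
}
```

Any identity reported in the final table holds Full Control on a PKI object without being in the expected set and should be reviewed before the template upgrade is performed.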

To verify that the upgrade to Windows Server 2008 was successful

  1. Open the Certificate Templates snap-in.

  2. Confirm that there are two new certificate templates: Kerberos Authentication and OCSP Response Signing.

Upgrading Certificate Templates from Windows 2000 Server to Windows Server 2003

When you install a Windows Server 2003–based CA into an Active Directory domain with a Windows Server 2003 schema, the current certificate templates are updated during the installation or upgrade process. The update modifies default settings for the Windows 2000 Server version 1 certificate templates. When installing a Windows Server 2003 Enterprise Edition–based CA, version 2 certificate templates are also installed.

The upgrade process of an enterprise CA must be performed by an administrator who is a member of the forest root Domain Admins group and the Enterprise Admins group. This is because the upgrade makes modifications to the Configuration naming context in Active Directory. Specifically, the administrator performing the upgrade must have the following permissions through group memberships (these are the default permissions):

  • Full Control permissions on the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain

  • Full Control permissions on the following container: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain

  • Full Control permissions for each certificate template object in the following container: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain

Note

Delegation over the Certificate Templates container will have no effect on individual certificate templates. In other words, the ACL on certificate templates is not inherited from the ACL on the container.

Perform the following procedure after upgrading a CA to Windows Server 2003 or after installing a new Windows Server 2003–based CA on the network.

To upgrade certificate templates after upgrading a CA to Windows Server 2003

  1. Upgrade Active Directory to the Windows Server 2003 schema.

Important

After the Active Directory schema has been upgraded to Windows Server 2003, the schema will also be able to support any Windows Server 2008 AD CS features, including version 3 certificate templates.

  2. Log on to a Windows Server 2003 Enterprise Edition–based CA as a member of the forest root Domain Admins group and the Enterprise Admins group.

  3. Open the Certificate Templates snap-in.

Note

Alternatively, the Certificate Templates snap-in can be run from a Windows XP Professional–based computer with the Windows Server 2003 Administration Pack (Adminpak.msi) installed. The same permissions apply as noted previously.

  4. When prompted to write new certificate templates, click OK.

To verify that the upgrade to Windows Server 2003 was successful

  1. Open the Certificate Templates snap-in.

  2. Confirm that there are 29 certificate templates. The version numbers of templates should all exist and be in the format of xxx.x; for example, 100.2. Version 1 certificate templates use a single digit for the primary version number. The Administrator certificate template version number is 3.1. Primary version numbers for version 2 certificate templates are three digits in length. For example, the version number for the Key Recovery certificate template is 105.0.

Note

An upgrade of the certificate templates is performed if a new Windows Server 2003–based CA is installed in the forest. If a Windows 2000 Server–based CA is upgraded to Windows Server 2003, the template upgrade is not performed automatically and will only be performed when the Certificate Templates snap-in is opened for the first time. You can still verify that the update has taken place; the update itself runs without further action once the snap-in is opened.
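Both verification procedures above (the Windows Server 2003 check for 29 templates with well-formed version numbers, and the Windows Server 2008 check for the Kerberos Authentication and OCSP Response Signing templates) can be performed from the directory rather than by eye. The following script is an added example, not part of the original article; it reads the template objects from the Configuration naming context and reports count, version number and schema version. It assumes the RSAT ActiveDirectory module, read access to the Configuration naming context, and that the two Windows Server 2008 templates have the CN values KerberosAuthentication and OCSPResponseSigning.

```powershell
# Added example (not from the original article): enumerate certificate templates and
# report what the verification procedures ask for. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, revision, 'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.displayName
            # The snap-in shows <revision>.<minor revision>, e.g. 105.0 for Key Recovery.
            Version       = '{0}.{1}' -f [int]$_.revision, [int]$_.'msPKI-Template-Minor-Revision'
            SchemaVersion = [int]$_.'msPKI-Template-Schema-Version'   # 1, 2 or 3
        }
    }

$templates | Sort-Object Name | Format-Table -AutoSize
"Template count: $($templates.Count)"   # the article expects 29 after the Windows Server 2003 upgrade

# Version 1 templates use a single-digit major number; version 2 templates use three digits.
$mismatch = $templates | Where-Object {
    ($_.SchemaVersion -eq 1 -and $_.Version -notmatch '^\d\.\d+$') -or
    ($_.SchemaVersion -eq 2 -and $_.Version -notmatch '^\d{3}\.\d+$')
}
if ($mismatch) {
    "Templates whose version format does not match their schema version:"
    $mismatch | Format-Table -AutoSize
}

# The two templates added by Windows Server 2008 (CN values assumed for this example).
foreach ($cn in 'KerberosAuthentication', 'OCSPResponseSigning') {
    $present = $templates | Where-Object { $_.Name -eq $cn }
    '{0}: {1}' -f $cn, $(if ($present) { 'present' } else { 'MISSING' })
}
```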