Appendix C: Certificate Template Schema Additions

Applies To: Windows Server 2003 with SP1

The Certificate Templates container contains the certificate templates that are defined within an Active Directory forest. Each certificate template is of the class pKICertificate. Each certificate template is managed by using the Certificate Templates MMC snap-in. Windows 2000 includes 24 default certificate templates; Windows Server 2003 includes 29 default templates. Each template is stored in the following location in the Configuration naming context:

CN=<name of template>,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain

Version 1 Certificate Template Attributes

The following version 1 certificate template attributes are defined in the Active Directory schema.

Attribute Description

cn: Common name of the certificate type.
distinguishedName: Distinguished name of the certificate type.
displayName: Display name of a certificate type.
pKIExtendedKeyUsage: Array of enhanced key usage object identifiers.
pKIDefaultCSPs: Default CSP list. DWORD, CSP name.
pKICriticalExtensions: List of critical extensions.
revision: Major version of the template.
templateDescription: Obsolete attribute.
flags: General enrollment flags.
pKIDefaultKeySpec: Specification of the default key length and construct.
nTSecurityDescriptor: Security descriptor name.
pKIKeyUsage: Key Usage extension.
pKIMaxIssuingDepth: Basic Constraints. DWORD value.
pKIExpirationPeriod: Validity period. Negative FILETIME value.
pKIOverlapPeriod: Renewal period. Negative FILETIME value.
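The two period attributes are stored as negative FILETIME durations, which is awkward to read straight out of LDAP. As an added example that is not part of this appendix, the following Python decodes pKIExpirationPeriod and pKIOverlapPeriod from their raw 8-byte form, re-encodes them, and checks that the renewal period is shorter than the validity period; the sample blobs are constructed here, not read from a directory.

```python
import struct
from datetime import timedelta

# pKIExpirationPeriod and pKIOverlapPeriod are 8-byte octet strings holding a
# little-endian signed 64-bit integer: the NEGATIVE number of 100-nanosecond
# FILETIME ticks in the period (a negative FILETIME encodes a duration).
TICKS_PER_SECOND = 10_000_000


def decode_pki_period(blob: bytes) -> timedelta:
    """Convert a raw template period attribute into a positive timedelta."""
    if len(blob) != 8:
        raise ValueError(f"expected an 8-byte FILETIME, got {len(blob)} bytes")
    (ticks,) = struct.unpack("<q", blob)
    if ticks > 0:
        raise ValueError("template periods must be negative FILETIME values")
    return timedelta(seconds=-ticks / TICKS_PER_SECOND)


def encode_pki_period(period: timedelta) -> bytes:
    """Inverse of decode_pki_period: build the raw attribute value."""
    if period <= timedelta(0):
        raise ValueError("period must be positive")
    return struct.pack("<q", -int(period.total_seconds() * TICKS_PER_SECOND))


def describe_template_lifetime(expiration: bytes, overlap: bytes) -> dict:
    """Decode both periods; renewal_ok is False when the overlap (renewal)
    period is not shorter than the validity period."""
    validity = decode_pki_period(expiration)
    renewal = decode_pki_period(overlap)
    return {"validity_days": validity.days, "renewal_days": renewal.days,
            "renewal_ok": renewal < validity}


# Constructed samples (not read from a directory): the raw bytes below are the
# encoding of a one-year (365-day) validity period; the overlap is six weeks.
RAW_ONE_YEAR = bytes.fromhex("004039872ee1feff")
SAMPLE_OVERLAP = encode_pki_period(timedelta(weeks=6))
```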

Version 2 Certificate Template Attributes

The following version 2 certificate template attributes are defined in the Active Directory schema.

Attribute Description

msPKI-Template-Schema-Version: Schema version of the template.
msPKI-Template-Minor-Revision: Minor version of the template.
msPKI-RA-Signature: Number of RA signatures required on a request referencing this template.
msPKI-Minimal-Key-Size: Minimal key size required.
msPKI-Template-Cert-Template-OID: Object identifier of this template.
msPKI-Supersede-Templates: Name of the template that this template supersedes.
msPKI-RA-Policies: RA issuer policy object identifiers required.
msPKI-RA-Application-Policies: RA application policy object identifiers required.
msPKI-Certificate-Policy: The certificate issuer policy object identifiers are placed in the OID_CERT_POLICIES extension by the policy module.
msPKI-Certificate-Application-Policy: Certificate application policy object identifiers.
msPKI-Enrollment-Flag: Enrollment flags.
msPKI-Private-Key-Flag: Private key flags.
msPKI-Certificate-Name-Flag: Subject name flags.

Flags

The following enrollment flags are defined in the Active Directory schema.

Flag Description

CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS (0x00000001): Include the S/MIME symmetric algorithms in the requests.
CT_FLAG_PEND_ALL_REQUESTS (0x00000002): All certificate requests are pended.
CT_FLAG_PUBLISH_TO_KRA_CONTAINER (0x00000004): Publish the certificate to the KRA (key recovery agent) container in Active Directory.
CT_FLAG_PUBLISH_TO_DS (0x00000008): Publish the resultant certificate to the userCertificate property on the user object in Active Directory.
CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE (0x00000010): The auto-enrollment client will not enroll for a new certificate if the user has a certificate previously published to the userCertificate attribute in Active Directory with the same template name.
CT_FLAG_AUTO_ENROLLMENT (0x00000020): This certificate is appropriate for auto-enrollment.
CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT (0x00000040): A previously issued certificate will validate subsequent enrollment requests.
CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED (0x00000080): Obsolete.
CT_FLAG_USER_INTERACTION_REQUIRED (0x00000100): User interaction is required to enroll using auto-enrollment.
CT_FLAG_ADD_TEMPLATE_NAME (0x00000200): Obsolete.
CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE (0x00000400): Remove invalid (expired or revoked) certificates from the personal store on the local client computer during auto-enrollment.

The following subject name flags are defined in the Active Directory schema.

Flag Description

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x00000001): The enrolling application must supply the subject name.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME (0x00010000): The enrolling application must supply the subjectAltName in the request.
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH (0x80000000): Subject name should be the full distinguished name based on the Active Directory path.
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME (0x40000000): Subject name should be the common name.
CT_FLAG_SUBJECT_REQUIRE_EMAIL (0x20000000): Subject name includes the e-mail name.
CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN (0x10000000): Subject name includes the DNS name as the common name.
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS (0x08000000): Subject alt name includes the DNS name.
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL (0x04000000): Subject alt name includes the e-mail name.
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN (0x02000000): Subject alt name requires the UPN.
CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID (0x01000000): Subject alt name requires the directory GUID (used by domain controllers).
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN (0x00800000): Subject alt name requires the SPN (service principal name).

The following template private key flags are defined in the Active Directory schema.

Flag Description

CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL (0x00000001): Archival of the private key is allowed/required.
CT_FLAG_EXPORTABLE_KEY (0x00000010): Mark the private key as exportable.

The following template general flags are defined in the Active Directory schema:

Flag Description

CT_FLAG_MACHINE_TYPE (0x00000040): Machine certificate type.
CT_FLAG_IS_CA (0x00000080): CA certificate type.
CT_FLAG_IS_CROSS_CA (0x00000800): Cross-CA certificate type.
CT_FLAG_IS_DEFAULT (0x00010000): Default certificate type that is set on all V1 templates and cannot be changed.
CT_FLAG_IS_MODIFIED (0x00020000): The type has been modified (read only).
CT_MASK_SETTABLE_FLAGS (0x0000ffff): Obsolete.
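The four flag attributes (msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag, msPKI-Private-Key-Flag and flags) are DWORD bitmasks, so a template read from the directory shows up as bare integers. As an added example that is not part of this appendix, the following Python expands those integers into the flag names from the tables above and, for a configuration review, reports whether a template lets the requester supply the subject while neither pending requests nor requiring RA signatures. The review_template helper, that check and the sample template are this example's own assumptions; the template object is constructed, not real directory data.

```python
# Flag tables transcribed from this appendix (bit value -> flag name).
ENROLLMENT_FLAGS = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS", 0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER", 0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE", 0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00000400: "CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE",
}
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT", 0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH", 0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL", 0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS", 0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN", 0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
}
PRIVATE_KEY_FLAGS = {0x00000001: "CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL",
                     0x00000010: "CT_FLAG_EXPORTABLE_KEY"}
GENERAL_FLAGS = {0x00000040: "CT_FLAG_MACHINE_TYPE", 0x00000080: "CT_FLAG_IS_CA",
                 0x00000800: "CT_FLAG_IS_CROSS_CA", 0x00010000: "CT_FLAG_IS_DEFAULT",
                 0x00020000: "CT_FLAG_IS_MODIFIED"}


def decode_flags(value, table):
    """Expand a DWORD bitmask into flag names; bits not in the table come back as UNKNOWN_0x....
    LDAP clients return these DWORDs as signed 32-bit integers, so high-bit flags arrive negative."""
    value &= 0xFFFFFFFF
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):
        names.append(f"UNKNOWN_0x{value & ~sum(table):08x}")
    return names


def review_template(attrs):
    """Decode the flag attributes of an LDAP-style template dict (hypothetical helper) and note
    whether the requester picks the subject with no pending and no RA signature required."""
    name = decode_flags(attrs.get("msPKI-Certificate-Name-Flag", 0), NAME_FLAGS)
    enroll = decode_flags(attrs.get("msPKI-Enrollment-Flag", 0), ENROLLMENT_FLAGS)
    return {
        "name_flags": name, "enrollment_flags": enroll,
        "private_key_flags": decode_flags(attrs.get("msPKI-Private-Key-Flag", 0), PRIVATE_KEY_FLAGS),
        "general_flags": decode_flags(attrs.get("flags", 0), GENERAL_FLAGS),
        "subject_set_by_requester_without_approval": (
            "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT" in name and "CT_FLAG_PEND_ALL_REQUESTS" not in enroll
            and attrs.get("msPKI-RA-Signature", 0) == 0),
    }


# Constructed sample (not real directory data): a machine template whose requester supplies the subject.
SAMPLE_TEMPLATE = {"cn": "ConstructedWebServer", "flags": 0x00010040, "msPKI-RA-Signature": 0,
                   "msPKI-Certificate-Name-Flag": 0x00000001, "msPKI-Enrollment-Flag": 0x00000000,
                   "msPKI-Private-Key-Flag": 0x00000010}
```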