
Controlling enrollment access to certificate templates

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate templates are published on a server. Each contains an access control list (ACL) which defines what specific operations a subject can do with the certificate.

Setting: Description

Full Control: The selected group or user can perform any action on this template.

Read: The selected group or user can read this template.

Write: The selected group or user can modify this template.

Enroll: The selected group or user can submit a certificate issuance or renewal request based on this template.

Autoenroll: The selected group or user can submit a certificate request based on this template by way of autoenrollment. This option will not work unless the Enroll option is also selected.

The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll and Autoenroll permissions. If autoenrollment is not wanted but manual or Web-based enrollment is, granting the Read and Enroll permissions is appropriate. When subjects already hold a certificate, they only need Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.

Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured.
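
A read-only audit of the two rules above (Autoenroll is ineffective without Enroll; Write and Full Control belong only to CA managers), as an added example that is not part of the original Microsoft page. Assumptions: the CONTOSO principal names are constructed placeholders for your CA managers, "Write" is treated as any of WriteProperty, WriteDacl or WriteOwner, and the two GUIDs are the Active Directory control access rights behind the Enroll and Autoenroll settings.

```powershell
# Added example: lists certificate template ACL entries that break the guidance above.
# Assumption: these constructed names are the only principals meant to manage templates.
$CaManagers = @('CONTOSO\Enterprise Admins', 'CONTOSO\Domain Admins', 'CONTOSO\CA Managers')

# Control access right GUIDs behind the Enroll and Autoenroll settings.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$AD        = [System.DirectoryServices.ActiveDirectoryRights]
$Extended  = [int]$AD::ExtendedRight
# Assumption: "Write" covers any right that can change the template or its ACL.
$WriteMask = [int]($AD::WriteProperty -bor $AD::WriteDacl -bor $AD::WriteOwner)

function Test-ExtendedRight($Rule, [guid]$Right) {
    # An ExtendedRight ACE with an empty ObjectType grants every control access right,
    # which is how Full Control also implies Enroll and Autoenroll.
    (([int]$Rule.ActiveDirectoryRights -band $Extended) -ne 0) -and
        ($Rule.ObjectType -eq $Right -or $Rule.ObjectType -eq [guid]::Empty)
}

# Templates live in the configuration partition of the forest.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

foreach ($template in $container.psbase.Children) {
    $name  = $template.psbase.Name
    $allow = $template.psbase.ObjectSecurity.GetAccessRules(
                 $true, $true, [System.Security.Principal.NTAccount]) |
             Where-Object { $_.AccessControlType -eq 'Allow' }

    foreach ($entry in ($allow | Group-Object { $_.IdentityReference.Value })) {
        $who      = $entry.Name
        $canWrite = [bool]($entry.Group | Where-Object {
                        ([int]$_.ActiveDirectoryRights -band $WriteMask) -ne 0 })
        $enroll   = [bool]($entry.Group | Where-Object { Test-ExtendedRight $_ $EnrollGuid })
        $auto     = [bool]($entry.Group | Where-Object { Test-ExtendedRight $_ $AutoenrollGuid })

        if ($canWrite -and $CaManagers -notcontains $who) {
            '{0}: {1} holds Write or Full Control but is not a listed CA manager' -f $name, $who
        }
        # Per-principal check: Enroll may still reach the subject through another group.
        if ($auto -and -not $enroll) {
            '{0}: {1} has Autoenroll without Enroll, so autoenrollment will not work' -f $name, $who
        }
    }
}
```

Run it as a domain user with read access to the configuration partition; it makes no changes, and the findings need review against group membership before any ACL is edited.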
