Share via


Certificate Template Overview

Applies To: Windows Server 2003 with SP1

Windows 2000 introduced the concept of using certificate templates to define the format and content of a certificate. Certificate templates are used by Windows 2000 Enterprise CAs to define what certificates can be issued by the Windows 2000 Enterprise CAs. Associated with the certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read, enroll, and configure the certificate template. Enterprise CAs are integrated into Active Directory. The certificate templates and the DACLs of the certificate template objects are defined in Active Directory with a forest-wide validity. If more than one Enterprise CA is running in the Windows forest, permission changes would have an impact on all Enterprise CAs.

The certificate templates used by Windows 2000 Enterprise CAs are known as version 1 certificate templates. Windows 2000 shipped with a number of predefined version 1 certificate templates, but modification of these default certificate templates is not allowed. The only modification that is enabled is the changing of permissions to allow enrollment of the certificate template. The version 1 certificate templates are created by default when an Enterprise CA is installed.

Windows Server 2003 extends certificate templates by introducing version 2 templates. Version 2 templates allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration and more can be added as necessary. This allows complete configuration flexibility for administrators. Alternatively, a version 1 certificate template can be duplicated, resulting in a version 2 certificate template that can be modified and secured separately.

Note

Similar to Windows 2000, Windows Server 2003 supports only version 1 templates. Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition support both version 1 and version 2 templates. Certificates based on version 2 templates can only be issued by an Enterprise CA running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

When a certificate template is defined, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration,DC=ForestRootName). The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available at all CAs until replication is completed. This storage and replication is accomplished automatically by Windows Server 2003 family computers.

Requirements

To set up a Windows Server 2003 CA, the Active Directory schema must be upgraded to the Windows Server 2003 schema. You cannot install a Windows Server 2003 CA into a Windows 2000based schema.

The schema is updated to the Windows Server 2003 schema by running ADPREP /Forestprep at a Windows 2000 domain controller with the Windows Server 2003 CD-ROM in the CD-ROM drive.

Upgrading from Version 1 to Version 2 Certificate Templates

When you install Windows Server 2003 CA into a Windows Server 2003based Active Directory, the current certificate templates are updated during the upgrade process. The update modifies default settings for the Windows 2000 version 1 certificate templates that implement better security defaults. If a Windows Server 2003, Enterprise Edition CA is installed in addition several, version 2 certificate templates are created.

The upgrade process of an Enterprise CA must be performed by an account that is a member of the forest root Domain Admins group and the Enterprise Admins universal group. This is because the upgrade makes modifications to the Configuration naming context in Active Directory. Specifically, the account performing the upgrade must have the following permissions through group memberships (these are the default permissions):

  • Full control permissions over the CN=Certificate Templates, CN=Public Key Services,CN=Services,CN=Configuration, DC=ForestRootDomain" container

  • Full control permissions over the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration, DC=ForestRootDomain container

  • Full Control permissions for each certificate template object in the CN=Certificate Templates, CN=Public Key Services,CN=Services,CN=Configuration, DC=ForestRootDomain" container

Note

Delegation over the Certificate Templates container will have no effect on individual certificate templates. In other words, the ACL on certificate templates is not inherited from the ACL on the container.

To upgrade the certificate templates, perform the following procedure after the upgrade for a Certification Authority to Windows Server 2003 or the installation of a new Windows Server 2003 CA on the network:

  1. Upgrade to the Windows Server 2003 schema.

  2. Log on as a user account that is a member of the forest root Domain Admins group and the Enterprise Admins group.

  3. At a Windows Server 2003, Enterprise Edition CA (the CA can be running on Windows Server 2003, Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition configured as a member-server or Domain Controller), run the Certificate Templates MMC console (certtmpl.msc).

    Note

    Alternatively, the Certificate Templates MMC console can be run from a Windows XP Professional computer with the Windows Server 2003 Administration Pack (Adminpak.msi) installed. The same permissions apply as noted previously.

  4. When prompted to write new certificate templates, click OK.

To verify that the upgrade is successful, open the Certificate Templates MMC console and confirm that there are 29 certificate templates. The Version # of templates should all exist and be in the format of xxx.xxx, for example, 100.2. Version 1 certificate templates use a single digit for the primary version number, for example, the Administrator certificate template version number is 3.1. Version 2 certificate template primary version numbers are three digits in length. For example, the Key Recovery Certificate Template version number is 105.0.

Note

An upgrade of the certificate templates is performed run if a new Windows Server 2003 CA is installed in the forest. If a Windows 2000 CA is upgraded to Windows Server 2003, the template upgrade is not performed automatically and will only be performed when the certificate templates MMC snap-in is opened for the first time. You can still verify that the update has taken place, but the process is performed automatically.

Default Templates

Once the upgrade to Windows Server 2003 certificate templates is completed, the following preconfigured certificate templates are listed in the Certificate Templates MMC console.

Name Description Key Usage Subject Type Published to AD

Administrator

Allows trust list signing and user authentication

Signature and encryption

User

Yes

Authenticated Session

Subject can authenticate to a Web server

Signature

User

No

Basic EFS

Used by Encrypting File System (EFS) to encrypt data

Encryption

User

Yes

CA Exchange

Used to store keys that are configured for private key archival

Encryption

Computer

No

CEP Encryption

Allows the holder to act as a registration authority (RA) for simple certificate enrollment protocol (SCEP) requests

Encryption

Computer

No

Code Signing

Used to digitally sign software

Signature

User

No

Computer

Allows a computer to authenticate itself on the network

Signature and encryption

Computer

No

Cross-Certification Authority

Used in cross-certification and qualified subordination

Signature

CrossCA

Yes

Directory E-mail Replication

Used to replicate e-mail within Active Directory

Signature and encryption

DirEmailRep

Yes

Domain Controller

All-purpose certificates held by domain controllers

Signature and encryption

DirEmailRep

Yes

Domain Controller Authentication

Used to authenticate Active Directory computers and users

Signature and encryption

Computer

No

EFS Recovery Agent

Allows the subject to decrypt files previously encrypted with EFS

Encryption

User

No

Enrollment Agent

Used to request certificates on behalf of another subject

Signature

User

No

Enrollment Agent (Computer)

Used to request certificates on behalf of another computer subject

Signature

Computer

No

Exchange Enrollment Agent (Offline request)

Used to request certificates on behalf of another subject and supply the subject name in the request

Signature

User

No

Exchange Signature Only

Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail

Signature

User

No

Exchange User

Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail

Encryption

User

Yes

IPSEC

Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication

Signature and encryption

Computer

No

IPSEC (Offline request)

Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request

Signature and encryption

Computer

No

Key Recovery Agent

This certificate can recover private keys archived on the certification authority.

Encryption

KRA

Yes

Root Certification Authority

Used to prove the identity of the root certification authority

Signature

CA

Yes

Name Description Key Usage Subject Type Published to AD Template Version

Router (Offline request)

Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate

Signature and encryption

Computer

No

3.1

Smartcard Logon

Allows the holder to authenticate using a smart card

Signature and encryption

User

No

5.1

Smartcard User

Allows the holder to authenticate and protect e-mail using a smart card

Signature and encryption

User

Yes

9.1

Subordinate Certification Authority

Used to prove the identity of the root certification authority, issued by the parent or root certification authority

Signature

CA

Yes

4.1

Trust List Signing

The holder can digitally sign a trust list.

Signature

User

No

2.1

User

Certificate to be used by users for e-mail, EFS, and client authentication

Signature and encryption

User

Yes

2.1

User Signature Only

Allows users to digitally sign data

Signature

User

No

3.1

Web Server

Proves the identity of a Web server

Signature and encryption

Computer

No

3.1