Issuing Certificates Based on Certificate Templates

Applies To: Windows Server 2008

Active Directory Certificate Services (AD CS) supports a variety of enrollment and renewal methods, including autoenrollment without any client interaction and interactive enrollment methods such as the Certificate Request Wizard and the AD CS Web pages.

Note

If you deploy non-Microsoft certification authorities (CAs) or custom certificate enrollment and renewal applications, you must perform any configuration required for those CAs and applications.

How a certificate is obtained by a client is controlled in large part by the security properties of the certificate template.

When certificate templates are published on a server, each template contains an access control list (ACL) that defines the specific operations a subject can perform with a certificate.

Setting Description

Full Control

The selected group or user can perform any action on this template.

Read

The selected group or user can read this template.

Write

The selected group or user can modify this template.

Enroll

The selected group or user can submit a certificate issuance or renewal request based on this template.

Autoenroll

The selected group or user can submit a certificate request based on this template by way of autoenrollment.

Note
This option will not work unless the Enroll option is also selected.

The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll, and Autoenroll permissions.

If you do not want to autoenroll users, but do not want to make manual or Web-based enrollment available, granting the Read and Enroll permissions is appropriate.

When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.

Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured.