Deploying Certificate Templates

Applies To: Windows Server 2008

When you create an enterprise certification authority (CA), certificate templates are stored in Active Directory Domain Services (AD DS) and can be made available to all enterprise CAs in the forest. Storing the templates in one central location makes them available to every CA in the enterprise and simplifies replication, security management, and the upgrade of certificate templates when a CA is upgraded to a more recent version of a Windows server operating system. Note that this requires the root domain's Domain Admins group to have been granted Full Control permissions to all certificate templates or for this permission to have been granted to another user or group.

Once you have planned and created the appropriate certificate templates, they will be replicated automatically to all domain controllers in the enterprise. This replication normally takes approximately eight hours to complete. Because of this interval, you should create the certificate template and allow it to replicate before issuing certificates based on the certificate template to clients. This is best accomplished during an idle time in your environment. Configuring templates and using certificates before replication is completed can have unwanted effects.
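
One way to confirm that a new or changed template has reached every domain controller before you start issuing from it is shown below. This is an added example, not part of the original documentation; it assumes the ActiveDirectory PowerShell module is available on the management host, that the domain controllers accept connections from it, and that `ContosoWebServer` is a hypothetical template name.

```powershell
# Added example: checks that one certificate template is present, at the same
# version, on every domain controller in the forest.
# Assumption: the ActiveDirectory module is installed on this host.
Import-Module ActiveDirectory

# Hypothetical template name (the CN of the template object, not its display name).
$TemplateName = 'ContosoWebServer'

# Templates live in the Configuration partition, which replicates forest-wide.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"

$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $row = [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            Version          = $null
            Status           = 'Missing or unreachable'
        }
        try {
            # Ask this specific DC for its own copy of the template object.
            $t = Get-ADObject -Identity $templateDN -Server $dc.HostName `
                     -Properties revision, 'msPKI-Template-Minor-Revision' `
                     -ErrorAction Stop
            # Major.minor template version as stored on this DC.
            $row.Version = '{0}.{1}' -f $t.revision, $t.'msPKI-Template-Minor-Revision'
            $row.Status  = 'Present'
        }
        catch {
            # Leave the row marked as missing or unreachable.
        }
        $row
    }
}

$results | Sort-Object Site, DomainController | Format-Table -AutoSize

$missing  = @($results | Where-Object { $_.Status -ne 'Present' })
$versions = @($results | Where-Object { $_.Status -eq 'Present' } |
              Select-Object -ExpandProperty Version -Unique)

if ($missing.Count -eq 0 -and $versions.Count -eq 1) {
    "Template '$TemplateName' version $($versions[0]) is on all $($results.Count) domain controllers."
} else {
    Write-Warning "Replication incomplete: $($missing.Count) DC(s) without the template, $($versions.Count) distinct version(s) seen. Hold issuance."
}
```

A domain controller that reports an older version than the others still holds the previous template settings, so treat a version mismatch the same as a missing template.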