Configure the Workstation Authentication Certificate Template

  • Article

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for computer certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.

Administrative credentials

To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.

To configure the workstation authentication certificate template and autoenrollment

  1. On the computer where AD CS is installed, click Start, click Administrative Tools, and then click Certification Authority.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, right-click Certificate Templates, and then click Manage.

  4. In the details pane, click the Workstation Authentication template.

  5. On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the template version that is appropriate for your deployment, and then click OK. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select Windows Server 2003 Enterprise.

  6. On the General tab, in Template display name, type a new name for the certificate template, such as Domain Isolation Workstation Authentication Template.

  7. Click the Subject Name tab. Make sure that Build from this Active Directory information is selected. In Subject name format, select Fully distinguished name.

  8. Click the Request Handling tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.

  9. Click the Security tab. In Group or user names, click Domain Computers, under Allow, select Enroll and Autoenroll, and then click OK.

Note

If you want do not want to deploy the certificate to every computer in the domain, then specify a different group or groups that contain the computer accounts that you want to receive the certificate.

  1. Close the Certificate Templates Console.

  2. In the Certification Authority MMC snap-in, in the left pane, right-click Certificate Templates, click New, and then click Certificate Template to Issue.

  3. In the Enable Certificate Templates dialog box, click the name of the certificate template you just configured, and then click OK.