Certificate Templates Overview

Applies To: Windows Server 2008

Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory® Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.

Note

When a certificate template is defined, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration,DC=ForestRootName). The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available to all CAs until replication is completed. The storage and replication are accomplished automatically.

CA Terminology

The following terms and acronyms are used throughout this document.

Authority information access. A certificate extension that contains URLs where the issuing CA certificate can be retrieved. The authority information access extension can contain Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), or FILE URLs.

Certificate revocation list (CRL). A digitally signed list issued by a CA that contains certificates that have been revoked. The list includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status. CRLs can also be referred to as base CRLs to differentiate them from delta CRLs.

Certificate template. A preconfigured list of certificate settings that allows users and computers to enroll for certificates without having to create complex certificate requests.

  • Version 2 certificate templates are customizable certificate templates that are supported with Windows Server® 2008 Enterprise–based CAs or Windows Server 2003 Enterprise Edition–based CAs. Version 2 certificate templates enable advanced CA features such as key archival and recovery and certificate autoenrollment.

    • In order to use version 2 templates, Active Directory must be upgraded to support Windows Server 2008 or Windows Server 2003 schema changes.

    • Standard editions of Windows Server 2008 and Windows Server 2003 support only version 1 certificate templates, which are not customizable and do not support key archival or autoenrollment.

  • Version 3 certificate templates are new in Windows Server 2008. Version 3 certificate templates function similarly to version 2 templates, and they support new Active Directory Certificate Services (AD CS) features available in Windows Server 2008. These features include Cryptography Next Generation (CNG), which introduces support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC).

CRL distribution point. A certificate extension that indicates where the CRL for a CA can be retrieved. This extension can contain multiple HTTP, FTP, FILE, or LDAP URLs for the retrieval of the CRL.

Delta CRL. A type of CRL that contains the list of certificates revoked since the last base CRL was published. Delta CRLs are often used in environments where numerous certificates are revoked to optimize bandwidth use.

Enterprise CA. Enterprise CAs are integrated with AD DS. They publish certificates and CRLs to AD DS, use information stored in AD DS such as user accounts and security groups to approve or deny certificate requests, and use certificate templates stored in AD DS to generate a certificate with the appropriate attributes.

Online Certificate Status Protocol (OCSP). A protocol that allows high-performance validation of certificate status. Windows Server 2008 introduces an online revocation provider (Online Responder) as an optional role service within AD CS.

Public key infrastructure (PKI). A PKI consists of CAs that issue digital certificates, directories that store certificates and policies (including AD DS), resources that provide revocation and validation information for certificates, and the X.509 certificates that are issued to security entities on the network.

Security principal. A user, security group, or computer account that can be assigned permissions in a DACL.

Stand-alone CA. Stand-alone CAs do not require AD DS and do not use certificate templates.

Templates in Versions of Windows Earlier than Windows Server 2008

A number of predefined certificate templates were first introduced in Microsoft Windows® 2000, but attributes of those version 1 certificate templates could not be modified, except the permissions specified in the DACL. This was done through the advanced view of the Active Directory Sites and Services snap-in and allowed administrators to specify which users and groups could read, update, and enroll for certificates that use the templates.

With Windows Server 2003, the introduction of version 2 certificate templates meant that more customization was possible, and management was done through the Certificate Templates snap-in rather than through the Active Directory Sites and Services snap-in.

With Windows Server 2003–based CAs, the Certificate Templates snap-in allowed you to define specific attributes for certificates that meet your organization's business needs. For example, you could:

  • Define whether the private key associated with a certificate can be exported.

  • Define whether the certificate request must be approved by a certificate manager, and define how many managers must approve a request before the certificate is issued.

  • Define which cryptographic service providers (CSPs) are supported by a certificate template.

  • Define issuance and application policy for issued certificates.

Windows Server 2008–Based Templates

Windows Server 2008 introduced version 3 certificate templates. These certificate templates have been updated to support new features available in the Windows Server 2008–based CA, including CNG, which introduces support for Suite B cryptographic algorithms such as ECC. For more information about CNG in Windows Server 2008, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkID=85613).

CNG encryption and hash algorithms can be specified for:

  • Certificate requests

  • Issued certificates

  • Protection of private keys for key exchange and key archival scenarios

Administrators can configure support for these new certificate template features using the template properties options in the Certificate Templates snap-in in Windows Server 2008.

AD CS includes two new certificate templates: Kerberos Authentication (delivered as a version 2 template) and OCSP Response Signing (delivered as a version 3 template). These templates are installed in AD DS when the first Windows Server 2008–based CA is installed, or the first time the Certificate Templates snap-in is opened from Windows Server 2008, after an upgrade to a Windows Server 2008–based CA.

Kerberos Authentication Template

The purpose of the Kerberos Authentication template is to issue certificates to domain controllers, which present the certificates to client computers during user and computer network authentication. Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:

  • The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.

  • The domain name is in the subject alternative name extension of the certificate.

By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008. For domain controllers running Windows Server 2003, the Domain Controller Authentication template or the Kerberos Authentication template can be used.

Note

If a domain controller running Windows Server 2003 with Service Pack 1 (SP1) or Windows Server 2003 R2 obtains a certificate based on the Kerberos Authentication template, the following error might appear on the domain controller.
Automatic certificate enrollment for local system detected the DNS name in the Kerberos Authentication certificate does not match the DNS name of the local computer. A new enrollment for one Kerberos Authentication certificate will be performed in 24 hours.
This is a known issue. It occurs because the autoenrollment client computer running Windows Server 2003 compares the local computer's DNS name to the contents of the certificate subject alternative name.

Client computers running Windows Vista or Windows Server 2008 can be configured to check for the new enhanced key usage entry by enabling strong KDC validation on the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\kdcvalidation

The default value of 0 disables strong KDC validation. To enable strong KDC validation, set this DWORD value to 2.

The following table shows which certificate template can be used for CAs running different versions of Windows, based on which version of Windows the domain controller is running.

Domain controller Windows 2000 Server–based CA (version 1 only) Windows Server 2003–based CA Windows Server 2008–based CA

Windows 2000 Server

(enroll for version 1 templates only)

Domain Controller

Domain Controller

Domain Controller

Windows Server 2003

Domain Controller

Domain Controller

or

Domain Controller Authentication

Directory E-mail Replication

Kerberos Authentication or Domain Controller Authentication

Directory E-mail Replication

Windows Server 2008

Domain Controller

Domain Controller

or

Domain Controller Authentication

Directory E-mail Replication

Kerberos Authentication

Directory E-mail Replication

Note

If the CA administrator has not manually assigned the Domain Controller Authentication and Directory E-mail Replication certificate templates to a Windows Server 2003–based CA or a Windows Server 2008–based CA, domain controllers running Windows Server 2003 still use the default Domain Controller certificate template. If a Windows Server 2008–based CA is available and configured to issue the Kerberos Authentication template, a domain controller running Windows Server 2003 or Windows Server 2008 will enroll for a Kerberos Authentication certificate, even if it already has a Domain Controller Authentication certificate.

The Kerberos Authentication certificate template is fully backward-compatible with the previous domain controller templates; for example, when the domain controller has a Kerberos Authentication certificate, smart card logon can be performed even with a client computer running Windows 2000 Professional.

OCSP Response Signing Template

The second new template introduced in Windows Server 2008 is the OCSP Response Signing template. An Online Responder based on the OCSP standard is an optional component in Windows Server 2008. This template issues certificates for computers running an Online Responder, enabling the Online Responder to provide signed responses to client computers requesting revocation information on certificates issued by the same CA that signed the OCSP signing certificate. The characteristics of OCSP signing certificates are:

  • The "OCSP Signing" entry exists in the enhanced key usage extension.

  • Revocation is not selected (no authority information access or CRL distribution point extensions).

  • By default, the validity period is two weeks.

  • The Network Service account on the computer to which the OCSP signing certificate is issued will be granted Read permission on the private key by default. This allows the OCSP service to use the private key.

For more information about the Online Responder and OCSP in Windows Server 2008, see Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder) (https://go.microsoft.com/fwlink/?LinkId=101269).

Default Templates

When a Windows Server 2008–based CA is installed, a set of default certificate templates is assigned to the CA so that the CA is immediately able to issue certificates for those templates.

Note

This behavior can be changed by setting the LoadDefaultTemplates=0 parameter in the CAPolicy.inf file prior to CA installation.

The list of which default templates are assigned has been updated in Windows Server 2008. The following table shows the default templates in Windows Server 2008 and Windows Server 2003.

Template name Windows Server 2003 Windows Server 2008

Administrator

X

X

Basic EFS

X

X

Computer

X

X

Directory E-mail Replication

X

Domain Controller

X

X

Domain Controller Authentication

X

EFS Recovery Agent

X

X

Kerberos Authentication

X

Subordinate Certification Authority

X

X

User

X

X

Web Server

X

X

In AD CS, the following preconfigured certificate templates are listed in the Certificate Templates snap-in.

Note

The Kerberos Authentication and OCSP Response Signing templates are new in Windows Server 2008 and were not installed by default with Windows Server 2003 enterprise CAs.

Default templates in Windows Server 2008

Name Description Key usage Subject type Applications used for enhanced key usage Application policies or enhanced key usage

Administrator

Allows trust list signing and user authentication

Signature and encryption

User

Microsoft trust list signing

Encrypting File System (EFS)

Secure e-mail

Client authentication

4.1

Authenticated Session

Allows subjects to authenticate to a Web server

Signature

User

Client authentication

3.1

Basic EFS

Used by EFS to encrypt data

Encryption

User

EFS

3.1

CA Exchange

Used to protect private keys as they are sent to the CA for private key archival

Encryption

Computer

Private key archival

106.0

CEP Encryption

Allows the holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests; used by the Network Device Enrollment Service for its key exchange certificate

Encryption

Computer

Certificate request agent

4.1

Code Signing

Used to digitally sign software

Signature

User

Code signing

3.1

Computer

Allows a computer to authenticate itself on the network

Signature and encryption

Computer

Client authentication

Server authentication

5.1

Cross-Certification Authority

Used for cross-certification and qualified subordination

Signature

Certificate signing

CRL signing

Cross-certified CA

105.0

Directory E-mail Replication

Used to replicate e-mail within AD DS

Signature and encryption

Directory e-mail replication

Directory service e-mail replication

115.0

Domain Controller

Used by domain controllers as all-purpose certificates and is superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication

Signature and encryption

Directory e-mail replication

Client authentication

Server authentication

4.1

Domain Controller Authentication

Used to authenticate Active Directory computers and users

Signature and encryption

Computer

Client authentication

Server authentication

Smart card logon

110.0

EFS Recovery Agent

Allows the subject to decrypt files that are encrypted with EFS

Encryption

User

File recovery

6.1

Enrollment Agent

Used to request certificates on behalf of another user

Signature

User

Certificate request agent

4.1

Enrollment Agent (Computer)

Used to request certificates on behalf of another computer

Signature

Computer

Certificate request agent

5.1

Exchange Enrollment Agent (Offline request)

Used to request certificates on behalf of another user and supply the user name in the request; used by the Network Device Enrollment Service for its enrollment agent certificate

Signature

User

Certificate request agent

4.1

Exchange Signature Only

Used by the Microsoft Exchange Key Management service to issue certificates to Exchange users for digitally signing e-mail

Signature

User

Secure e-mail

6.1

Exchange User

Used by the Microsoft Exchange Key Management service to issue certificates to Exchange users for encrypting e-mail

Encryption

User

Secure e-mail

7.1

IPSec

Used by IP security (IPsec) to digitally sign, encrypt, and decrypt network communication

Signature and encryption

Computer

IPsec Internet Key Exchange (IKE) intermediate

8.1

IPSec (Offline request)

Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request

The Network Device Enrollment Service in Windows Server 2008 uses this template by default for device certificates

Signature and encryption

Computer

IPSec IKE intermediate

7.1

Kerberos Authentication

New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers

Signature and encryption

Computer

Client authentication

Server authentication

Smart card logon

KDC authentication

110.0

Key Recovery Agent (KRA)

Recovers private keys that are archived on the CA; for more information, see Key archival and recovery (https://go.microsoft.com/fwlink/?LinkID=89551).

Encryption

Key recovery agent

Key recovery agent

105.0

OCSP Response Signing

New in Windows Server 2008, this template issues certificates used by the OCSP service provider to sign OCSP responses; by default, these certificates contain a special OCSP no revocation checking extension and no authority information access or CRL distribution point extensions

Signature

Computer

OCSP signing

101.0

Remote Access Service (RAS) and Internet Authentication Service (IAS) Server

Enables RAS and IAS servers to authenticate their identity to other computers

Signature and encryption

Computer

Client authentication

Server authentication

101.0

Root CA

Used to prove the identity of the root CA

Signature

Certificate signing

CRL signing

CA

5.1

Router (Offline request)

Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate

Signature and encryption

Computer

Client authentication

4.1

Smart Card Logon

Allows the holder to authenticate its identity by using a smart card

Signature and encryption

User

Client authentication

Smart card logon

6.1

Smart Card User

Allows the holder to authenticate its identity and protect e-mail by using a smart card

Signature and encryption

User

Secure e-mail

Client authentication

Smart card logon

11.1

Subordinate CA

Used to prove the identity of the subordinate CA; it is issued by the parent or root CA

Signature

Certificate signing

CRL signing

CA

5.1

Trust List Signing

Allows the holder to digitally sign a trust list

Signature

User

Microsoft trust list signing

3.1

User

Used by users for e-mail, EFS, and client authentication

Signature and encryption

User

EFS

Secure e-mail

Key usage

3.1

User Signature Only

Allows users to digitally sign data

Signature

User

Secure e-mail

Client authentication

4.1

Web Server

Proves the identity of a Web server

Signature and encryption

Computer

Server authentication

4.1

Workstation Authentication

Enables client computers to authenticate their identity to servers

Signature and encryption

Computer

Client authentication

101.0