Configure Certificate Templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, Windows Server 2003 enterprise CAs are enabled upon installation to issue a variety of certificate types. You can use the Certification Authority MMC snap-in to make the following modifications to this default configuration:

  • Specify the certificate types that are to be issued by each CA.

  • Delete from the Certificate Templates container any default certificate templates that you do not want the CA to issue.

  • Add additional certificate templates that the CA can issue.

You can configure CAs to support one or multiple security functions by:

  • Configuring root or intermediate CAs to issue subordinate certification authority certificates only.

  • Configuring an issuing CA that supports secure Web communication services to issue authenticated session, computer, and Web server certificates only.

  • Configuring an issuing CA that supports general business users to issue user certificates only, or configuring a CA that supports administrators to issue administrator certificates only.

  • Configuring an issuing CA that supports smart card enrollment to issue smart card logon and smart card user certificates only.

The access control lists (ACLs) for each certificate template control the permissions needed to request certificate types. An enterprise CA grants certificate requests only for users, computers, or services that have the Enroll permission selected in the ACLs for that certificate template. The ACLs for certificate templates are preconfigured to enable various default user accounts and security groups to enroll for certificate types.

You can use the Certificate Templates MMC snap-in to modify the ACLs for each certificate template. For example, by default, only members of the Domain Administrators security group can request and obtain enrollment agent certificates. However, to specify that only certain members of your security department can request and obtain enrollment agent certificates, you can change the ACLs for the enrollment agent certificate template. You can remove Domain Admins from the ACL and add the appropriate user accounts or security groups.
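The following PowerShell script is an added example, not part of the original page or of the product documentation: it reads a template's ACL from the Configuration naming context and lists every principal that effectively holds Enroll, so an administrator can verify that the narrowing described above actually took effect. It assumes a domain-joined host with read access to the Configuration partition; the template name and the list of "broad" groups are placeholders to adjust.

```powershell
# Added example (not from the original page): list the principals that can
# enroll for one certificate template by reading the template's ACL from the
# Configuration naming context, where enterprise CAs store their templates.
# Assumptions: domain-joined host, domain user with read access, and
# $TemplateName is a placeholder (the enrollment agent template's CN in AD is
# 'EnrollmentAgent'; adjust if your forest uses a different name).
param([string]$TemplateName = 'EnrollmentAgent')

# Well-known GUID of the Certificate-Enrollment extended right.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
# Placeholder list of groups far broader than "certain members of security".
$broadGroups = 'Domain Users', 'Authenticated Users', 'Everyone', 'Domain Computers'

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$acl      = $template.ObjectSecurity    # System.DirectoryServices.ActiveDirectorySecurity
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

$acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            # Explicit Enroll, or "all extended rights" (ObjectType = empty GUID) ...
            ((($_.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0) -and
             ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [Guid]::Empty)) -or
            # ... or Full Control, which implies Enroll.
            (($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll)
        )
    } |
    ForEach-Object {
        $who  = $_.IdentityReference.Value
        $name = $who.Split('\')[-1]
        [pscustomobject]@{
            Principal = $who
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
            Broad     = $broadGroups -contains $name   # review any row marked True
        }
    } | Format-Table -AutoSize

# To stop the CA from offering the template at all (the page's first option),
# remove it from the CA's issue list on the CA host:
#   certutil -SetCATemplates -EnrollmentAgent
```

Rows marked Broad, and any inherited Allow rule you did not add deliberately, are the ones to reconcile against the intended list of enrollment agent requesters.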

For Windows Server 2003 stand-alone CAs, information about the certificate type must be included in the certificate request because stand-alone CAs do not use certificate templates. You can use stand-alone CAs with custom policy modules and custom certificate request applications to control the types of certificates that are issued.