Walkthroughs (Implementing and Administering Certificate Templates in Windows Server 2003)

Applies To: Windows Server 2003 with SP1

Creating a Version 2 Certificate Template

To create a new version 2 certificate template

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click an existing certificate template that will serve as the starting point for the new template, and then click Duplicate Template.

  4. On the General tab, enter the Template display name and the template name, and then click OK.

  5. Define any additional attributes for the newly created version 2 certificate template.

Defining Application and Issuance Policies

When you create a version 2 certificate template, you can define which application and issuance policies are included in the issued certificates. Defining application and issuance policies requires the completion of three tasks:

  • Acquiring Object Identifiers for the application and issuance policies

  • Defining the application and issuance policies

  • Mapping issuance policies between PKI hierarchies

Acquiring Object Identifiers

If you define a custom application policy or issuance policy, you must obtain an object identifier for the policy.

To acquire an object identifier

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task as described in the Delegating Template Management section.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you wish to modify, and then click Properties.

  4. On the Extensions tab, click Application Policies, and then click Edit.

  5. In the Edit Application Policies Extension dialog box, click Add.

  6. In Add Application Policy, ensure that the application policy you are creating does not already exist, and then click New.

  7. In the New Application Policy dialog box, provide the name for the new application policy, note the generated object identifier, and then click OK.

Note

You could also add new object identifiers by editing Certificate Policies rather than Application Policies.

Establishing Application Policies

Once you have defined any custom application policies, you can then associate the application policy with the certificate template using the following procedure:

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you want to change, and then click Properties.

  4. On the Extensions tab, click Application Policies, and then click Edit.

  5. In Edit Application Policies Extension, click Add.

  6. In Add Application Policy, click the desired application policy, and then click OK.

Establishing Issuance Policies

Once you have defined any custom issuance policies, you can then associate the issuance policy with the certificate template using the following procedure:

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you want to change, and then click Properties.

  4. On the Extensions tab, click Certificate Policies, and then click Edit.

  5. In Edit Issuance Policies Extension, click Add.

  6. In Add Issuance Policy, click New.

  7. Provide the requested information.

Mapping Issuance Policies between PKI Hierarchies

When performing qualified subordination, it may be necessary to associate issuance policies in your organization with issuance policies defined in another organization. The policy mappings are defined in the policy.inf file used to generate the Cross-Certification Authority certificate.

In the policy.inf file, you must include a [PolicyMappingsExtension] section that maps the policies listed in the [PolicyStatementExtension] section of the same file to the policies defined in the other PKI hierarchy. The following example shows a section of a policy.inf file that maps issuance policies for high, medium, and low assurance between two organizations.

    [PolicyStatementExtension]
    Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy
    Critical = FALSE
    [HighAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.256.257.258.259.1.402
    [MediumAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.256.257.258.259.1.401
    [LowAssurancePolicy]
    OID = 1.3.6.1.4.1.311.21.8.256.257.258.259.1.400
    [PolicyMappingsExtension]
    1.3.6.1.4.1.311.21.8.256.257.258.259.1.400 = 1.3.6.1.4.1.311.21.8.354.232.582.111.1.400
    1.3.6.1.4.1.311.21.8.256.257.258.259.1.401 = 1.3.6.1.4.1.311.21.8.354.232.582.111.1.401
    1.3.6.1.4.1.311.21.8.256.257.258.259.1.402 = 1.3.6.1.4.1.311.21.8.354.232.582.111.1.402
    Critical = Yes

This example maps the object identifiers for the high assurance, medium assurance, and low assurance policies to object identifiers that exist in the other organization's PKI. The other organization must define a policy.inf file that maps the object identifiers in the opposite direction so that the object identifiers are recognized by both organizations.
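The requirement that both organizations map in opposite directions is easy to get wrong by hand. The checker below is an added example, not part of the original walkthrough or of any Microsoft tool: it parses a policy.inf excerpt from each organization with Python's configparser and reports any local policy that is left unmapped, any mapping target the partner does not declare, and any mapping the partner does not reverse. The OID arcs, the sample files and the helper names are constructed for this illustration.

```python
import configparser
import re

OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
# Constructed arcs shaped like the walkthrough's sample; they are not real assignments.
OUR_ARC = "1.3.6.1.4.1.311.21.8.256.257.258.259"
PARTNER_ARC = "1.3.6.1.4.1.311.21.8.354.232.582.111"

def make_inf(local_arc, partner_arc):
    """Constructed policy.inf excerpt: three local policies mapped to same-numbered partner ones."""
    lines = ["[PolicyStatementExtension]",
             "Policies = HighAssurancePolicy, MediumAssurancePolicy, LowAssurancePolicy",
             "Critical = FALSE"]
    for name, n in (("HighAssurancePolicy", 402), ("MediumAssurancePolicy", 401),
                    ("LowAssurancePolicy", 400)):
        lines += [f"[{name}]", f"OID = {local_arc}.1.{n}"]
    lines.append("[PolicyMappingsExtension]")
    lines += [f"{local_arc}.1.{n} = {partner_arc}.1.{n}" for n in (400, 401, 402)]
    lines.append("Critical = Yes")
    return "\n".join(lines)

def parse_policy_inf(text):
    """Return (set of declared issuance-policy OIDs, dict local OID -> partner OID)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    names = [n.strip() for n in cp["PolicyStatementExtension"]["policies"].split(",")]
    declared = {cp[n]["oid"] for n in names}
    mappings = {k: v for k, v in cp["PolicyMappingsExtension"].items() if k != "critical"}
    return declared, mappings

def check_mappings(our_inf, partner_inf):
    """List inconsistencies between the two files; an empty list means they agree."""
    ours, our_map = parse_policy_inf(our_inf)
    theirs, their_map = parse_policy_inf(partner_inf)
    problems = []
    for local, remote in our_map.items():
        if not (OID_RE.match(local) and OID_RE.match(remote)):
            problems.append(f"malformed mapping: {local} = {remote}")
            continue
        if local not in ours:
            problems.append(f"{local} is mapped but not declared in [PolicyStatementExtension]")
        if remote not in theirs:
            problems.append(f"{remote} is not an issuance policy the partner declares")
        if their_map.get(remote) != local:
            problems.append(f"partner does not map {remote} back to {local}")
    for local in ours - set(our_map):
        problems.append(f"declared policy {local} has no entry in [PolicyMappingsExtension]")
    return problems
```

Calling check_mappings(make_inf(OUR_ARC, PARTNER_ARC), make_inf(PARTNER_ARC, OUR_ARC)) returns an empty list; swap or mistype one OID on either side and the returned list names the mapping that no longer round-trips.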

Configuring Permissions for a Certificate Template

This section explains how to define permissions for specific certificate templates and how to delegate permission to manage certificate templates.

Allowing for Enrollment

To define permissions to allow a specific security principal to enroll for certificates based on a certificate template

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you want to change, and then click Properties.

  4. On the Security tab, ensure that Authenticated Users is assigned Read permissions.

    This ensures that all authenticated users on the network can see the certificate templates.

  5. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK.

  6. On the Security tab, select the newly added security group, and then assign Allow permissions for the Read and Enroll permissions.

  7. Click OK.

Allowing for Auto-Enrollment

To define permissions to allow a specific security principal to auto-enroll for certificates based on a certificate template

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you want to change, and then click Properties.

  4. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK.

  5. On the Security tab, select the newly added security group, and then assign Allow permissions for the Read, Enroll, and Auto-enroll permissions.

  6. Click Apply.

Note

For more information about configuring certificate auto-enrollment, see the Certificate Autoenrollment in Windows XP white paper at https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/certenrl.mspx

Allowing Creation and Modification of any Certificate Template

To delegate administration of all templates (which includes the ability to duplicate and create new templates)

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the ADSIEdit console (Adsiedit.msc).

  3. In the console tree, right-click ADSI Edit, and then click Connect to.

  4. In the Connection dialog box, in the Connection Point section, click Naming Context, select Configuration Container from the list below Naming Context, and then click OK.

  5. In the console tree, expand ADSI Edit.

  6. In the console tree, expand Configuration Container.

  7. In the console tree, expand CN=Configuration,DC=ForestRootDomain (where ForestRootDomain is the LDAP distinguished name of your forest root domain).

  8. In the console tree, expand CN=Services.

  9. In the console tree, expand CN=Public Key Services.

  10. In the console tree, right-click CN=Certificate Templates, and then click Properties.

  11. In the CN=Certificate Templates Properties dialog box, on the Security tab, click Add. Add a global or universal group that contains the users you wish to delegate certificate creation and management permissions to, and then click OK.

  12. On the Security tab, select the newly added security group, ensure that the security group is assigned Allow permissions for the Full Control permission, and then click OK.

  13. In the console tree, right-click CN=OID, and then click Properties.

  14. In the CN=OID Properties dialog box, on the Security tab, click Add. Add a global or universal group that contains the users you wish to delegate certificate creation and management permissions to, and then click OK.

  15. On the Security tab, select the newly added security group, ensure that the security group is assigned Allow permissions for the Full Control permission, and then click OK.

  16. Close ADSI Edit.

  17. Ensure that the security group assigned full control permissions to the CN=Certificate Templates and CN=OID containers is also assigned full control permissions for all certificate templates listed in the Certificate Templates MMC console (Certtmpl.msc).

Publishing a Certificate Template

To define which certificate templates are issued by a Certification Authority

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. From Administrative Tools, open the Certification Authority MMC console.

  3. In the console tree, expand CAName (where CAName is the name of your Enterprise CA).

  4. In the console tree, select the Certificate Templates container.

    Note

    If working with a Windows 2000 CA, the container is named Policy Settings.

  5. Right-click Certificate Templates, and then click New, Certificate Template to Issue.

  6. In the Enable Certificate Templates dialog box, select the certificate template(s) you wish the CA to issue, and then click OK.

Note

If a certificate template is not listed in the Enable Certificate Templates dialog box, either the CA is already configured to issue the certificate template, or the certificate template has not yet replicated to all domain controllers in the forest.

The newly selected certificate template(s) will appear in the details pane.

Removing a Certificate Template from a CA

Removing a certificate template only unlinks the template from the CA; it does not delete the template from the certificate template store.

To remove a certificate template from the certificate templates currently issued by a Certification Authority

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. From Administrative Tools, open the Certification Authority MMC console.

  3. In the console tree, expand CAName (where CAName is the name of your Enterprise CA).

  4. In the console tree, select the Certificate Templates container.

    Note

    If working with a Windows 2000 CA, the container is named Policy Settings.

  5. In the details pane, right-click the certificate template you wish to remove from the CA, and then click Delete.

  6. In the Disable Certificate Templates dialog box, click Yes.

The certificate template no longer appears in the details pane.

Replace an Existing Certificate Template with a New Certificate Template

This process, also referred to as superseding an existing template, defines which existing templates a version 2 certificate template is replacing.

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template you want to change, and then click Properties.

  4. Click the Superseded Templates tab.

  5. Click Add.

  6. Click one or more templates to supersede, and then click OK.

Re-Enroll Certificate Holders

If you make modifications to a certificate template that you wish implemented immediately for all existing certificate holders, you can force re-enrollment by using the following procedure:

  1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

  2. Open the Certificate Templates MMC console (Certtmpl.msc).

  3. In the details pane, right-click the certificate template that you wish to re-enroll for all certificate holders, and then click Reenroll All Certificate Holders.