Deploying Certificate Templates

Applies To: Windows Server 2008 R2

When you create an enterprise certification authority (CA), certificate templates are stored in Active Directory Domain Services (AD DS) and can be made available to all enterprise CAs in the forest. This simplifies replication, security management, and the upgrade of certificate templates when a CA is upgraded to a more recent version of a Windows server operating system. Note that this requires the root domain's Domain Admins group to have Full Control permission on all certificate templates or for this permission to be granted to another user or group.

Once you have planned and created the appropriate certificate templates, they will be replicated automatically to all domain controllers in the enterprise. This replication normally takes approximately eight hours to complete. Because of this interval, you should create the certificate template and allow it to replicate before issuing certificates based on the certificate template to clients. This is best accomplished during an idle time in your environment. Configuring templates and using certificates before replication is completed can have unwanted effects.