Default Certificate Templates

Applies To: Windows Server 2008 R2

A number of preconfigured certificate templates that are designed to meet the needs of most organizations are included with Windows Server 2008–based enterprise certification authorities (CAs). These templates are described in the following table.

Name Description Key usage Subject type Published to Active Directory Domain Services (AD DS)? Template version

Administrator

Allows trust list signing and user authentication.

Signature and encryption

User

Yes

1

Authenticated Session

Allows the subject to authenticate to a Web server.

Signature

User

No

1

Basic EFS

Used by Encrypting File System (EFS) to encrypt data.

Encryption

User

Yes

1

CA Exchange

Used to store keys that are configured for private key archival.

Encryption

Computer

No

2

CEP Encryption

Allows the certificate holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests.

Encryption

Computer

No

1

Code Signing

Used to digitally sign software.

Signature

User

No

1

Computer

Allows a computer to authenticate itself on the network.

Signature and encryption

Computer

No

1

Cross-Certification Authority

Used for cross-certification and qualified subordination.

Signature

Cross-certified CA

Yes

2

Directory E-mail Replication

Used to replicate e-mail within AD DS.

Signature and encryption

Computer

Yes

2

Domain Controller

Used by domain controllers as all-purpose certificates.

Signature and encryption

Computer

Yes

1

Domain Controller Authentication

Used to authenticate Active Directory computers and users.

Signature and encryption

Computer

No

2

EFS Recovery Agent

Allows the subject to decrypt files that were previously encrypted with EFS.

Encryption

User

No

1

Enrollment Agent

Used to request certificates on behalf of another subject.

Signature

User

No

1

Enrollment Agent (Computer)

Used to request certificates on behalf of another computer subject.

Signature

Computer

No

1

Exchange Enrollment Agent (Offline request)

Used to request certificates on behalf of another subject and supply the subject name in the request.

Signature

User

No

1

Exchange Signature Only

Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail.

Signature

User

No

1

Exchange User

Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail.

Encryption

User

Yes

1

IPSEC

Used by Internet Protocol security (IPsec) to digitally sign, encrypt, and decrypt network communication.

Signature and encryption

Computer

No

1

IPSEC (Offline request)

Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request.

Signature and encryption

Computer

No

1

Kerberos Authentication

Used to authenticate Active Directory computers and users.

Signature and encryption

Computer

No

2

Key Recovery Agent

Recovers private keys that are archived on the CA.

Encryption

Key recovery agent

No

2

OCSP Response Signing

Used by an Online Responder to sign responses to certificate status requests.

Signature

Computer

No

3

RAS and IAS Server

Enables remote access servers and Internet Authentication Service (IAS) servers to authenticate their identity to other computers.

Signature and encryption

Computer

No

2

Root Certification Authority

Used to prove the identity of the root CA.

Signature

CA

No

1

Router (Offline request)

Used by a router when requested through a SCEP request from a CA that holds a CEP Encryption certificate.

Signature and encryption

Computer

No

1

Smartcard Logon

Allows the holder to authenticate by using a smart card.

Signature and encryption

User

No

1

Smartcard User

Allows the holder to authenticate and protect e-mail by using a smart card.

Signature and encryption

User

Yes

1

Subordinate Certification Authority

Used to prove the identity of the root CA. It is issued by the parent or root CA.

Signature

CA

No

1

Trust List Signing

Allows the holder to digitally sign a trust list.

Signature

User

No

1

User

Used by users for e-mail, EFS, and client authentication.

Signature and encryption

User

Yes

1

User Signature Only

Allows users to digitally sign data.

Signature

User

No

1

Web Server

Proves the identity of a Web server.

Signature and encryption

Computer

No

1

Workstation Authentication

Enables client computers to authenticate their identity to servers.

Signature and encryption

Computer

No

2

When you duplicate a version 1 or version 2 certificate template, you can make the duplicate a version 2 or version 3 template in order to configure the advanced options available with the later versions. However, version 3 certificate templates can only be issued by Windows Server 2008–based enterprise CAs and used by clients on computers running Windows Server 2008 or Windows Vista. For more information, see Certificate Template Versions.

For information about configuration options for certificate templates, see Configuring a Certificate Template.

Additional references