Share via


Configuring a certification authority to support certificate template options

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Configuring a certification authority to support certificate template options

Certificate templates are useful configuration elements of a Windows Server 2003, Enterprise Edition, certification authority (CA). Many of the benefits of editable templates work in conjunction with a properly configured certification authority. Although the default configuration of a certification authority will support most of the functions available, there may be deployment considerations which require reconfiguration of the certification authority.

Key archival and recovery

When you want key archival and recovery on a certification authority, three complimentary configuration settings must be made.

Cryptographic service provider

When a cryptographic service provider (CSP) is selected for a certificate template, the selected CSP must be installed on the client computer (or device, if not a computer) as well as the computer configuring the certificate template. If the CSP is not installed, it will not be available for subject requests. This will render the certificate template useless until the configuration is corrected. The CSP must also be installed on the computer where the certificate template is edited.

When selecting CSPs for a certificate template, the intended use of the certificate must also be considered. The intended functionality of the certificate must be provided by the CSP for the template to be useful. For example, if a template was created for clients to use with Encrypting File System (EFS) and the CSP selected is Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, which does not provide encryption functionality, the issued certificates will not be able to perform that function.