Certificate Templates Best practices

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices

Do not delete the Cert Publishers security group

  • The Cert Publishers security group contains the computer account of each enterprise certification authority in the domain and is the group through which a CA is granted the right to publish issued certificates to Active Directory (for example, to the userCertificate attribute of the subject's user or computer object when a template has the "Publish certificate in Active Directory" option set). If this group is removed, or a CA's computer account is taken out of it, that CA can no longer publish certificates to Active Directory correctly and enrollment requests that depend on publication will fail. Do not delete the group and do not modify its membership by hand; CA setup adds the CA computer account automatically.

Do not exceed the certificate lifetime of the issuing certification authority

  • Certificate lifetimes are bounded by the lifetime of the issuing certification authority's (CA) certificate. Every certificate, including the CA certificate itself, has an expiration date after which it is no longer valid, and a chain cannot be validated past the expiration of the CA certificate that signed it. A CA therefore cannot issue a certificate whose validity period extends beyond its own certificate's expiration; a Windows CA enforces this by truncating the validity period of any certificate it issues so that it ends no later than the CA certificate's expiration date, regardless of the validity period configured in the template. As the CA certificate nears expiration, newly issued certificates consequently become shorter-lived. The CA continues to issue certificates until its certificate expires or until the requested template's renewal period is greater than the CA certificate's remaining lifetime. Renew the CA certificate well before that point, and keep template validity periods short relative to the CA certificate's lifetime so that truncation does not silently shorten issued certificates.

Plan certificate templates before deployment

  • Certificates can be issued to subjects in several ways, including manual enrollment, autoenrollment, and Web enrollment. There are also several certificate strategies, ranging from issuing one all-inclusive certificate to every subject to issuing separate application-specific certificates to subjects only as each application requires them. Each choice affects which templates are needed, which subject types and key usages they carry, and who is permitted to enroll. Because there are so many options, template planning should be completed well in advance of certificate deployment.

Upgrade the certificate templates in Active Directory before upgrading from Windows 2000

  • Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities use a newer version of certificate templates (version 2 templates) than Windows 2000 certification authorities (version 1 templates). Because templates are stored in Active Directory and shared by every CA in the forest, the templates in Active Directory must be upgraded before the certification authorities themselves are upgraded to ensure proper operation.

    For more information, see Install new templates and upgrade existing templates.

Duplicate new templates from existing templates closest in function to the intended template

  • New certificate templates are always created by duplicating an existing template, and most settings of the original are copied into the duplicate. Duplicating a template of a totally different type can therefore carry over unintended settings. Before duplicating, examine the subject type of the original template (user, computer, or CA) and choose one whose function is as close as possible to that of the intended template. Although most settings of a certificate template can be edited after it is duplicated, the subject type cannot be changed; if the wrong subject type is inherited, the only remedy is to delete the duplicate and start again from a suitable template.

    For a list of certificate templates and their subject types, see Default Certificate Templates.
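The two checks above (a template's validity and renewal periods against the issuing CA certificate's remaining lifetime, and a template's subject type before duplicating it) can be done from one query against the Configuration partition, where certificate templates are stored. The following Windows PowerShell script is an added example and is not part of the original article. It assumes a domain-joined machine with read access to the Configuration partition, and it assumes the issuing CA's certificate has been exported to a file whose path is passed as `$CaCertPath` (a hypothetical path; adjust it). The period attributes `pKIExpirationPeriod` and `pKIOverlapPeriod` are 8-byte negative counts of 100-nanosecond intervals, and the subject type is taken from the `flags` attribute bits defined in MS-CRTD (0x40 machine, 0x80 CA, 0x800 cross CA).

```powershell
# Added example, not the article's own code. Assumptions: run on a domain-
# joined host with read access to the Configuration partition; $CaCertPath
# (hypothetical default) points at an exported copy of the issuing CA cert.
param(
    [string]$CaCertPath = ".\issuing-ca.cer"
)

# Certificate templates live in one forest-wide container.
$rootDse     = [ADSI]"LDAP://RootDSE"
$configNc    = [string]$rootDse.configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$templatesDn"
$searcher.Filter     = "(objectClass=pKICertificateTemplate)"
$searcher.PageSize   = 500
foreach ($attr in "cn", "flags", "pKIExpirationPeriod", "pKIOverlapPeriod") {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

# pKIExpirationPeriod / pKIOverlapPeriod: little-endian Int64, negative,
# in 100 ns units, which is the same unit as .NET TimeSpan ticks.
function ConvertFrom-PkiPeriod($value) {
    if ($value -eq $null -or $value.Count -eq 0) { return [TimeSpan]::Zero }
    $ticks = [BitConverter]::ToInt64([byte[]]$value[0], 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

# Subject type from the template's flags attribute (MS-CRTD bit values).
function Get-TemplateSubjectType([int]$flags) {
    if ($flags -band 0x800) { return "CrossCA" }
    if ($flags -band 0x80)  { return "CA" }
    if ($flags -band 0x40)  { return "Computer" }
    return "User"
}

# Remaining lifetime of the issuing CA certificate.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
$caRemaining = $caCert.NotAfter - (Get-Date)

$report = foreach ($result in $searcher.FindAll()) {
    $p        = $result.Properties
    $validity = ConvertFrom-PkiPeriod $p["pkiexpirationperiod"]
    $renewal  = ConvertFrom-PkiPeriod $p["pkioverlapperiod"]
    New-Object PSObject -Property @{
        Template     = [string]$p["cn"][0]
        SubjectType  = Get-TemplateSubjectType ([int]$p["flags"][0])
        ValidityDays = [int]$validity.TotalDays
        RenewalDays  = [int]$renewal.TotalDays
        # The CA will cut the issued lifetime back to its own expiration.
        Truncated    = ($validity -gt $caRemaining)
    }
}

"Issuing CA '{0}' expires {1:u} ({2} days remaining)" -f $caCert.Subject, $caCert.NotAfter, [int]$caRemaining.TotalDays
$report | Sort-Object Template |
    Format-Table Template, SubjectType, ValidityDays, RenewalDays, Truncated -AutoSize
```

Run it from any domain-joined machine; no CA-side access is needed because templates are read from the Configuration partition and the CA certificate from the exported file. A `True` in the Truncated column marks a template whose configured validity is already longer than the CA certificate's remaining lifetime, so certificates issued from it will be shortened, and the SubjectType column is what to consult before choosing which template to duplicate.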