Fabian-7704 asked Fabian-7704 commented

Does LoadDefaultTemplates=0 in CAPolicy.inf also prevent the creation of new templates?

Initially, the certificate templates are automatically created in the configuration partition of the AD when the Certificate Template Manager is opened. I assume that if a new template is delivered with a new OS version (e.g. Kerberos Authentication in Windows Server 2008), it will create the new template when I open the manager on the new OS for the first time.

As I understand, LoadDefaultTemplates=0 prevents the Issue CA from automatically assigning the certificate templates and so not offering them to the clients.

Does LoadDefaultTemplates=0 also prevent the creation of new templates which are not yet in the configuration partition of the AD? Or only that the existing certificate templates in the configuration partition are not provided by the new CA?

windows-server

FanFan-MSFT answered Fabian-7704 commented

Hi,

This will not prevent the automatic creation of templates by the template manager.

It only affects the default templates, as follows:
[image: 111957-763.jpg]

It will not affect the list under the template manager:
[image: 112045-764.jpg]

I set up 2 PKIs in 2 forests: one Enterprise CA with LoadDefaultTemplates=0 and one Enterprise CA with LoadDefaultTemplates=1.

The list under the template manager doesn't have any changes.

LoadDefaultTemplates only applies during the install of an Enterprise CA.

Hope I didn't misunderstand this time.






@FanFan-MSFT thanks a lot, this answers my question
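
A read-only way to see the distinction drawn in the answer above, added here as an example that is not part of the original thread: it lists the template objects in the configuration partition next to the templates the CA is set to issue. It assumes an elevated session on the Enterprise CA with the ActiveDirectory and ADCSAdministration modules available; the variable names are illustrative.

```powershell
# Added example. Read-only: it changes nothing in AD or on the CA.
# Assumptions: run on the Enterprise CA in an elevated session, with the
# ActiveDirectory (RSAT) and ADCSAdministration modules available.
Import-Module ActiveDirectory, ADCSAdministration

# 1. Template objects stored in the configuration partition of the forest.
#    This is the list shown by the Certificate Templates console.
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$inDirectory  = @(Get-ADObject -SearchBase $templateBase -SearchScope OneLevel `
                    -LDAPFilter '(objectClass=pKICertificateTemplate)' |
                  Select-Object -ExpandProperty Name)

# 2. Templates this CA is configured to issue. Per the answers in this thread,
#    this is the list LoadDefaultTemplates controls at install time.
$issuedByCa = @(Get-CATemplate | Select-Object -ExpandProperty Name)

# 3. One row per template name, showing where it is present.
$report = foreach ($name in ($inDirectory + $issuedByCa | Sort-Object -Unique)) {
    [pscustomobject]@{
        Template    = $name
        InDirectory = $name -in $inDirectory
        IssuedByCA  = $name -in $issuedByCa
    }
}
$report | Format-Table -AutoSize

# Summary counts: many directory templates with few or none issued is the
# expected picture on a CA installed with LoadDefaultTemplates=0.
'{0} templates in directory, {1} issued by this CA' -f $inDirectory.Count, $issuedByCa.Count

# To publish a needed template on the CA later (placeholder name):
# Add-CATemplate -Name '<TemplateName>'
```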

FanFan-MSFT answered Fabian-7704 edited

Hi,
Welcome to ask here!
Based on my understanding, LoadDefaultTemplates only applies during the install of an Enterprise CA. This setting, either True or False (or 1 or 0), dictates if the CA is configured with any of the default templates.
Setting LoadDefaultTemplates=0 prevents the default templates from being added to the Enterprise CA.
After the installation, we can later add just the certificate templates that are needed.
So, it will not prevent the creation of the new templates.


Following link for your reference:

CAPolicy.inf Syntax
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/prepare-the-capolicy-inf-file

Best Regards,

Thanks for the response, this confirms what I already wrote. But my question is if this setting also prevents the automatic creation of templates by the template manager?

Steps to clarify my question:

  1. Delete all templates from Configuration Partition with adsiedit

  2. Install Enterprise Issue CA with LoadDefaultTemplates=0

  3. Start Certificate Template Management Console

  4. Check if a notification appears, which asks if non-existing templates should be created.

If the notification appears, LoadDefaultTemplates=0 has no impact on the automatic creation of default templates
