Advanced Features

Applies To: Windows Server 2003 with SP1

This section discusses templates that require certificate manager approval, self-registration authority, and how to supersede a certificate template.

Requiring Certificate Manager Approval

A specific certificate template can require that a certificate manager (CA officer) approve the request prior to the CA actually signing and issuing the certificate. This advanced security feature works in conjunction with autoenrollment and is enabled on the Issuance Requirements tab of a given certificate template (Figure 17). This setting overrides any pending setting on the CA itself.

Once certificate manager approval is required, no automatic enrollment request is issued until a certificate manager manually approves it.

Figure 17: Setting the Requirement for Certificate Manager Approval

The autoenrollment process will periodically check the CA for approved requests and install the certificates automatically. Smart cards, user certificates, and machine certificates support pending requests. In the case of smart cards, the user will be prompted to insert the smart card when the certificate is issued so that the certificate may be written to the card.

Note

The autoenrollment process supports a maximum of one signature requirement on the template. This limitation exists to support the self-registration authority feature described in Self-Registration Authority. If multiple signatures are desired for a given certificate enrollment, manual enrollment should be used.

Self-Registration Authority

The self-registration authority (Self RA) is an advanced feature of certificate enrollment that may be combined with the autoenrollment process.

Self RA refers to certificate enrollment based on the existence of a previously enrolled certificate, in which the user's private key is used to sign the new certificate request. The Certificate Management Messages over CMS (CMC) protocol provides for this feature, where one or more signatures may be used or required for a given certificate enrollment. Self RA requirements are defined in a certificate template, which may be managed using the Certificate Templates MMC snap-in.

  • To add an issuance (signature) requirement to a certificate template, open the template and click the Issuance Requirements tab.

    To add a signature or issuance requirement, select the This number of authorized signatures check box and add the appropriate number in the following number field (Figure 18).

    Now you may add specific requirements for the signing certificate.

    Figure 18: Setting the Number of Authorized Signatures

The previous setting is a useful configuration for customers who want to manually enroll users for smart cards with an enrollment station. Then they can supersede the original template with a new template with the previous settings to allow automatic renewal through the autoenrollment process, which will require the user to sign the renewal request with the old certificate.

Additional Self RA Example: You could add the Application Policy for a smart card logon certificate that would be used to enroll for an EFS certificate. This would mandate that users sign their request for an autoenrolled EFS certificate with a valid smart card certificate. The user would then be prompted to insert a smart card and enter a PIN when autoenrollment was activated for the EFS certificate.

Superseding Certificate Templates

Certificate autoenrollment also supports the concept of superseding a template or a previously enrolled certificate. Superseding a template allows an administrator to re-enroll, change, or combine previously issued certificate enrollments into a new certificate enrollment. Autoenrollment always examines existing certificates in the user's store and determines if the template used in the issued certificate has been superseded. If a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting.

Benefits

Superseding certificate templates is especially useful in the following scenarios.

  • Changing certificate lifetime

  • Increasing key size

  • Adding extended key usage or application policies

  • Correcting enrollment policy errors

  • Updating users from version 1 templates to version 2 templates

To create or modify a template to supersede an existing certificate

  1. Open the Properties of the template that is to take precedence, click the Superseded Templates tab (Figure 20), and then click Add.

  2. Select the template you want to supersede (Figure 19), and then click OK.

    Figure 19: Selecting a Template to Supersede

  3. The template will be added to the Superseded Templates tab (Figure 20). If you wish to add additional templates that should be superseded with this new template, click Add and repeat. Otherwise, click OK.

    Figure 20: Listing Superseded Templates

Note

Superseding a certificate always generates a new private key for the user or machine.
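
The manager-approval, authorized-signature, and supersedence settings described in this section are stored as attributes on each certificate template object in Active Directory. The following PowerShell function is an added example, not part of the original documentation, that reports those settings for review. The function name is hypothetical and all template names and values are constructed sample data.

```powershell
# Added example. Input objects mirror attributes of pKICertificateTemplate
# objects in AD; every template name and value below is constructed sample data.
$CT_FLAG_PEND_ALL_REQUESTS = 0x2   # msPKI-Enrollment-Flag bit: certificate manager approval

function Get-TemplateIssuanceAudit {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Template)

    # Index: superseded template name -> names of the templates that supersede it.
    $supersededBy = @{}
    foreach ($t in $Template) {
        foreach ($old in @($t.'msPKI-Supersede-Templates')) {
            if (-not $old) { continue }
            if (-not $supersededBy.ContainsKey($old)) { $supersededBy[$old] = @() }
            $supersededBy[$old] += $t.Name
        }
    }

    foreach ($t in $Template) {
        $sigs = [int]$t.'msPKI-RA-Signature'   # "This number of authorized signatures"
        [pscustomobject]@{
            Template        = $t.Name
            ManagerApproval = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
            AuthorizedSigs  = $sigs
            SignerAppPolicy = @($t.'msPKI-RA-Application-Policies') -join ','
            # Autoenrollment supports at most one signature requirement.
            OverAutoenrollSigLimit = ($sigs -gt 1)
            Supersedes      = @($t.'msPKI-Supersede-Templates') -join ','
            SupersededBy    = @($supersededBy[$t.Name]) -join ','
        }
    }
}

# Constructed sample: a manually enrolled smart card template, its Self RA
# replacement, an EFS template signed with a smart card logon certificate,
# and a template that needs two signatures (manual enrollment only).
$sample = @(
    [pscustomobject]@{ Name = 'SmartcardUserV1'; 'msPKI-Enrollment-Flag' = 0; 'msPKI-RA-Signature' = 0 }
    [pscustomobject]@{ Name = 'SmartcardUserV2'; 'msPKI-Enrollment-Flag' = 0x2; 'msPKI-RA-Signature' = 1
                       'msPKI-Supersede-Templates' = @('SmartcardUserV1') }
    [pscustomobject]@{ Name = 'EfsSelfRA'; 'msPKI-Enrollment-Flag' = 0; 'msPKI-RA-Signature' = 1
                       'msPKI-RA-Application-Policies' = @('1.3.6.1.4.1.311.20.2.2') } # Smart Card Logon OID
    [pscustomobject]@{ Name = 'DualSigned'; 'msPKI-Enrollment-Flag' = 0x2; 'msPKI-RA-Signature' = 2 }
)
Get-TemplateIssuanceAudit -Template $sample | Format-Table -AutoSize
```

To review a live forest, pass the output of `Get-ADObject` (ActiveDirectory module) for the `pKICertificateTemplate` objects under `CN=Certificate Templates,CN=Public Key Services,CN=Services` in the configuration naming context, requesting the four `msPKI-*` attributes with `-Properties`.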