Selecting Certificate Templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The certificate services that you deploy and the security requirements that are specific to your organization impact the types of certificates that you issue. You can issue multiple types of certificates to meet a variety of security requirements.

The certificate templates available with an enterprise CA in Windows 2000 Server and Windows Server 2003 define the default contents of every certificate that can be requested from a Windows enterprise CA. These certificate templates are stored in Active Directory (in the Configuration partition, so they are shared by every enterprise CA in the forest) and cannot be used with stand-alone CAs.

Certificate templates can serve a single purpose or multiple purposes. Single-purpose templates generate certificates that can be used for a single application. For example, the Smart Card Logon certificate template is designed for smart card logon only. Multipurpose templates generate certificates that can be used for a number of applications, such as Secure Sockets Layer (SSL), S/MIME, and EFS. For example, a user certificate can be used for both user authentication and EFS encryption.

Both Windows 2000 and Windows Server 2003 support single-purpose and multipurpose templates. However, CAs on Windows 2000 and on Windows Server 2003, Standard Edition can issue only version 1 templates, whose settings (other than their security permissions) are read-only and cannot be customized or extended. A CA on Windows Server 2003, Enterprise Edition (or Datacenter Edition) can also issue version 2 templates, which allow you to create new certificate templates, duplicate (clone) an existing template, and supersede templates that are already in use.

Important

  • If you are already using version 1 templates, you can upgrade them to version 2 templates. However, the Domain Admins group of the forest root domain must have Full Control permission on the version 1 templates in order to complete this upgrade. Domain administrators do not need Full Control over the templates after the upgrade has been completed.

Certificates issued from both version 1 and version 2 certificate templates include the following information:

  • Subject: the user or computer to which the certificate is issued.

  • CA that issued the certificate.

  • Serial number that uniquely identifies each certificate issued by that CA.

  • Public key value for the subject identified in the subject field.

  • Validity period of the certificate.

  • Extensions, if any, that apply to the certificate, including additional information that defines certificate purposes, restrictions, and management.

  • Digital signature of the CA, which binds the certificate contents to the issuing CA.

    Note

    • You can also create your own certificate templates.

Before the certificates are issued, you need to determine the following critical information:

  • Certificate key length

  • Certificate validity period

  • Optional certificate extensions

    Note

    • Certificate templates, in conjunction with the CA policy module, allow you to define the certificate policy that the CA applies to the certificates it issues.
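As an added example that is not part of this chapter, the following PowerShell reads the fields listed above, together with the key length and validity period, from the certificates in the current user's personal store and reports which template each certificate was issued from. An enterprise CA records the template in one of two Microsoft extensions: Certificate Template Name (OID 1.3.6.1.4.1.311.20.2) for version 1 templates and Certificate Template Information (OID 1.3.6.1.4.1.311.21.7) for version 2 templates. The function name and the choice of store are ours.

```powershell
# Added example (not taken from the original page): summarize each certificate
# in the current user's personal store and report the template it came from.
# A certificate that carries neither template extension was not issued from a
# template (for example, by a stand-alone or third-party CA).
# The function name is ours; the store path is an assumption (use
# Cert:\LocalMachine\My for computer certificates).

$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (version 1 templates)
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (version 2 templates)

function Get-IssuedCertificateSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        # The template's "certificate purposes" end up in the Enhanced Key Usage extension.
        $purposes = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { if ($_.FriendlyName) { $_.FriendlyName } else { $_.Value } }
        $purposeText = if ($purposes) { $purposes -join ', ' } else { 'All (no EKU extension)' }

        # Either of the two Microsoft template extensions identifies the issuing template.
        $template = $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $TemplateNameOid -or $_.Oid.Value -eq $TemplateInfoOid } |
            ForEach-Object { $_.Format($false).Trim() }
        $templateText = if ($template) { $template -join '; ' } else { '(not issued from a template)' }

        # Key length: PublicKey.Key is populated for RSA/DSA keys on Windows PowerShell.
        $keyBits = $null
        try { $keyBits = $Certificate.PublicKey.Key.KeySize } catch { }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Issuer             = $Certificate.Issuer
            SerialNumber       = $Certificate.SerialNumber
            PublicKeyAlgorithm = $Certificate.PublicKey.Oid.FriendlyName
            KeyLength          = $keyBits
            ValidFrom          = $Certificate.NotBefore
            ValidTo            = $Certificate.NotAfter
            Purposes           = $purposeText
            Template           = $templateText
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            ExtensionCount     = $Certificate.Extensions.Count
        }
    }
}

Get-ChildItem Cert:\CurrentUser\My | Get-IssuedCertificateSummary | Format-List
```

The Template field is the quickest way to check, after a CA has been reconfigured, that users are actually receiving certificates from the template you intended rather than from a superseded one.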

In addition, version 2 templates allow you to configure the following:

  • Customized enrollment policies

  • Policies related to validity periods

  • Policies related to application usage

  • Policies related to key usage

  • Policies related to key archiving

  • Certificate authorization

  • Domain authentication

  • Certificate administrators

  • Signed enrollment agents

  • Key creation

  • Key and CSP types

  • Certificate contents

Important

  • You must upgrade the Active Directory forest schema to the Windows Server 2003 version (by running adprep /forestprep) in order to support version 2 templates. You do not need to upgrade all domain controllers to Windows Server 2003 to perform a schema upgrade.
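The version 2 settings listed above are stored as attributes of the pKICertificateTemplate objects in the Configuration partition, and each CA's pKIEnrollmentService object records in its certificateTemplates attribute which templates that CA issues. The following PowerShell is an added example, not code from this chapter: it inventories every template with its schema version, validity period, minimum key size and purposes, decodes the enrollment, key-archival and enrollment-agent policy flags, and shows which CAs publish it. It assumes the default container names, an account that can read the Configuration partition (any authenticated user by default), and the flag values as documented in MS-CRTD; the function names are ours.

```powershell
# Added example (not from the original page): inventory certificate templates
# from Active Directory and decode their version 2 policy settings.
# Function names are ours; container paths assume a default installation.

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is a little-endian signed 64-bit count of 100-ns ticks,
    # stored negated (one year is -315360000000000).
    param([byte[]] $Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -ne 8) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-PkiTemplateReport {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

    # Build template cn -> list of CA names from the CAs' certificateTemplates attribute.
    $publishedBy = @{}
    $caSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $caSearcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $caSearcher.Filter = '(objectClass=pKIEnrollmentService)'
    foreach ($ca in $caSearcher.FindAll()) {
        $caName = [string]$ca.Properties['cn'][0]
        foreach ($t in $ca.Properties['certificatetemplates']) {
            if (-not $publishedBy.ContainsKey($t)) { $publishedBy[$t] = @() }
            $publishedBy[$t] += $caName
        }
    }

    $tplSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $tplSearcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
    $tplSearcher.Filter = '(objectClass=pKICertificateTemplate)'
    $tplSearcher.PageSize = 500
    foreach ($r in $tplSearcher.FindAll()) {
        $p  = $r.Properties
        $cn = [string]$p['cn'][0]
        $enrollFlag = [int]$p['mspki-enrollment-flag'][0]        # version 2 attributes are absent
        $keyFlag    = [int]$p['mspki-private-key-flag'][0]       # on version 1 templates, so
        $nameFlag   = [int]$p['mspki-certificate-name-flag'][0]  # these decode to 0 there

        # pKIExtendedKeyUsage holds the purpose OIDs; translate the well-known ones.
        $purposes = foreach ($oid in $p['pkiextendedkeyusage']) {
            $fn = (New-Object System.Security.Cryptography.Oid([string]$oid)).FriendlyName
            if ($fn) { $fn } else { [string]$oid }
        }
        $purposeText = if ($purposes) { $purposes -join ', ' } else { 'All (no EKU restriction)' }

        [pscustomobject]@{
            Template           = [string]$p['displayname'][0]
            Version            = [int]$p['mspki-template-schema-version'][0]
            Validity           = ConvertFrom-PkiPeriod $p['pkiexpirationperiod'][0]
            MinKeySize         = [int]$p['mspki-minimal-key-size'][0]
            Purposes           = $purposeText
            # Version 2 policy settings (flag values from MS-CRTD):
            ManagerApproval    = [bool]($enrollFlag -band 0x2)   # CT_FLAG_PEND_ALL_REQUESTS
            AutoEnroll         = [bool]($enrollFlag -band 0x20)  # CT_FLAG_AUTO_ENROLLMENT
            KeyArchival        = [bool]($keyFlag -band 0x1)      # CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL
            ExportableKey      = [bool]($keyFlag -band 0x10)     # CT_FLAG_EXPORTABLE_KEY
            SubjectFromRequest = [bool]($nameFlag -band 0x1)     # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
            AgentSignatures    = [int]$p['mspki-ra-signature'][0] # signed enrollment agents required
            PublishedBy        = ($publishedBy[$cn] -join ', ')
        }
    }
}

Get-PkiTemplateReport | Sort-Object Version, Template | Format-Table -AutoSize
```

A template with SubjectFromRequest set, no ManagerApproval and no AgentSignatures lets any enrollee choose the subject name of the certificate they receive, so those three columns together are the ones to read first when reviewing a template that grants an authentication purpose.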

Certificate templates can only be used when the server that is running Certificate Services is an enterprise CA. Enterprise CAs can issue a variety of certificate types based on the templates. You can configure each enterprise CA to issue only specific types of certificates. Table 16.6 lists the different types of version 1 certificate templates that are available, and the purposes for each.

Table 16.6   Version 1 Certificate Templates

Certificate template name                     Issued to           Certificate purposes
Administrator                                 Users               Code signing, Microsoft trust list signing, EFS, secure e-mail, client authentication
Authenticated Session                         Users               Client authentication
Basic EFS                                     Users               Encrypting File System
CEP Encryption                                Computers           Act as a registration authority (SCEP)
Code Signing                                  Users               Code signing
Domain Controller                             Computers           Client authentication, server authentication
EFS Recovery Agent                            Users               File recovery
Enrollment Agent (Computer)                   Computers           Certificate request agent
Exchange Enrollment Agent (Offline Request)   Users               Certificate request agent
Exchange User Signature                       Users               Secure e-mail, client authentication
Exchange User                                 Users               Secure e-mail, client authentication
IPSec                                         Computers           IP security
IPSec (Offline request)                       Computers           IP security
Root Certification Authority                  Computers           Identify the root CA
Router (Offline request)                      Computers/routers   Client authentication
Smartcard Logon                               Users               Client authentication
Smartcard User                                Users               Client authentication, secure e-mail
Subordinate CA                                Computers           All
Trust List Signing                            Users               Microsoft trust list signing
User                                          Users               Client authentication, secure e-mail, EFS
User Signature                                Users               Secure e-mail, client authentication
Web Server                                    Computers           Server authentication

Table 16.7 lists the version 2 certificate templates that are available in Windows Server 2003, Enterprise Edition, and the purposes for each.

Table 16.7   Version 2 Certificate Templates

Certificate template name          Issued to                        Certificate purposes
CA Exchange                        Computers (the CA itself)        Private key archival (encrypting keys sent to the CA for archiving)
Cross Certification Authority      Computers (the CA)               Qualified subordination
Directory E-mail Replication       Computers (domain controllers)   Directory service e-mail replication
Domain Controller Authentication   Computers (domain controllers)   Client authentication, server authentication, smart card logon
Key Recovery Agent                 Users                            Key recovery agent

Note

  • When you select and modify templates, create function-based names for the templates, such as domainA_e-mail or legal_signing. Function-based names help users to select the appropriate certificate for the task that they need to perform.

Delegating Administration of Certificate Templates

Although the majority of CA-related tasks are performed by administering the CA itself, certain tasks, including the administration of certificate templates, are controlled through Active Directory.

To delegate the administration of certificate templates:

  • Right-click the Certificate Templates node in the Certification Authority snap-in and click Manage. This opens the Certificate Templates snap-in, which edits the template objects stored in Active Directory.

  • Double-click the certificate template that you want to delegate.

  • On the Security tab, add the user or group to which you are delegating administration, and then select the Allow check boxes for the Read and Write permissions.

    Note

    • Write permission on a template allows the holder to change every setting in it, including the enrollment permissions and the purposes of the certificates that it issues. Grant Write only to the administrators responsible for that template, and review template permissions periodically.
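Because the template permissions live on the Active Directory objects, the delegation you just made can be reviewed centrally. The following PowerShell is an added example, not code from this chapter: it lists, for every template, each principal that holds Full Control, Write (WriteProperty, WriteDacl or WriteOwner), Enroll or Autoenroll, together with the object owner, who can always regain control. It assumes the default container names, an account that can read the templates' security descriptors, and the Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs from the Active Directory schema; the function names are ours.

```powershell
# Added example (not from the original page): audit who can modify or enroll
# from each certificate template. Function names are ours; container paths
# assume a default installation.

# Extended-right GUIDs of the controlAccessRight objects in the AD schema.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Test-Right {
    # True when any bit of $Mask is present in $Rights (enum values compared as integers).
    param($Rights, $Mask)
    return ([int]$Rights -band [int]$Mask) -ne 0
}

function Get-PkiTemplateAccess {
    param([string] $TemplateName = '*')   # cn of the template; wildcards allowed

    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    foreach ($tpl in $container.Children) {
        $cn = [string]$tpl.Properties['cn'].Value
        if ($cn -notlike $TemplateName) { continue }

        $acl   = $tpl.ObjectSecurity
        $owner = $acl.GetOwner([System.Security.Principal.NTAccount]).Value
        # Include inherited ACEs: the container's ACL applies to every template.
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            $what = @()

            if (Test-Right $rights $ADR::GenericAll) {
                $what += 'FullControl'
            } elseif (Test-Right $rights ($ADR::WriteProperty -bor $ADR::WriteDacl -bor $ADR::WriteOwner)) {
                $what += 'Write'
            }
            # ExtendedRight with an empty ObjectType grants every extended right, including Enroll.
            if (Test-Right $rights $ADR::ExtendedRight) {
                if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $EnrollRight)     { $what += 'Enroll' }
                if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $AutoEnrollRight) { $what += 'AutoEnroll' }
            }
            if ($what.Count -eq 0) { continue }

            [pscustomobject]@{
                Template  = $cn
                Principal = $ace.IdentityReference.Value
                Rights    = ($what -join ',')
                Inherited = $ace.IsInherited
                Owner     = $owner
            }
        }
    }
}

# Everyone who can change a template, across all templates:
Get-PkiTemplateAccess | Where-Object { $_.Rights -match 'Write|FullControl' } |
    Sort-Object Template, Principal | Format-Table -AutoSize

# Full picture for one template after delegating it:
Get-PkiTemplateAccess -TemplateName 'User' | Format-Table -AutoSize
```

Run the first query before and after a delegation and compare the output; any principal with Write or FullControl that is not Enterprise Admins, the forest root Domain Admins, or a group you deliberately delegated to should be explained or removed.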

For more information about certificate templates, see Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).