Configure the Web Server certificate template
Updated: October 7, 2009
Applies To: Windows 7, Windows Server 2008 R2
You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to hosted cache server computers.
Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.
To configure the certificate template and autoenrollment
On the computer where AD CS is installed, click Start, click Run, type mmc, and then click OK.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click Certification Authority. Select the CA that you want to manage, and then click Finish. The Certification Authority dialog box closes, returning you to the Add or Remove Snap-ins dialog box.
In Available snap-ins, double-click Certificate Templates, and then click OK.
In the console tree, click the Certificate Templates snap-in. All of the certificate templates are displayed in the details pane.
In the details pane, click the Web Server template.
On the Action menu, click Duplicate Template. In the Duplicate Template dialog box, select the template version that is appropriate for your deployment. For client and server interoperability reasons, it is recommended that you select Windows Server 2003 Enterprise.
Click OK. The Properties dialog box for the certificate template opens.
On the General tab, in Display Name, type a new name for the certificate template or keep the default name, Copy of Web Server.
Click the Subject Name tab. Ensure that Build from this Active Directory information is selected. In Subject name format, select DNS name.
Click the Request Handling tab. For Minimum key size, determine the best key character length for your deployment. Large key character lengths provide optimal security, but they can impact server performance. It is recommended that you keep the default setting of 2048 or, if you deem it appropriate for your deployment, reduce Minimum key size to 1024.
Click the Security tab. In Group or user names, click Add. The Select Users, Computers, Service Accounts, or Groups dialog box opens.
In Select Users, Computers, Service Accounts, or Groups, type the name of the group that you created for your hosted cache servers, and then click OK. For example, type Hosted Cache Servers.
In Properties of New Template, in Group or User Names, click the name of the group you just added. For example, if your group is named Hosted Cache Servers, click that group.
In Properties of New Template, in Permissions for Hosted Cache Servers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK. Note: If your group name is not Hosted Cache Servers, this section of the dialog box is named Permissions for Group Name, where Group Name is the name of the hosted cache servers group that you created.
In the left pane of the Microsoft Management Console (MMC), double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.
Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Web Server, and then click OK.