Deploying Certificate Templates

Applies To: Windows Server 2008

After creating a new certificate template, the next step is to deploy the certificate template so that a certification authority (CA) can issue certificates based on it. Deployment includes publishing the certificate template to one or more CAs, defining which security principals have Enroll permissions for the certificate template, and deciding whether to configure autoenrollment for the certificate template.

Best Practices for Deploying Certificate Templates

When planning a certificate template deployment, use the following best practices:

  • Do not delete the Certificate Publishers security group.

    The Certificate Publishers security group (displayed as Cert Publishers in Active Directory Users and Computers) contains each CA's computer account and is the group the CA uses when publishing issued certificates to Active Directory® Domain Services (AD DS), for example to a user's userCertificate attribute. If this group is removed, the CA may not publish certificates to AD DS correctly. Do not delete the group, and do not change its membership other than to add CA computer accounts as described in the next item.

  • Add the CA computer accounts to every Certificate Publishers group.

    The Certificate Publishers group is a domain local group that exists in every domain in the forest. In each domain, all CA computer accounts should be added to the Certificate Publishers group.

  • Do not exceed the certificate lifetime of the issuing CA.

    The validity period of any certificate is bounded by the validity period of the CA certificate that signs it. All certificates, including the CA certificate, have an expiration date after which they are no longer valid, and a certificate that outlived its issuer would violate certificate chaining rules, because a chain is only valid while every certificate in it is valid. A CA therefore continues to issue certificates until its own certificate expires, but if a certificate template specifies a validity period longer than the time remaining on the CA certificate, the validity period of the issued certificate is truncated to the time left on the CA certificate. In practice, compare the remaining lifetime of each issuing CA certificate with the validity and renewal periods of the templates it issues: truncated certificates all expire together with the CA certificate, which can cause a burst of renewals, so renew the CA certificate well before that point.

  • Plan certificate templates before deployment.

    Certificates can be issued to subjects in many ways, including manual enrollment, autoenrollment, and Web enrollment. In addition, there are many certificate strategies, including issuing one all-inclusive certificate to all subjects and issuing several application-specific certificates to subjects as needed. Because there are so many options, planning should be done well in advance of certificate deployment.

  • Upgrade the Active Directory schema to Windows Server® 2003 before upgrading CAs from Microsoft Windows® 2000 Server.

    A Windows 2000 Server domain must be upgraded to the Windows Server 2003 schema to support certain features of the enterprise CA, including version 2 and 3 certificate templates, delta certificate revocation lists (CRLs), and key archival and recovery.

  • Duplicate new templates from existing templates closest in function to the intended template.

    New certificate templates are duplicated from existing templates. Many settings are copied from the original template. Because of this, duplicating one template to another of a totally different type may carry over some unintended settings. When duplicating a template, examine the subject type of the original template and ensure that you duplicate one that has a similar function to that of the intended template. Although most settings for certificate templates can be edited once the template is duplicated, the subject type cannot be changed.

  • Determine publication points for certificate templates.

    Determine which CAs will issue specific certificate templates based on both the administration model implemented by the organization and the usage of the certificate template. For example, if the administration model is a project-based management model, it would be appropriate to only assign the certificate template to CAs associated with the project. However, if the certificate template is widely used throughout the organization, it may be appropriate to have all CAs issue the certificate template to provide fault tolerance if a CA is unavailable.

  • Minimize the number of issued certificates.

    Consider using multipurpose certificates that can be used for more than one function rather than issuing separate certificates for each function. This reduces the number of issued certificates and reduces the complexity when a user must select which certificate to present to an application. Weigh this against the blast radius of a single key: a multipurpose certificate that is compromised or must be revoked affects every function it served, so keep high-value uses such as smart card logon or key recovery agent on their own templates.
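The following PowerShell script is an added example and is not part of the original page. It checks two of the practices listed above across the whole forest: that every CA's computer account is a member of the Cert Publishers group in every domain, and that no template a CA issues has a validity period longer than the time left on that CA's certificate (the truncation case described above). CAs are discovered from the pKIEnrollmentService objects under CN=Enrollment Services in the Configuration naming context, which carry each CA's host name, CA certificate, and list of issued templates. The script assumes the group can be found by its built-in sAMAccountName, Cert Publishers, and that pKIExpirationPeriod is stored as a negative interval in 100 ns units; it needs only Read on the Configuration naming context.

```powershell
# Added example, not part of the original page. Checks two deployment practices:
#   (1) every CA computer account is in the Cert Publishers group of every domain;
#   (2) no template a CA issues has a validity longer than the CA certificate's
#       remaining lifetime (otherwise issued certificates are truncated).
# Assumption: the group's sAMAccountName is the built-in 'Cert Publishers'.

function Get-TemplateValidityDays {
    param([string]$TemplateName, [string]$ConfigNc)
    try {
        $t = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNc"
        $bytes = [byte[]]$t.Properties['pKIExpirationPeriod'].Value
        if (-not $bytes) { return $null }
        # pKIExpirationPeriod is a negative interval in 100 ns units (little-endian)
        $ticks = [BitConverter]::ToInt64($bytes, 0)
        return (-$ticks) / 864000000000      # 100 ns ticks per day
    } catch { return $null }                 # template listed on the CA but missing from AD DS
}

function Test-CADeploymentPractices {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = [string]$rootDse.configurationNamingContext
    $services = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $findings = @()

    foreach ($ca in $services.Children) {
        $caName = [string]$ca.Properties['cn'].Value
        $caHost = [string]$ca.Properties['dNSHostName'].Value

        # cACertificate may hold several values after a CA renewal; use the newest
        $caCert = $null
        foreach ($der in $ca.Properties['cACertificate']) {
            $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
            if (-not $caCert -or $c.NotAfter -gt $caCert.NotAfter) { $caCert = $c }
        }
        $daysLeft = ($caCert.NotAfter - (Get-Date)).TotalDays

        # (2) template validity versus remaining CA certificate lifetime
        foreach ($tpl in $ca.Properties['certificateTemplates']) {
            $days = Get-TemplateValidityDays -TemplateName ([string]$tpl) -ConfigNc $configNc
            if ($days -and $days -gt $daysLeft) {
                $findings += ("CA '{0}': template '{1}' validity {2:N0} days exceeds {3:N0} days left on the CA certificate" -f $caName, $tpl, $days, $daysLeft)
            }
        }

        # (1) Cert Publishers membership in every domain of the forest
        $gc = New-Object System.DirectoryServices.DirectorySearcher
        $gc.SearchRoot = [ADSI]"GC://$([string]$rootDse.rootDomainNamingContext)"
        $gc.Filter = "(&(objectClass=computer)(dNSHostName=$caHost))"
        $computer = $gc.FindOne()
        if (-not $computer) { $findings += "CA '$caName': no computer account found for host $caHost"; continue }
        $computerDn = [string]$computer.Properties['distinguishedname'][0]

        foreach ($domain in $forest.Domains) {
            $ds = New-Object System.DirectoryServices.DirectorySearcher
            $ds.SearchRoot = $domain.GetDirectoryEntry()
            $ds.Filter = '(&(objectClass=group)(sAMAccountName=Cert Publishers))'
            [void]$ds.PropertiesToLoad.Add('member')
            $grp = $ds.FindOne()
            if (-not $grp) { $findings += "Domain $($domain.Name): Cert Publishers group not found"; continue }
            $members = @()
            foreach ($m in $grp.Properties['member']) { $members += [string]$m }
            if ($members -notcontains $computerDn) {
                $findings += "Domain $($domain.Name): Cert Publishers does not contain $computerDn"
            }
        }
    }
    return $findings
}

$findings = Test-CADeploymentPractices
if ($findings) { $findings } else { 'No findings' }
```

Run it from any domain-joined host; each finding names the CA or domain concerned. A template flagged under check (2) is not broken, but certificates issued from it will expire with the CA certificate rather than after the template's full validity period, which is usually a sign that the CA certificate renewal is overdue.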

Publishing Certificate Templates

Once a certificate template has been created in the Certificate Templates snap-in and has replicated to all domain controllers in the forest, it can be published for deployment. The main decision when publishing a certificate template is which CA or CAs will issue certificates based on it.

Note

Remember that version 2 and 3 certificate templates can only be issued by enterprise CAs running on Windows Server 2008 Enterprise, Windows Server 2008 Datacenter, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition.

An enterprise CA can only issue certificates based on certificate templates that exist in the Certificate Templates container in the Certification Authority snap-in shown in the following figure.

Permission Design

Certificate templates are published to the Configuration naming context, which is stored on every domain controller in the forest in the path: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.

Each certificate template exists as an object in the Configuration naming context and has an associated discretionary access control list (DACL), which defines the specific operations a security principal can perform with the certificate template (for example Read, Enroll, Autoenroll, Write, and Full Control).

Use the following recommendations for permissions assignments:

  • Assign permissions only to global groups or to universal groups. It is not recommended to assign permissions to domain local groups. Domain local groups are only recognized in the domain where they exist, and assigning permissions to them can result in inconsistent application of permissions. You should not assign permissions directly to an individual user or computer account.

  • To enable autoenrollment, a user or computer must belong to domain groups that are granted Read, Enroll, and Autoenroll permissions.

  • To enable enrollment through the Certificates snap-in, Web-based enrollment, or automatic renewal, assign Read and Enroll permissions to global or universal groups.

  • For certificate renewal, a user or computer must belong to a domain security group with Read and Enroll permissions. This is true whether the certificate is manually renewed or the renewal is implemented by using autoenrollment.

  • Restrict Write and Full Control permissions to the CA managers, because anyone who can write a template object can change what the CA will issue from it (for example the subject name source, the extended key usages, the issuance requirements, and which groups can enroll). Audit these rights periodically, including rights inherited from the Certificate Templates container.

Autoenrollment Considerations

Autoenrollment allows a CA administrator to configure users and computers to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The autoenrollment process can be configured to function as a background task that does not require any user input.

To properly configure subject autoenrollment, the administrator must plan the configuration of the certificate template that will use autoenrollment. Several settings in the certificate template directly affect the behavior of subject autoenrollment, as follows:

  • Require user input for autoenrollment.

    On the Request Handling tab of the desired certificate template, the Require user input for auto-enrollment check box changes the behavior of autoenrollment. When this check box is selected, subjects are prompted for any necessary information for obtaining or renewing a certificate. When this check box is cleared, autoenrollment operates without any notice to the subject.

Note

Because smart cards must prompt the user for their personal identification number (PIN), this check box must be selected when a smart card cryptographic service provider (CSP) is selected.

  • Limit the number of CSPs for an autoenrollment certificate template.

    If more than one smart card provider—either CryptoAPI or Cryptography Next Generation (CNG)—is selected on the Request Handling or Cryptography tab, more than one dialog box might appear when a Windows XP or Windows Vista® client computer retrieves the autoenrolled certificate and begins to install it on the smart card. Only one provider should be selected from this list for each template.

  • Do not enable subject creation based on request information.

    If the Supply in the request option is enabled on the Subject Name tab, autoenrollment is disabled. Autoenrollment has no way to build the subject name, because this option leaves the subject name to be entered interactively by the requester. Note also that with this option the requester, not the CA, chooses the name that appears in the certificate, so review who holds Enroll permission on any template that uses it.

  • Do not require more than one authorized signature for issuance.

    Configuring more than one authorized signature in the Issuance Requirements tab of the desired certificate template disables subject autoenrollment based on this template. If the authorized signatures value is set to 1, the requester must sign the request with a private key from a valid certificate in the requester's certificate store. This certificate must contain the application policy, issuance policies, or both, specified in the Application policy and Issuance policies lists on the same tab. If an appropriate certificate exists in the requester's certificate store, autoenrollment signs the request with this certificate's private key and will obtain and install the requested certificate automatically. For example, to increase the security for Encrypting File System (EFS) certificate distribution, you can create a version 2 or 3 certificate template that requires the Smart Card Logon object identifier (1.3.6.1.4.1.311.20.2.2) in the signing certificate's application policy.

    On the Issuance Requirements tab of the desired certificate template, the Valid existing certificate option may affect subject autoenrollment. If this option is selected, the subject does not need to meet issuance requirements when renewing a valid certificate. Subjects who may have been unable to autoenroll for the initial certificate may be able to use autoenrollment to renew that certificate. For example, a user whose distinguished name has changed may still autoenroll a certificate based on an existing valid certificate, rather than on the user's new credentials.

Note

For more information about template properties see Administering Certificate Templates.

For more information about configuring autoenrollment, see Certificate Autoenrollment in Windows Server 2003 (https://go.microsoft.com/fwlink/?LinkId=115032).
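The following PowerShell script is an added example and is not part of the original page. It audits, for every certificate template object in the Configuration naming context, the points raised under Permission Design and Autoenrollment Considerations: which principals hold Enroll and Autoenroll, which principals can modify the template (the Write and Full Control class rights that should be limited to CA managers), whether the subject name is supplied in the request, and how many authorized signatures are required. It assumes the well-known control-access-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment, and that bit 1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT; it needs only Read on the Configuration naming context and uses System.DirectoryServices directly, so no RSAT module is required.

```powershell
# Added example, not part of the original page. Audits the DACL and the
# autoenrollment-relevant settings of every certificate template object.
# Assumptions: the GUIDs below are the schema values for Certificate-Enrollment
# and Certificate-AutoEnrollment; msPKI-Certificate-Name-Flag bit 1 is
# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT; msPKI-RA-Signature is the signature count.

$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$SuppliesSubject = 1
$Rights    = [System.DirectoryServices.ActiveDirectoryRights]
$AllRights = [int]$Rights::GenericAll
$WriteMask = [int]($Rights::GenericWrite -bor $Rights::WriteDacl -bor $Rights::WriteOwner -bor $Rights::WriteProperty)

function Resolve-Identity {
    param([System.Security.Principal.IdentityReference]$Id)
    try { return $Id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Id.Value }   # orphaned SID: report it as S-1-5-...
}

function Get-CertificateTemplateAudit {
    $configNc  = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

    foreach ($template in $container.Children) {
        $enroll = @(); $autoenroll = @(); $modify = @()
        # include inherited ACEs: rights granted on the container apply to every template
        $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $who   = Resolve-Identity $ace.IdentityReference
            $mask  = [int]$ace.ActiveDirectoryRights
            $isAll = ($mask -band $AllRights) -eq $AllRights
            $isExt = ($mask -band [int]$Rights::ExtendedRight) -ne 0
            # An ExtendedRight ACE with an empty ObjectType grants every extended right, Enroll included
            $allExt = $isExt -and ($ace.ObjectType -eq [Guid]::Empty)
            if ($isAll -or $allExt -or ($isExt -and $ace.ObjectType -eq $EnrollRight))     { $enroll     += $who }
            if ($isAll -or $allExt -or ($isExt -and $ace.ObjectType -eq $AutoEnrollRight)) { $autoenroll += $who }
            if ($isAll -or (($mask -band $WriteMask) -ne 0))                               { $modify     += $who }
        }
        $nameFlags = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
        New-Object PSObject -Property @{
            Template           = [string]$template.Properties['cn'].Value
            SubjectFromRequest = (($nameFlags -band $SuppliesSubject) -ne 0)
            AuthorizedSigs     = [int]$template.Properties['msPKI-RA-Signature'].Value
            Enroll             = (($enroll     | Sort-Object -Unique) -join '; ')
            Autoenroll         = (($autoenroll | Sort-Object -Unique) -join '; ')
            CanModify          = (($modify     | Sort-Object -Unique) -join '; ')
        }
    }
}

$audit = Get-CertificateTemplateAudit
$audit | Format-Table Template, SubjectFromRequest, AuthorizedSigs, Enroll, Autoenroll, CanModify -AutoSize
# Templates worth a second look: the requester chooses the subject name and some group can enroll
$audit | Where-Object { $_.SubjectFromRequest -and $_.Enroll } | Format-List Template, Enroll, CanModify
```

Read the CanModify column against the list of intended CA managers; Enterprise Admins and the forest root Domain Admins will normally appear there through inheritance, and any other entry is a candidate for removal. Templates with AuthorizedSigs greater than 1 will never autoenroll, and templates with SubjectFromRequest set will not autoenroll either, so both columns also explain why an expected autoenrollment is not happening.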

Configuring Permissions for a Certificate Template

This section provides the procedures for defining permissions for specific certificate templates and delegating permission for the management of certificate templates.

Note

To perform the following procedures, you must be logged on as a member of the Enterprise Admins group, a member of the forest root domain's Domain Admins group, or as a user who has been granted permission to perform the task.

To define permissions to allow a specific security principal to enroll for certificates based on a certificate template

  1. Open the Certificate Templates snap-in (Certtmpl.msc).

  2. In the details pane, right-click the certificate template you want to change, and then click Properties.

  3. On the Security tab, ensure that Authenticated users is assigned Read permissions.

    This ensures that all authenticated users on the network can see the certificate templates.

  4. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK.

  5. On the Security tab, select the newly added security group, and then assign Allow for the Read and Enroll permissions.

  6. Click OK.

To define permissions to allow a specific security principal to autoenroll for certificates based on a certificate template

  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template you want to change, and then click Properties.

  3. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and then click OK.

  4. On the Security tab, select the newly added security group, and then assign Allow for the Read, Enroll, and Autoenroll permissions.

  5. Click OK.
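The following PowerShell function is an added example and is not part of the original page. It is the scripted equivalent of the two procedures above: it grants Read and Enroll, and optionally Autoenroll, on one certificate template to one group, and refuses domain local groups and non-group principals as the permission design guidance recommends. The template name WebServer and the group CONTOSO\Web Servers in the usage lines are hypothetical; the rights GUIDs are the well-known Certificate-Enrollment and Certificate-AutoEnrollment values. Run it as a member of Enterprise Admins or as a user delegated to manage the template.

```powershell
# Added example, not part of the original page. Grants Read + Enroll
# (+ Autoenroll with -Autoenroll) on a certificate template to a group.
# Assumptions: template and group names in the usage lines are hypothetical;
# the GUIDs are the Certificate-Enrollment / Certificate-AutoEnrollment rights.

function Grant-TemplateEnrollment {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateName,   # cn of the template
        [Parameter(Mandatory=$true)][string]$Group,          # DOMAIN\GroupName
        [switch]$Autoenroll,
        [switch]$WhatIf                                      # print the ACEs without writing them
    )
    $EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $Ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $Read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $Allow = [System.Security.AccessControl.AccessControlType]::Allow

    $rootDse = [ADSI]'LDAP://RootDSE'
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template '$TemplateName' not found in the Configuration naming context"
    }

    # Resolve the principal and make sure it is a global or universal group
    $sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $Group).Translate([System.Security.Principal.SecurityIdentifier])
    $gc = New-Object System.DirectoryServices.DirectorySearcher
    $gc.SearchRoot = [ADSI]"GC://$($rootDse.rootDomainNamingContext)"
    $gc.Filter = "(&(objectClass=group)(objectSid=$($sid.Value)))"
    [void]$gc.PropertiesToLoad.Add('groupType')
    $g = $gc.FindOne()
    if (-not $g) { throw "'$Group' is not a group; do not assign template permissions to users or computers" }
    if (([int]$g.Properties['grouptype'][0]) -band 0x4) {   # ADS_GROUP_TYPE_DOMAIN_LOCAL_GROUP
        throw "'$Group' is a domain local group; use a global or universal group"
    }

    $rules = @()
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $Read, $Allow
    $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $Ext, $Allow, $EnrollRight
    if ($Autoenroll) {
        $rules += New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $Ext, $Allow, $AutoEnrollRight
    }

    $template = [ADSI]$path
    foreach ($r in $rules) {
        $what = if ($r.ObjectType -eq $EnrollRight) { 'Enroll' } elseif ($r.ObjectType -eq $AutoEnrollRight) { 'Autoenroll' } else { 'Read' }
        Write-Host ("Allow {0} {1} on template {2}" -f $Group, $what, $TemplateName)
        if (-not $WhatIf) { $template.ObjectSecurity.AddAccessRule($r) }
    }
    if (-not $WhatIf) { $template.CommitChanges() }
}

# Preview first, then apply (hypothetical names)
Grant-TemplateEnrollment -TemplateName 'WebServer' -Group 'CONTOSO\Web Servers' -WhatIf
# Grant-TemplateEnrollment -TemplateName 'WebServer' -Group 'CONTOSO\Web Servers' -Autoenroll
```

The function leaves the existing Read ACE for Authenticated Users untouched; the first procedure's step 3 still applies and is not repeated here. Because the Enroll and Autoenroll rights are object-specific extended rights, they are written as ExtendedRight ACEs carrying the right's GUID in ObjectType, which is also how they appear when you inspect the DACL with Advanced Security Settings.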

Publishing a Certificate Template

The final task for publishing a certificate template is to select the template you want the CA to issue.

To define which certificate templates are issued by a CA

  1. In Administrative Tools, click Certification Authority.

  2. In the console tree, expand CAName (where CAName is the name of your enterprise CA).

  3. In the console tree, select the Certificate Templates container.

Note

In a Windows 2000 Server–based CA, the container is named Policy Settings.

  4. Right-click Certificate Templates, and then click New, Certificate Template to Issue.

  5. In the Enable Certificate Templates dialog box, select the certificate template or templates that you want the CA to issue, and then click OK.

Note

If a certificate template is not listed in the Enable Certificate Templates dialog box, the CA is either already configured to issue the certificate template, or replication of the certificate template is not completed to all domain controllers in the forest.

The newly selected certificate template or templates will appear in the details pane.

Removing a Certificate Template from a CA

Removing a certificate template from a CA only removes the association between that certificate template and that CA; it does not delete the template from AD DS, and certificates already issued from the template remain valid until they expire or are revoked.

To remove a certificate template from the certificate templates currently issued by a CA

  1. In Administrative Tools, click Certification Authority.

  2. In the console tree, expand CAName (where CAName is the name of your enterprise CA).

  3. In the console tree, select the Certificate Templates container.

Note

In a Windows 2000 Server–based CA, the container is named Policy Settings.

  4. In the details pane, right-click the certificate template you want to remove from the CA, and then click Delete.

  5. In the Disable Certificate Templates dialog box, click Yes.

    The certificate template no longer appears in the details pane.
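The following PowerShell script is an added example and is not part of the original page. It is the command-line equivalent of the publish procedure and the remove procedure above, with a check for the condition described in the note about templates not listed in the Enable Certificate Templates dialog box. It uses certutil -CATemplates to list the templates a CA currently issues and certutil -SetCATemplates with a + or - prefix to add or remove one, which, like the snap-in, changes only the CA's association and leaves the template object in AD DS. The CA configuration string CA01.contoso.com\Contoso Issuing CA and the template WebServer are hypothetical, and the -CATemplates output is parsed on the assumption that each template line starts with the template name followed by a colon.

```powershell
# Added example, not part of the original page. Publish or remove a template
# on a CA with certutil and verify the result against the CA itself.
# Assumptions: CA config string and template name are hypothetical; each
# template line of 'certutil -CATemplates' starts with "<Name>:".

function Get-CAIssuedTemplate {
    param([Parameter(Mandatory=$true)][string]$Config)
    $out = & certutil.exe -config $Config -CATemplates 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -CATemplates failed for $Config`n$($out -join "`n")" }
    foreach ($line in $out) {
        # skip the trailing "CertUtil: ... completed successfully." status line
        if (("$line" -match '^(\S+):') -and ("$line" -notmatch '^CertUtil:')) { $Matches[1] }
    }
}

function Test-TemplateInDirectory {
    param([Parameter(Mandatory=$true)][string]$TemplateName)
    # Proves only that the template exists on the DC this host is bound to;
    # other DCs, and therefore the CA, may not see it until replication completes.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc")
}

function Set-CATemplateIssuance {
    param(
        [Parameter(Mandatory=$true)][string]$Config,         # 'CAHost\CA Name'
        [Parameter(Mandatory=$true)][string]$TemplateName,   # cn of the template
        [ValidateSet('Publish','Remove')][string]$Action = 'Publish'
    )
    $before = @(Get-CAIssuedTemplate -Config $Config)
    if ($Action -eq 'Publish') {
        if ($before -contains $TemplateName) { Write-Warning "$Config already issues $TemplateName"; return }
        if (-not (Test-TemplateInDirectory -TemplateName $TemplateName)) {
            throw "Template '$TemplateName' is not visible in AD DS from this host; check the name or wait for replication"
        }
        $arg = "+$TemplateName"
    } else {
        if ($before -notcontains $TemplateName) { Write-Warning "$Config does not issue $TemplateName"; return }
        $arg = "-$TemplateName"
    }
    $out = & certutil.exe -config $Config -SetCATemplates $arg 2>&1
    if ($LASTEXITCODE -ne 0) { throw "certutil -SetCATemplates $arg failed`n$($out -join "`n")" }

    # Verify against the CA rather than trusting the exit code alone
    $after  = @(Get-CAIssuedTemplate -Config $Config)
    $issued = $after -contains $TemplateName
    if (($Action -eq 'Publish') -ne $issued) { throw "CA template list did not change as expected" }
    "$Action of '$TemplateName' on $Config verified. Issued templates: $($after -join ', ')"
}

# Hypothetical CA and template; the second call undoes the first
Set-CATemplateIssuance -Config 'CA01.contoso.com\Contoso Issuing CA' -TemplateName 'WebServer' -Action Publish
Set-CATemplateIssuance -Config 'CA01.contoso.com\Contoso Issuing CA' -TemplateName 'WebServer' -Action Remove
```

Run it on the CA or on a host that can reach the CA's RPC interface as a CA administrator. Because the publish path checks the template object only on the domain controller the script is bound to, a template that passes that check can still be rejected by the CA if the CA's domain controller has not received it yet; in that case rerun after replication rather than recreating the template.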