Certificate Template Overview
Applies To: Windows Server 2003 with SP1
Windows 2000 introduced certificate templates, which define the format and content of a certificate. Windows 2000 Enterprise CAs use certificate templates to define which certificates they can issue. Each certificate template has a discretionary access control list (DACL) that defines which security principals have permission to read, enroll for, and configure the template. Enterprise CAs are integrated into Active Directory: the certificate templates and the DACLs on the certificate template objects are stored in Active Directory and are valid forest-wide, so if more than one Enterprise CA is running in the forest, a permission change on a template affects all of them.
The certificate templates used by Windows 2000 Enterprise CAs are known as version 1 certificate templates. Windows 2000 shipped with a number of predefined version 1 certificate templates, but modification of these default certificate templates is not allowed. The only modification that is enabled is the changing of permissions to allow enrollment of the certificate template. The version 1 certificate templates are created by default when an Enterprise CA is installed.
Windows Server 2003 extends certificate templates by introducing version 2 templates. Version 2 templates allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration and more can be added as necessary. This allows complete configuration flexibility for administrators. Alternatively, a version 1 certificate template can be duplicated, resulting in a version 2 certificate template that can be modified and secured separately.
Note
Similar to Windows 2000, Windows Server 2003, Standard Edition supports only version 1 templates. Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition support both version 1 and version 2 templates. Certificates based on version 2 templates can only be issued by an Enterprise CA running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.
When a certificate template is defined, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration,DC=ForestRootName). The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available at all CAs until replication is completed. This storage and replication is accomplished automatically by Windows Server 2003 family computers.
Requirements
To set up a Windows Server 2003 CA, the Active Directory schema must be upgraded to the Windows Server 2003 schema. You cannot install a Windows Server 2003 CA into a Windows 2000-based schema.
The schema is updated to the Windows Server 2003 schema by running ADPREP /Forestprep at a Windows 2000 domain controller with the Windows Server 2003 CD-ROM in the CD-ROM drive.
Upgrading from Version 1 to Version 2 Certificate Templates
When you install a Windows Server 2003 CA into a Windows Server 2003-based Active Directory, the existing certificate templates are updated during the installation. The update changes the default settings of the Windows 2000 version 1 certificate templates to more secure defaults. If a Windows Server 2003, Enterprise Edition CA is installed, several version 2 certificate templates are created in addition.
The upgrade process of an Enterprise CA must be performed by an account that is a member of the forest root Domain Admins group and the Enterprise Admins universal group. This is because the upgrade makes modifications to the Configuration naming context in Active Directory. Specifically, the account performing the upgrade must have the following permissions through group memberships (these are the default permissions):
Full Control permissions over the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container
Full Control permissions over the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container
Full Control permissions for each certificate template object in the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container
Note
Delegation over the Certificate Templates container will have no effect on individual certificate templates. In other words, the ACL on certificate templates is not inherited from the ACL on the container.
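Because a template's DACL decides who can read, enroll for, and reconfigure it, and because nothing is inherited from the Certificate Templates container, an audit has to read each template object's own security descriptor. The following is an added example (not code from the page or from Microsoft) that parses template descriptors in SDDL form and reports which broad groups can enroll for, or modify, each template. The SDDL strings, the template names, and the DC=corp,DC=example forest are constructed for the example; the two extended-right GUIDs are the schema's Certificate-Enrollment and Certificate-AutoEnrollment control-access rights.

```python
"""Audit who can enroll for, or reconfigure, each certificate template.

Added example, not from the page. The SDDL strings below are constructed to look
like the nTSecurityDescriptor of objects under CN=Certificate Templates,CN=Public Key
Services,CN=Services,CN=Configuration,... (as dsacls or an LDAP client would show
them); they are not taken from a real forest.
"""
import re

# Extended-right GUIDs defined in the Active Directory schema.
ENROLL_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"       # Certificate-Enrollment
AUTOENROLL_GUID = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"   # Certificate-AutoEnrollment

# Well-known SDDL SID abbreviations used in the samples; other SIDs are kept verbatim.
SID_NAMES = {"AU": "Authenticated Users", "DU": "Domain Users", "WD": "Everyone",
             "EA": "Enterprise Admins", "DA": "Domain Admins", "SY": "SYSTEM"}

# Principals that should only ever hold Read on a sensitive template.
BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users", "Everyone"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # "D:PAI(...)(...)", stops before any "S:" SACL
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL as a list of (ace_type, flags, rights_tokens, object_guid, principal)."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = fields[:6]
        # Access-mask letters are two-character tokens ("LCRPLORC" = LC RP LO RC);
        # splitting them this way avoids false matches across token boundaries.
        tokens = {rights[i:i + 2].upper() for i in range(0, len(rights), 2)}
        aces.append((ace_type, flags, tokens, obj_guid.lower(), SID_NAMES.get(sid, sid)))
    return aces


def rights_from_ace(tokens, obj_guid):
    """Map an ACE's access-mask tokens and object GUID to template-level rights."""
    if "GA" in tokens:                        # GENERIC_ALL
        return {"Read", "Write", "Enroll", "AutoEnroll"}
    granted = set()
    if tokens & {"GR", "RP", "LC", "RC"}:
        granted.add("Read")
    if tokens & {"GW", "WP", "WD", "WO"}:     # write property / DACL / owner: can reconfigure
        granted.add("Write")
    if "CR" in tokens:                        # control-access (extended) right
        if obj_guid in ("", ENROLL_GUID):     # an empty GUID means all extended rights
            granted.add("Enroll")
        if obj_guid in ("", AUTOENROLL_GUID):
            granted.add("AutoEnroll")
    return granted


def effective_rights(sddl):
    """Per-principal rights on one object; a deny ACE removes the matching allow."""
    allowed, denied = {}, {}
    for ace_type, _flags, tokens, obj_guid, principal in parse_dacl(sddl):
        bucket = allowed if ace_type in ("A", "OA") else denied
        bucket.setdefault(principal, set()).update(rights_from_ace(tokens, obj_guid))
    result = {}
    for principal, rights in allowed.items():
        remaining = rights - denied.get(principal, set())
        if remaining:
            result[principal] = remaining
    return result


def audit_templates(templates):
    """Report broad principals that can enroll for, or edit, each template.

    Only each template's own descriptor is examined: template objects do not inherit
    ACEs from the Certificate Templates container, so a delegation made there (even
    with the CI inherit flag) neither grants nor revokes anything on a template.
    """
    findings = {}
    for name, sddl in templates.items():
        for principal, rights in effective_rights(sddl).items():
            if principal in BROAD_PRINCIPALS and rights & {"Enroll", "AutoEnroll", "Write"}:
                findings.setdefault(name, {})[principal] = sorted(rights)
    return findings


ADMIN_FULL = "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
AUTH_USERS_READ = "(A;;LCRPLORC;;;AU)"

# Constructed sample descriptors (not from a real forest).
TEMPLATE_SDDL = {
    # Default-style User template: Domain Users may enroll and autoenroll.
    "User": "O:EAG:EAD:PAI" + ADMIN_FULL
            + "(OA;;CR;" + ENROLL_GUID + ";;DU)(OA;;CR;" + AUTOENROLL_GUID + ";;DU)" + AUTH_USERS_READ,
    # Sensitive template: only Enterprise Admins may enroll.
    "KeyRecoveryAgent": "O:EAG:EAD:PAI" + ADMIN_FULL + "(OA;;CR;" + ENROLL_GUID + ";;EA)" + AUTH_USERS_READ,
    # Misconfigured duplicate: Authenticated Users were given Full Control.
    "WebServerCopy": "O:EAG:EAD:PAI" + ADMIN_FULL + "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)",
    # An explicit deny on Enroll cancels the allow for the same group.
    "DeniedCopy": "O:EAG:EAD:PAI" + ADMIN_FULL
                  + "(OD;;CR;" + ENROLL_GUID + ";;DU)(OA;;CR;" + ENROLL_GUID + ";;DU)" + AUTH_USERS_READ,
}

if __name__ == "__main__":
    for template, hits in audit_templates(TEMPLATE_SDDL).items():
        print(template, hits)
```

Domain Users enrolling for the User template is the default and is reported for review rather than as a fault; Authenticated Users holding Write on a duplicated template is the kind of finding that matters, because a principal that can reconfigure a template can change what every Enterprise CA in the forest will issue from it.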
To upgrade the certificate templates, perform the following procedure after the upgrade for a Certification Authority to Windows Server 2003 or the installation of a new Windows Server 2003 CA on the network:
Upgrade to the Windows Server 2003 schema.
Log on as a user account that is a member of the forest root Domain Admins group and the Enterprise Admins group.
At a Windows Server 2003 CA (the CA can be running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition, configured as either a member server or a domain controller), run the Certificate Templates MMC console (certtmpl.msc).
Note
Alternatively, the Certificate Templates MMC console can be run from a Windows XP Professional computer with the Windows Server 2003 Administration Pack (Adminpak.msi) installed. The same permissions apply as noted previously.
When prompted to write new certificate templates, click OK.
To verify that the upgrade is successful, open the Certificate Templates MMC console and confirm that there are 29 certificate templates, each showing a version number in the Version column in the form major.minor (for example, 100.2). Version 1 certificate templates use a single-digit major version number; for example, the Administrator certificate template is version 3.1. Version 2 certificate templates use a three-digit major version number; for example, the Key Recovery Agent certificate template is version 105.0.
Note
An upgrade of the certificate templates is performed automatically when a new Windows Server 2003 CA is installed in the forest; you can still verify that the update has taken place, but no manual step is required. If a Windows 2000 CA is upgraded to Windows Server 2003, the template upgrade is not performed automatically and is only performed when the Certificate Templates MMC snap-in is opened for the first time.
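The verification step above can also be done offline from an export of the Certificate Templates container, which is useful when several CAs are being checked or when you want to know whether an upgraded Windows 2000 CA's templates have actually been rewritten yet. The following is an added example (not code from the page or from Microsoft). It reads an LDIF file of the kind `ldifde -f templates.ldf -p OneLevel -l cn,revision,msPKI-Minor-Revision,msPKI-Template-Schema-Version -d "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example"` produces, rebuilds the Version column from the `revision` and `msPKI-Minor-Revision` attributes, classifies each template by `msPKI-Template-Schema-Version`, and applies the checks from the procedure (template count, version format, storage location). The forest name, the sample entries and their values are constructed; a template that lacks the `msPKI-*` attributes is reported as still carrying its Windows 2000 definition.

```python
"""Check the template upgrade from an ldifde export of the Certificate Templates container.

Added example, not part of the original page. SAMPLE_LDIF is constructed (forest name
and values assumed) to resemble ldifde output; it holds four entries, so pass
expected_count=4 when running it against the sample.
"""
import base64

EXPECTED_TEMPLATE_COUNT = 29     # what the procedure above says a completed upgrade leaves behind
CONTAINER_RDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,"

SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
changetype: add
cn:: QWRtaW5pc3RyYXRvcg==
revision: 3
msPKI-Minor-Revision: 1
msPKI-Template-Schema-Version: 1

dn: CN=KeyRecoveryAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,
 CN=Configuration,DC=corp,DC=example
changetype: add
cn: KeyRecoveryAgent
revision: 105
msPKI-Minor-Revision: 0
msPKI-Template-Schema-Version: 2

dn: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
changetype: add
cn: User
revision: 2
msPKI-Minor-Revision: 1
msPKI-Template-Schema-Version: 1

dn: CN=EFSRecovery,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=example
changetype: add
cn: EFSRecovery
revision: 6
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    base64 '::' values, returns one dict per entry keyed by lower-cased attribute."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        if ":: " in line:
            attr, raw = line.split(":: ", 1)
            value = base64.b64decode(raw).decode("utf-8")
        elif ": " in line:
            attr, value = line.split(": ", 1)
        else:
            continue
        current.setdefault(attr.lower(), []).append(value)
    return entries


def classify(entry):
    """Return (name, version, kind) with kind in {'v1', 'v2', 'not-upgraded'}.

    revision.msPKI-Minor-Revision is the Version shown in certtmpl.msc and
    msPKI-Template-Schema-Version is 1 or 2; a template without the msPKI-*
    attributes still carries its Windows 2000 definition.
    """
    name = entry["cn"][0]
    major = entry.get("revision", ["0"])[0]
    minor = entry.get("mspki-minor-revision")
    schema = entry.get("mspki-template-schema-version")
    if minor is None or schema is None:
        return name, major, "not-upgraded"
    return name, f"{major}.{minor[0]}", "v2" if schema[0] == "2" else "v1"


def check_upgrade(ldif_text, expected_count=EXPECTED_TEMPLATE_COUNT):
    """Apply the procedure's checks: template count, version format, storage location."""
    entries = [e for e in parse_ldif(ldif_text) if "cn" in e]
    report = {"count_ok": len(entries) == expected_count, "templates": {}, "problems": []}
    for entry in entries:
        name, version, kind = classify(entry)
        report["templates"][name] = (version, kind)
        if CONTAINER_RDN.lower() not in entry["dn"][0].lower():
            report["problems"].append(f"{name}: not stored in the Certificate Templates container")
        major = int(version.split(".")[0])
        if kind == "not-upgraded":
            report["problems"].append(f"{name}: msPKI-* attributes missing, template not upgraded")
        elif kind == "v2" and major < 100:
            report["problems"].append(f"{name}: version 2 template but major revision {major} is not three digits")
        elif kind == "v1" and major >= 100:
            report["problems"].append(f"{name}: version 1 template with a three-digit major revision {major}")
    return report


if __name__ == "__main__":
    result = check_upgrade(SAMPLE_LDIF, expected_count=4)
    for name, (version, kind) in sorted(result["templates"].items()):
        print(f"{name:20} {version:>7}  {kind}")
    print("count ok:", result["count_ok"], "| problems:", result["problems"])
```

Against a real export, leave `expected_count` at 29 for a forest that has only the default templates, or raise it by the number of duplicated templates you have added; an entry flagged as not upgraded on an upgraded Windows 2000 CA means certtmpl.msc has not yet been opened and the "write new certificate templates" step has not run.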
Default Templates
Once the upgrade to Windows Server 2003 certificate templates is completed, the following preconfigured certificate templates are listed in the Certificate Templates MMC console.
| Name | Description | Key Usage | Subject Type | Published to AD | Template Version |
|---|---|---|---|---|---|
| Administrator | Allows trust list signing and user authentication | Signature and encryption | User | Yes | |
| Authenticated Session | Subject can authenticate to a Web server | Signature | User | No | |
| Basic EFS | Used by Encrypting File System (EFS) to encrypt data | Encryption | User | Yes | |
| CA Exchange | Used to encrypt private keys sent to the CA for private key archival | Encryption | Computer | No | |
| CEP Encryption | Allows the holder to act as a registration authority (RA) for Simple Certificate Enrollment Protocol (SCEP) requests | Encryption | Computer | No | |
| Code Signing | Used to digitally sign software | Signature | User | No | |
| Computer | Allows a computer to authenticate itself on the network | Signature and encryption | Computer | No | |
| Cross-Certification Authority | Used in cross-certification and qualified subordination | Signature | CrossCA | Yes | |
| Directory E-mail Replication | Used by domain controllers for Active Directory replication over SMTP (e-mail) | Signature and encryption | DirEmailRep | Yes | |
| Domain Controller | All-purpose certificate held by domain controllers | Signature and encryption | DirEmailRep | Yes | |
| Domain Controller Authentication | Used to authenticate Active Directory computers and users | Signature and encryption | Computer | No | |
| EFS Recovery Agent | Allows the subject to decrypt files previously encrypted with EFS | Encryption | User | No | |
| Enrollment Agent | Used to request certificates on behalf of another subject | Signature | User | No | |
| Enrollment Agent (Computer) | Used to request certificates on behalf of another computer subject | Signature | Computer | No | |
| Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request | Signature | User | No | |
| Exchange Signature Only | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail | Signature | User | No | |
| Exchange User | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail | Encryption | User | Yes | |
| IPSEC | Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication | Signature and encryption | Computer | No | |
| IPSEC (Offline request) | Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request | Signature and encryption | Computer | No | |
| Key Recovery Agent | Allows the holder to recover private keys archived on the certification authority | Encryption | KRA | Yes | |
| Root Certification Authority | Used to prove the identity of the root certification authority | Signature | CA | Yes | |
| Router (Offline request) | Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate | Signature and encryption | Computer | No | 3.1 |
| Smartcard Logon | Allows the holder to authenticate using a smart card | Signature and encryption | User | No | 5.1 |
| Smartcard User | Allows the holder to authenticate and protect e-mail using a smart card | Signature and encryption | User | Yes | 9.1 |
| Subordinate Certification Authority | Used to prove the identity of a subordinate certification authority; issued by the parent or root certification authority | Signature | CA | Yes | 4.1 |
| Trust List Signing | Allows the holder to digitally sign a certificate trust list | Signature | User | No | 2.1 |
| User | Certificate to be used by users for e-mail, EFS, and client authentication | Signature and encryption | User | Yes | 2.1 |
| User Signature Only | Allows users to digitally sign data | Signature | User | No | 3.1 |
| Web Server | Proves the identity of a Web server | Signature and encryption | Computer | No | 3.1 |