Certificate Templates Appendixes

Applies To: Windows Server 2008

This document includes the following appendixes:

Wireless Certificates

Certificate Templates Schema

References

Wireless Certificates

Windows® XP introduced native support for 802.1X and wireless networks. To enable strong security, both users and computers need authentication certificates to authenticate to a RADIUS authorization point. Microsoft Windows 2000 Server–based certification authorities (CAs) support the 802.1X certificate requirements for computers with the version 1 Computer certificate template, and for users with any certificate template that contains the Client Authentication enhanced key usage. If version 2 or 3 templates are used for computer autoenrollment, the certificate template must be configured properly: when the Computer template is cloned to a new template, the administrator must ensure that the DNS name is included in the subject name of the certificate. Windows XP and Windows Vista® wireless client computers require the DNS name of the computer to be contained in the subject for proper usage and authentication to the RADIUS server.

Important

If the DNS fully qualified domain name (FQDN) is longer than 64 characters, the name will be truncated during certificate enrollment and the name will not be valid for wireless authentication.

For more information, see Wireless Networking in Windows Vista (https://go.microsoft.com/fwlink/?LinkID=89054).

Certificate Templates Schema

The Certificate Templates container contains the certificate templates that are defined within an Active Directory® forest. Each certificate template is a member of the class pKICertificate. Each certificate template is managed by using the Certificate Templates snap-in and is stored in the following location in the Configuration naming context: CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.

Version 1 Certificate Template Attributes

The following version 1 certificate template attributes are defined in the Active Directory schema.

Attribute               Description
Cn                      Common name of the certificate type
distinguishedName       Distinguished name of the certificate type
displayName             Display name of a certificate type
pKIExtendedKeyUsage     Array of extended key usage object identifiers
pKIDefaultCSPs          Default cryptographic service provider (CSP) list; DWORD value, CSP name
pKICriticalExtensions   List of critical extensions
revision                Major version of the template
templateDescription     Obsolete attribute
flags                   General enrollment flags
pKIDefaultKeySpec       Specification of the default key length and construct
NTSecurityDescriptor    Security descriptor name
pKIKeyUsage             Key usage extension
pKIMaxIssuingDepth      Basic constraints; DWORD value
pKIExpirationPeriod     Validity period; negative FILETIME value
pKIOverlapPeriod        Renewal period; negative FILETIME value

Versions 2 and 3 Certificate Template Attributes

The following certificate template attributes defined in the Active Directory schema are applicable to template versions 2 and 3.

Attribute                               Description
msPKI-Template-Schema-Version           Schema version of the template
msPKI-Template-Minor-Revision           Minor version of the template
msPKI-RA-Signature                      Number of registration authority signatures required on a request referencing this template
msPKI-Minimal-Key-Size                  Minimal key size required
msPKI-Template-Cert-Template-OID        Object identifier of this template
msPKI-Supersede-Templates               Name of the template that this template supersedes
msPKI-RA-Policies                       Object identifiers required for the registration authority issuer policy
msPKI-RA-Application-Policies           Object identifiers required for the registration authority application policy
msPKI-Certificate-Policy                Certificate issuer policy object identifiers that the policy module places in the OID_CERT_POLICIES extension
msPKI-Certificate-Application-Policy    Certificate application policy object identifiers
msPKI-Enrollment-Flag                   Enrollment flags
msPKI-Private-Key-Flag                  Private key flags
msPKI-Certificate-Name-Flag             Subject name flags

Flags

The following enrollment flags are defined in the Active Directory schema.

CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS (0x00000001)
    Include the Secure/Multipurpose Internet Mail Extensions (S/MIME) symmetric algorithms in the requests.

CT_FLAG_PEND_ALL_REQUESTS (0x00000002)
    All certificate requests are set to pending.

CT_FLAG_PUBLISH_TO_KRA_CONTAINER (0x00000004)
    Publish the certificate to the KRA container in Active Directory Domain Services (AD DS).

CT_FLAG_PUBLISH_TO_DS (0x00000008)
    Publish the resultant certificate to the userCertificate property on the user object in AD DS.

CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE (0x00000010)
    The autoenrollment client computer will not enroll for a new certificate if the user has a certificate previously published to the userCertificate property in AD DS with the same template name.

CT_FLAG_AUTO_ENROLLMENT (0x00000020)
    This certificate is appropriate for autoenrollment.

CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT (0x00000040)
    A previously issued certificate will validate subsequent enrollment requests.

CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED (0x00000080)
    This flag is obsolete.

CT_FLAG_USER_INTERACTION_REQUIRED (0x00000100)
    User interaction is required to enroll by using autoenrollment.

CT_FLAG_ADD_TEMPLATE_NAME (0x00000200)
    This flag is obsolete.

CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE (0x00000400)
    Remove an expired or revoked certificate from the personal store on the local client computer during autoenrollment.

The following subject name flags are defined in the Active Directory schema.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x00000001)
    The enrolling application must supply the subject name in the request.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME (0x00010000)
    The enrolling application must supply the alternate subject name in the request.

CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH (0x80000000)
    The subject name must be the distinguished name based on the Active Directory path.

CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME (0x40000000)
    The subject name must be the common name.

CT_FLAG_SUBJECT_REQUIRE_EMAIL (0x20000000)
    The subject name must include the e-mail name.

CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN (0x10000000)
    The subject name must include the DNS name as the common name.

CT_FLAG_SUBJECT_ALT_REQUIRE_DNS (0x08000000)
    The alternate subject name must include the DNS name.

CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL (0x04000000)
    The alternate subject name must include the e-mail name.

CT_FLAG_SUBJECT_ALT_REQUIRE_UPN (0x02000000)
    The alternate subject name requires the user principal name (UPN).

CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID (0x01000000)
    The alternate subject name requires the directory globally unique identifier (GUID) that is used by domain controllers.

CT_FLAG_SUBJECT_ALT_REQUIRE_SPN (0x00800000)
    The alternate subject name requires the service principal name (SPN).

The following template private key flags are defined in the Active Directory schema.

CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL (0x00000001)
    Archival of the private key is allowed or required.

CT_FLAG_EXPORTABLE_KEY (0x00000010)
    The private key is marked as exportable.

The following template general flags are defined in the Active Directory schema.

CT_FLAG_MACHINE_TYPE (0x00000040)
    Computer certificate type

CT_FLAG_IS_CA (0x00000080)
    CA certificate type

CT_FLAG_IS_CROSS_CA (0x00000800)
    Cross-certified CA certificate type

CT_FLAG_IS_DEFAULT (0x00010000)
    Default certificate type; set on all version 1 templates and cannot be changed

CT_FLAG_IS_MODIFIED (0x00020000)
    The type has been modified (read-only)

CT_MASK_SETTABLE_FLAGS (0x0000ffff)
    Obsolete
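To make the bit values and FILETIME encoding in the tables above concrete, here is an added Python example (not part of this document or of any Microsoft tool) that decodes msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag masks, converts pKIExpirationPeriod into days, and applies the wireless appendix's subject name requirement to a constructed sample template. The helper names and the sample values are assumptions; the flag names and bit values are those listed above.

```python
import struct

ENROLLMENT_FLAGS = {  # msPKI-Enrollment-Flag bits, as listed above (obsolete flags omitted)
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00000400: "CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE",
}
NAME_FLAGS = {  # msPKI-Certificate-Name-Flag bits, as listed above
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
}

def decode_flags(value, table):
    """Names of the bits set in a 32-bit flag attribute; unknown bits are reported as hex."""
    value &= 0xFFFFFFFF  # LDAP returns a signed int32, so 0x80000000 arrives as -2147483648
    names = [name for bit, name in table.items() if value & bit]
    if value & ~sum(table):
        names.append("UNKNOWN_0x%08x" % (value & ~sum(table)))
    return names

def period_to_days(raw):
    """pKIExpirationPeriod / pKIOverlapPeriod: negative FILETIME (100 ns ticks, little-endian) -> days."""
    (ticks,) = struct.unpack("<q", raw)
    return -ticks / (10_000_000 * 86_400)

def wireless_subject_ok(name_flags):
    """802.1X computer template check: the DNS name must be *required* in the subject
    (as CN or in the alternate name), not left for the enrollee to supply."""
    names = set(decode_flags(name_flags, NAME_FLAGS))
    requires_dns = names & {"CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN", "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS"}
    return bool(requires_dns) and "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT" not in names

SAMPLE_NAME_FLAGS = 0x18000000  # constructed: DNS as CN + DNS in the alternate subject name
SAMPLE_EXPIRATION = bytes.fromhex("004039872ee1feff")  # constructed: 1-year validity, raw ADSI bytes
```

Note that a template that sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT enforces nothing about the DNS name, so it fails the wireless check even when a DNS-required bit is also set.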

References