Controlling enrollment access to certificate templates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Certificate templates are published on a server. Each template carries an access control list (ACL) that defines which operations a given subject (user or group) is allowed to perform on that template.

Setting        Description
-------------  ------------------------------------------------------------------
Full Control   The selected group or user can perform any action on this template.
Read           The selected group or user can read this template.
Write          The selected group or user can modify this template.
Enroll         The selected group or user can submit a certificate issuance or renewal request based on this template.
Autoenroll     The selected group or user can submit a certificate request based on this template by way of autoenrollment. This option will not work unless the Enroll option is also selected.

The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll and Autoenroll permissions. If autoenrollment is not wanted but manual or Web-based enrollment is, granting the Read and Enroll permissions is appropriate. When subjects already hold a certificate, they only need Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.

Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured.
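The following PowerShell script is an added example, not part of the original article: it reads the ACL of every certificate template in the Configuration partition and reports the permission combinations described above (Autoenroll without Enroll, Enroll without Read, and Write or Full Control held by anyone outside the CA manager groups). It assumes the ActiveDirectory module (RSAT) is installed and that the group names in $CaManagers are replaced with your own; the CONTOSO names are placeholders.

```powershell
# Added audit example: summarise certificate template ACLs per principal and
# flag the combinations the article calls out. Not from the original article.
Import-Module ActiveDirectory

# Schema-defined extended-right GUIDs for Certificate-Enrollment and
# Certificate-AutoEnrollment (same in every forest).
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-00e0-4f7d-92c4a4bcc5a3'

# Principals allowed to hold Write / Full Control. Placeholder names: replace
# CONTOSO\... with the groups that manage your CA.
$CaManagers = @('BUILTIN\Administrators', 'CONTOSO\Domain Admins',
                'CONTOSO\Enterprise Admins', 'CONTOSO\CA Managers')

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templateCtr = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$R = [System.DirectoryServices.ActiveDirectoryRights]   # shorthand for the enum

foreach ($tpl in Get-ADObject -SearchBase $templateCtr -Filter { objectClass -eq 'pKICertificateTemplate' }) {
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $summary = @{}   # principal -> which of the five template permissions it holds

    foreach ($ace in $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $who = $ace.IdentityReference.Value
        if (-not $summary.ContainsKey($who)) {
            $summary[$who] = [pscustomobject]@{ Read=$false; Write=$false; Enroll=$false; Autoenroll=$false; FullControl=$false }
        }
        $p = $summary[$who]; $rights = $ace.ActiveDirectoryRights
        if (($rights -band $R::GenericAll) -eq $R::GenericAll)         { $p.FullControl = $true }
        if ($rights -band $R::ReadProperty)                              { $p.Read = $true }
        if ($rights -band ($R::WriteProperty -bor $R::WriteDacl -bor $R::WriteOwner)) { $p.Write = $true }
        if ($rights -band $R::ExtendedRight) {
            # An ExtendedRight ACE with an empty ObjectType grants every extended right.
            if ($ace.ObjectType -eq $EnrollGuid     -or $ace.ObjectType -eq [Guid]::Empty) { $p.Enroll = $true }
            if ($ace.ObjectType -eq $AutoEnrollGuid -or $ace.ObjectType -eq [Guid]::Empty) { $p.Autoenroll = $true }
        }
    }

    foreach ($who in $summary.Keys) {
        $p = $summary[$who]
        if ($p.Autoenroll -and -not $p.Enroll) { Write-Warning "$($tpl.Name): $who has Autoenroll without Enroll (autoenrollment will not work)" }
        if ($p.Enroll -and -not $p.Read)       { Write-Warning "$($tpl.Name): $who has Enroll without Read" }
        if (($p.Write -or $p.FullControl) -and ($who -notin $CaManagers)) {
            Write-Warning "$($tpl.Name): $who can modify the template but is not in the CA manager list"
        }
    }
}
```

Run it as a user who can read the Configuration partition; each warning names the template and the principal so the ACL can be corrected in the Certificate Templates console.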