Lesson 2: Managing Certificate Templates


Large organizations might issue thousands of certificates to users and computers. If you had to provide the configuration settings for each one manually, you could spend all day issuing certificates-and you would probably make a large number of mistakes. Fortunately, you can use certificate templates to simplify the process of creating certificates and to ensure that they are created consistently across an organization.

If you are familiar with certificate templates in Microsoft Windows 2000, you will be pleasantly surprised by the new features available in version 2 certificate templates in Windows Server 2003. Most notably, a single template can now combine multiple functions. You can even remove yourself entirely from the certificate enrollment process by configuring templates to autoenroll computers or users. These capabilities reduce the amount of administration needed to maintain a PKI and reduce the total number of certificates users and computers need, thereby reducing costs and saving you time.

After this lesson, you will be able to

  • Determine the purpose of digital certificates.

  • Explain what happens when certificates expire or are revoked and renewed.

  • Select digital certificate templates that correspond to the needs of an organization.

  • Determine the uses and roles of certificate templates.

  • Set appropriate permissions on certificate templates.

  • Modify and supersede certificate templates.

Estimated lesson time: 45 minutes

Overview of Certificate Templates

Certificate templates are the sets of rules and settings that define the format and content of a certificate based on the certificate's intended use. Certificate templates also provide the client with instructions on how to create and submit a valid certificate request. In addition, certificate templates define which security principals are allowed to read, enroll, or autoenroll for certificates based on that template. Certificate templates are configured on a CA and are applied against the incoming certificate requests.

When deploying certificates in an organization, you should customize each template for its intended use. For example, there are default certificate templates for users, computers, Encrypting File System (EFS), and code signing. The type of certificate template that you should use in your organization depends on your security requirements and your PKI applications. You can issue multiple types of certificates to meet a variety of security or application requirements and create your own certificates to meet the needs of your organization.

Only enterprise CAs can issue certificates based on certificate templates. When a certificate template is defined, this definition must be available to all CAs in the forest. You can make the definition available by publishing the template in Active Directory and letting the Active Directory replication engine replicate the published template. The replication of the certificate template in the forest depends upon the Active Directory replication schedule, and the certificate template might not be available at all CAs until replication is completed.

To ensure distribution of the certificate template's definition, the certificate template information is stored in Active Directory. Normally, you will use the Certificate Templates snap-in to view and edit templates; however, you can also use the ADSIEdit snap-in to view and modify the Active Directory objects directly. The templates are located in the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN container (where ForestRootNameDN is the LDAP distinguished name of the forest root domain), as shown in Figure 7.6.

Figure 7.6: Certificate template location

Associated with every certificate template is an access control list (ACL) that defines which security principals have permissions to read, enroll, autoenroll, or modify the certificate template. You can set permissions on the certificate templates by using the Certificate Templates snap-in. Permissions are discussed in more detail later in this lesson.

Certificate Template Versions

Windows Server 2003 supports two types of certificate templates: version 1 and version 2. Version 1 templates provide backward compatibility for servers running Windows 2000 family operating systems. Version 1 templates have a major limitation, however: the settings they contain are hard-coded in the template. You cannot modify certificate template properties, such as certificate lifetime and key size. Version 2 certificate templates address these limitations.

When the first enterprise CA is installed in a forest, version 1 templates are created by default. Unlike version 2 templates, these cannot be modified or removed, but they can be duplicated. When you duplicate a version 1 template, you create a version 2 template. Version 1 templates provide a certificate solution as soon as the CA is installed because they support many general needs for subject certification. For example, there are certificates that allow EFS encryption recovery, client authentication, smart card logon, and server authentication.

Because version 1 certificate templates can be used by both Windows 2000 and Windows XP clients, Windows Server 2003 Certificate Services can work alongside an existing Windows CA infrastructure. Adding a Windows Server 2003 CA does not, however, give computers running Windows 2000 the ability to enroll for certificates based on version 2 templates; Windows XP Professional and Windows Server 2003 clients can enroll for them. On the issuing side, only Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition CAs can issue certificates based on version 2 templates; a Standard Edition CA issues certificates based on version 1 templates only. To enable administration from your desktop, you can create and modify version 2 templates on any computer running Windows XP Professional on which the Windows Server 2003 Administration pack (adminpak.msi) is installed.

Certificate Template Usage

Certificates have the potential to be used by a wide variety of applications. After all, a certificate is simply a piece of data. The operating system and the applications are responsible for using that data to perform functions such as encrypting messages and authenticating connections.

However, there are many different templates designed to be used for various purposes. To specify how a certificate template can be used, you configure the application policies. Application policies, also known as extended key usage or enhanced key usage, give you the ability to specify which certificates can be used for which purposes. This allows you to issue certificates without being concerned that they will be misused.

For example, a certificate based on the Smartcard User template can be used by a user to send secure e-mail, to perform client authentication, and to log on by using a smart card. By default, it cannot be used to authenticate a server to a client, to recover files, to encrypt files, or to perform many other tasks that rely on a certificate. Further, the certificate can be issued only to a user, not to a computer.

The Smartcard User template, and many other templates, can be used for multiple functions. Using certificate templates with multiple functions is an excellent way to reduce the number of certificates that are needed in an organization. Many certificate templates, however, are deliberately restricted to a single function. For example, you could issue certificates for a sensitive operation, such as key recovery, with a short certificate lifetime of 2 months. You would not want to combine this function with a less sensitive one, such as EFS, because an EFS certificate should have a much longer lifetime.
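The two ideas above, that templates live as LDAP objects under CN=Certificate Templates and that application policies (EKU OIDs) decide what a certificate may be used for, are easier to see on real attribute values. The following is an added example, not code from the training kit or from Windows: it decodes the attributes an LDAP client returns for a template object and answers the question "can a certificate from this template be used for purpose X?". The attribute names (pKIExpirationPeriod, pKIOverlapPeriod, pKIExtendedKeyUsage, msPKI-Template-Schema-Version) and the EKU OIDs are the real ones; the two template objects are constructed sample data shaped like an LDAP search result, and the 182-day validity for the practice's Backup Operators template is an assumption standing in for "6 months".

```python
import struct
from datetime import timedelta

# Application policy (EKU) OIDs that the default Windows Server 2003 templates use.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.4.1.311.10.3.4.1": "File Recovery",
    "1.3.6.1.4.1.311.20.2.1": "Certificate Request Agent",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.4.1.311.21.6": "Key Recovery Agent",
}


def decode_pki_period(raw: bytes) -> timedelta:
    """pKIExpirationPeriod and pKIOverlapPeriod are stored as an 8-byte
    little-endian signed integer: a negative count of 100-nanosecond ticks."""
    (ticks,) = struct.unpack("<q", raw)
    if ticks > 0:
        raise ValueError("PKI period attributes are stored as negative intervals")
    return timedelta(seconds=-ticks / 10_000_000)


def encode_pki_period(period: timedelta) -> bytes:
    """Inverse of decode_pki_period, used here to build the sample objects."""
    return struct.pack("<q", -int(period.total_seconds() * 10_000_000))


def summarize_template(attrs: dict) -> dict:
    """Turn the raw attributes of one template object (attribute name ->
    list of values, as an LDAP client returns them) into a readable summary."""
    version = int(attrs.get("msPKI-Template-Schema-Version", [1])[0])
    ekus = attrs.get("pKIExtendedKeyUsage", [])
    return {
        "name": attrs["cn"][0],
        "schema_version": version,
        "modifiable": version >= 2,  # only version 2 templates can be edited
        "validity": decode_pki_period(attrs["pKIExpirationPeriod"][0]),
        "renewal_overlap": decode_pki_period(attrs["pKIOverlapPeriod"][0]),
        "application_policies": [EKU_NAMES.get(oid, oid) for oid in ekus],
    }


def allows_purpose(summary: dict, purpose: str) -> bool:
    """A certificate may be used for a purpose only if its template lists that
    application policy; a template with no EKU list (as for CA certificates)
    places no restriction."""
    policies = summary["application_policies"]
    return not policies or purpose in policies


# Constructed sample objects, shaped like the result of an LDAP search of
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...
SAMPLE_TEMPLATES = {
    "SmartcardUser": {
        "cn": ["SmartcardUser"],
        "msPKI-Template-Schema-Version": ["1"],
        "pKIExpirationPeriod": [encode_pki_period(timedelta(days=365))],
        "pKIOverlapPeriod": [encode_pki_period(timedelta(weeks=6))],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2",
                                "1.3.6.1.4.1.311.20.2.2"],
    },
    "BackupOperators": {  # the version 2 template built in this lesson's practice
        "cn": ["BackupOperators"],
        "msPKI-Template-Schema-Version": ["2"],
        "pKIExpirationPeriod": [encode_pki_period(timedelta(days=182))],  # assumed "6 months"
        "pKIOverlapPeriod": [encode_pki_period(timedelta(weeks=6))],
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4",
                                "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.20.2.2"],
    },
}

if __name__ == "__main__":
    for attrs in SAMPLE_TEMPLATES.values():
        s = summarize_template(attrs)
        print(f"{s['name']}: v{s['schema_version']}, valid {s['validity'].days} days, "
              f"policies={s['application_policies']}")
```

Against a live forest you would feed summarize_template the attributes returned by any LDAP client for each child of the Certificate Templates container; the decoding is the same whether you look with the Certificate Templates snap-in, ADSI Edit, or a script.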

Table 7.1 describes the user certificate templates included with Windows Server 2003. All of the user templates in Table 7.1 are version 1.

Table 7.1: Default User Certificate Templates

  • (template name not recoverable from the page). Allows user authentication, EFS encryption, secure e-mail, and certificate trust list signing.

  • Authenticated Session. Authenticates a user to a Web server. The private key is used to sign the authentication request.

  • Basic EFS. Encrypts and decrypts data by using EFS. The private key is used to decrypt the file encryption key (FEK) that is used to encrypt and decrypt the EFS-protected data.

  • Code Signing. Used to digitally sign software.

  • EFS Recovery Agent. Allows the subject to decrypt files previously encrypted with EFS.

  • Enrollment Agent. Used to request certificates on behalf of another subject.

  • Exchange Enrollment Agent (Offline request). Used to request certificates on behalf of another subject and supply the subject name in the request.

  • Exchange Signature Only. Used by Exchange Key Management Service to issue certificates to Microsoft Exchange Server users for digitally signing e-mail.

  • Exchange User. Used by Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail.

  • Smartcard Logon. Authenticates a user with the network by using a smart card.

  • Smartcard User. Identical to the Smartcard Logon template, except that it can also be used to sign and encrypt e-mail.

  • Trust List Signing. Allows the holder to digitally sign a trust list.

  • User. Used by users for e-mail, EFS, and client authentication.

  • User Signature Only. Allows users to digitally sign data.

Table 7.2 describes the computer certificate templates included with Windows Server 2003.

Table 7.2: Default Computer Certificate Templates

  • CA Exchange. Used by the CA itself for private key archival: a client encrypts the private key it submits for archival to the public key in the CA Exchange certificate, so the key is protected on its way to the CA.

  • CEP Encryption. Allows the holder to act as a registration authority (RA) for Simple Certificate Enrollment Protocol (SCEP) requests.

  • (template name not recoverable from the page). Provides both client and server authentication abilities to a computer account. The default permissions for this template allow enrollment only by computers running Windows 2000 and Windows Server 2003 family operating systems that are not domain controllers.

  • Domain Controller Authentication. Used to authenticate Active Directory computers and users.

  • IPSEC. Provides certificate-based authentication for computers by using IP Security (IPSec) for network communications.

  • IPSEC (Offline request). Used by IPSec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request.

  • RAS and IAS Server. Enables Remote Access Services (RAS) and Internet Authentication Services (IAS) servers to authenticate their identities to other computers.

  • Router (Offline request). Used by a router when requested through SCEP from a certification authority that holds a Certificate Enrollment Protocol (CEP) Encryption certificate.

  • Web Server. Authenticates the Web server to connecting clients. In a Secure Sockets Layer (SSL) handshake the client uses the server's public key to protect the key exchange that establishes the session key; the application data is then encrypted with that symmetric session key, not with the certificate's public key.

  • (template name not recoverable from the page). Enables client computers to authenticate their identities to servers.


Finally, there are a handful of service templates that cannot be neatly classified as user or computer certificate templates:

  • Cross-Certification Authority. Used for cross-certification and qualified subordination.

  • Directory E-mail Replication. Used by domain controllers to secure Active Directory replication that is carried over SMTP (the certificate protects directory replication traffic, not users' e-mail).

  • Domain Controller. Provides both client and server authentication abilities to a computer account. Default permissions allow enrollment by only domain controllers.

  • Key Recovery Agent. Recovers private keys that are archived on the certification authority.

  • Root Certification Authority and Subordinate Certification Authority. Used to prove the identity of the certification authorities.

    Off the Record 

    A certificate template is nothing more than a collection of properties, requirements, and functions. When planning certificate templates, you are not bound to the templates that are included in Windows Server 2003. You can create your own templates to meet the needs of your organization. For example, you could create a template that is used for EFS and e-mail, that is only valid for one year, that archives the keys, and that does not support autoenrollment.

Certificate Template Permissions

Certificate template permissions define the security principals that can read, modify, enroll, or autoenroll for certificates based on certificate templates. You must define the permissions for each certificate template to ensure that only authorized users, computers, or group members can obtain certificates based on a certificate template.


Be sure that you know the members of a group before you issue certificates to that group. Improper planning could lead to a security risk caused by issuing certificates to users who are not required to have those certificates.

The permissions that you can assign to a certificate template include:

  • Full Control. Allows a security principal to modify all attributes of a certificate template, including the permissions for the certificate template.

  • Read. Allows a security principal to find the certificate template in Active Directory when enrolling for certificates.

  • Write. Allows a security principal to modify all the attributes of a certificate template, except for the permissions that are assigned to the certificate template.

  • Enroll. Allows a security principal to enroll for a certificate based on the certificate template. To enroll for a certificate, the security principal must also have Read permissions for the certificate template.

  • Autoenroll. Allows a security principal to receive a certificate through the autoenrollment process. Autoenrollment also requires that the user have both Read and Enroll permissions.

    Security Alert 

    For autoenrollment to function reliably, grant all three required permissions (Read, Enroll, and Autoenroll) to the same user or group. Do not assign Read and Enroll to one group and Autoenroll to another and expect a user who is a member of both groups to autoenroll: the enrollment client has to assemble the right from several memberships, and a deny entry on any one of them or a later change to either group silently breaks autoenrollment for that user. For best results, create a global or universal group for each certificate template. Grant the global or universal group all three permissions, and then add the necessary user groups to this group.

Figure 7.7 shows the permissions you can set on certificate templates.

Figure 7.7: Certificate template permissions
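The permission rules above are worth checking mechanically before a template is published, both for the Read/Enroll/Autoenroll combination the Security Alert describes and for the Write and Full Control entries that let a principal change the template itself (and with it the application policies and the subject rules). The following is an added example, not code from the training kit or from Windows: it evaluates a template's ACL for a holder's group memberships the way a standard Active Directory DACL is evaluated (allow entries for any group in the token accumulate; a deny entry removes the right), applies the lesson's recommended single-group check, and lists the findings a reviewer would raise. The Enroll and Autoenroll extended-right GUIDs are the real ones; the Ace class is a simplified model of an object-specific ACE, not a security-descriptor parser, and the ACL itself is constructed sample data around the Backup Operators template from this lesson's practice.

```python
from dataclasses import dataclass

# Extended rights carried in object-specific ACEs on a template object.
# These GUIDs are real; the Ace model below is simplified (no inheritance,
# no access-mask bits), which is enough to reason about who can enroll.
ENROLL_RIGHT_GUID = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL_RIGHT_GUID = "a05b8cc2-17bc-11d2-91a1-00c04f79dc55"

ALL_RIGHTS = frozenset({"Read", "Write", "Enroll", "Autoenroll", "FullControl"})
AUTOENROLL_SET = frozenset({"Read", "Enroll", "Autoenroll"})


@dataclass(frozen=True)
class Ace:
    principal: str       # group or account the entry applies to
    rights: frozenset    # subset of ALL_RIGHTS
    allow: bool = True   # False models a deny entry


def expand(rights: frozenset) -> frozenset:
    """Full Control implies every other right on the template."""
    return ALL_RIGHTS if "FullControl" in rights else rights


def effective_rights(acl, token_groups) -> frozenset:
    """Standard DACL evaluation: allow entries for any group in the holder's
    token accumulate, and a deny entry for any of them takes the right away."""
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal in token_groups:
            (allowed if ace.allow else denied).update(expand(ace.rights))
    return frozenset(allowed - denied)


def single_group_grant(acl, token_groups) -> bool:
    """True if one allow entry for a group in the token carries Read, Enroll
    and Autoenroll together, which is the configuration the lesson recommends."""
    return any(ace.allow and ace.principal in token_groups
               and AUTOENROLL_SET <= expand(ace.rights) for ace in acl)


def autoenroll_ready(acl, token_groups) -> bool:
    """The holder must end up with all three rights (no deny entry removing one)
    and should get them from a single group grant rather than from a union of
    several memberships."""
    return (AUTOENROLL_SET <= effective_rights(acl, token_groups)
            and single_group_grant(acl, token_groups))


def audit_template_acl(acl, trusted_writers):
    """Findings a reviewer wants before publishing a template: who can modify it,
    and Autoenroll grants that lack Read or Enroll on the same entry."""
    findings = []
    for ace in acl:
        if not ace.allow:
            continue
        r = expand(ace.rights)
        if ("Write" in r or "FullControl" in r) and ace.principal not in trusted_writers:
            findings.append(f"{ace.principal} can modify the template")
        if "Autoenroll" in r and not AUTOENROLL_SET <= r:
            findings.append(f"{ace.principal} has Autoenroll without Read and Enroll")
    return findings


# Constructed ACL for the practice's Backup Operators template, plus a deliberately
# split grant (Sales: Read+Enroll, Laptops: Autoenroll), a help-desk Write entry,
# and a deny entry for contractors.
TEMPLATE_ACL = [
    Ace("Domain Admins", frozenset({"FullControl"})),
    Ace("Backup Operators", frozenset({"Read", "Enroll", "Autoenroll"})),
    Ace("Sales", frozenset({"Read", "Enroll"})),
    Ace("Laptops", frozenset({"Autoenroll"})),
    Ace("Help Desk", frozenset({"Read", "Write"})),
    Ace("Contractors", frozenset({"Enroll"}), allow=False),
]

if __name__ == "__main__":
    for groups in ({"Backup Operators"}, {"Sales", "Laptops"}, {"Backup Operators", "Contractors"}):
        print(sorted(groups), "->", sorted(effective_rights(TEMPLATE_ACL, groups)),
              "autoenroll ready:", autoenroll_ready(TEMPLATE_ACL, groups))
    for f in audit_template_acl(TEMPLATE_ACL, {"Domain Admins"}):
        print("finding:", f)
```

The Sales/Laptops case is the one the Security Alert warns about: the union of the two memberships contains all three rights, yet no single entry grants them, so autoenroll_ready reports False and the audit names the Laptops entry. The Help Desk finding is the check behind the note about knowing who is in a group before you grant it rights: Write on a template is as sensitive as Enroll, because it can change what Enroll produces.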

Methods for Updating a Certificate Template

In your CA hierarchy, you might have one certificate template for each job function, such as file encryption or code signing, or a few templates that cover functions for most common groups of subjects. You might have to modify an existing certificate template as a result of incorrect settings that were defined in the original certificate template, or you might want to merge multiple existing certificate templates into a single template.

There are two methods for modifying a version 2 certificate template. You either modify the original template, or you create a new one to replace it.

You can modify a version 2 certificate template at any time. After you make the changes, all new enrollees receive the new settings. Clients that were issued certificates before the template was modified keep their existing certificates until they renew or re-enroll. To push the new settings to every existing holder, right-click the template in the Certificate Templates snap-in and click Reenroll All Certificate Holders; this raises the template's version number, and autoenrolled clients request new certificates on their next autoenrollment pass. This is an excellent way to make sweeping changes to certificates deployed to users and computers in your organization. For example, if you discovered that a certificate could be compromised in less than one year, you could shorten the validity period of the template to six months and re-enroll all certificate holders.

The second method of updating a certificate template is known as superseding the template. You create a new version 2 certificate template that carries the application policies of the templates you want to replace, and then designate that the new template supersedes them. For example, if multiple certificate templates provide the same or similar functionality, you can supersede them with a single certificate template. Select the templates that are to be superseded on the Superseded Templates tab of the new template's properties.

When making your decision on whether to modify a certificate template, you should consider the consequences of the modification. For example, if a change is going to affect only a single certificate template, and if the change does not require certificates to be re-issued to all current certificate holders, you can simply modify an existing certificate template. Nice and easy!

Keep in mind that only version 2 certificate templates support modification. If the certificate template that you want to modify is a version 1 certificate template, you must supersede the existing certificate template with a version 2 certificate template.

If the changes you are going to make to the certificate template do not affect previously issued certificates, you do not need to re-issue the certificate to certificate holders. For example, changing the permissions for a certificate template to allow additional groups to enroll the certificate template would not require the re-issuance of all existing certificates.

Certificate management can be time-consuming, especially in an environment that issues a large number of certificates to users and computers. The load on the issuing CA increases, CRLs get bigger, and the end user certificate management can be harrowing. To ease this potential strain on your CAs and end users, consider consolidating multiple existing certificate templates into a single certificate template.

Although a version 1 certificate template itself cannot be changed, superseding it with a version 2 certificate template effectively modifies its settings. For example, you could create a new version 2 template that performs the same functions as the original template but that has different settings for the certificate lifetime, key size, or application and issuance policies.

In summary, you can update an existing certificate template in two ways. The first way is to modify a version 2 certificate template at any time by making changes to the certificate template. The second way is to supersede an existing certificate template. If the certificate template you want to update is version 1, or if you want to combine multiple certificate templates into a single template, you can supersede the existing certificate template or templates with a version 2 certificate template. After you make the changes, any certificate issued by a CA based on that certificate template will include the modifications you made in the certificate template.

You should modify a template when the changes are minor and affect only a single version 2 certificate template. You should supersede a template when you are consolidating multiple templates, when you are modifying a version 1 certificate template, or when you are changing the lifetime, key size, application policies, or issuance policies.

Security Alert 

Modifying or superseding a template affects only the certificates issued after the change. Existing certificates are not modified until the user or computer that holds them renews the certificate or enrolls for a new certificate based on the modified or superseding template. If autoenrollment is enabled for the updated or superseding certificate template, users or computers automatically enroll for the updated certificates.
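The behaviour the Security Alert describes (existing certificates stay as issued until something triggers renewal, re-enrollment, or enrollment for a superseding template) is easiest to understand as the decision an autoenrollment pass makes for one holder. The following is an added example, not code from the training kit or from the Windows autoenrollment client: it is a simplified model of that decision over a constructed template catalog matching this lesson's practice (User and Smartcard Logon superseded by a version 2 Backup Operators template). The rule that a version 2 template starts at major version 100 and that Reenroll All Certificate Holders raises it is how the snap-in behaves; the six-week renewal overlap, the dates, and the group names are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta


@dataclass(frozen=True)
class Template:
    name: str
    schema_version: int            # 1 or 2; only version 2 can be modified or supersede
    major_version: int             # raised by 'Reenroll All Certificate Holders'
    renewal_overlap: timedelta     # how long before expiry renewal starts
    supersedes: frozenset = frozenset()
    autoenroll_groups: frozenset = frozenset()   # groups holding Read+Enroll+Autoenroll


@dataclass(frozen=True)
class IssuedCert:
    template: str
    template_major: int            # template major version recorded at issue time
    not_after: date


def with_reenroll_all(templates: dict, name: str) -> dict:
    """Model 'Reenroll All Certificate Holders': allowed on version 2 only."""
    t = templates[name]
    if t.schema_version < 2:
        raise ValueError(f"{name} is a version 1 template and cannot be modified")
    return {**templates, name: replace(t, major_version=t.major_version + 1)}


def plan_autoenrollment(templates: dict, holder_groups: set, certs, today: date):
    """One autoenrollment pass for one holder. Returns (reasons, retire):
    templates to enroll for, keyed by name with the reason, and held certificates
    that become obsolete because their template is superseded."""
    held = {c.template: c for c in certs}
    offered = {n: t for n, t in templates.items() if t.autoenroll_groups & holder_groups}
    replaced = {old for t in offered.values() for old in t.supersedes}
    reasons, retire = {}, []
    for t in offered.values():
        if t.name in replaced:
            continue                     # a superseded template is no longer offered
        cur = held.get(t.name)
        if cur is None:
            reasons[t.name] = "no certificate held"
        elif cur.template_major < t.major_version:
            reasons[t.name] = "template version raised, reenrolling all holders"
        elif cur.not_after - today <= t.renewal_overlap:
            reasons[t.name] = "inside renewal window"
        # otherwise the existing certificate is left exactly as it was issued
        retire.extend(old for old in t.supersedes if old in held)
    return reasons, retire


# Constructed catalog mirroring the practice: User and SmartcardLogon (version 1)
# superseded by the version 2 BackupOperators template.
SAMPLE_TEMPLATES = {
    "User": Template("User", 1, 3, timedelta(weeks=6),
                     autoenroll_groups=frozenset({"Domain Users"})),
    "SmartcardLogon": Template("SmartcardLogon", 1, 1, timedelta(weeks=6)),
    "BackupOperators": Template("BackupOperators", 2, 100, timedelta(weeks=6),
                                supersedes=frozenset({"User", "SmartcardLogon"}),
                                autoenroll_groups=frozenset({"Backup Operators"})),
}
TODAY = date(2004, 6, 1)
USER_CERT = IssuedCert("User", 3, date(2005, 1, 1))             # nowhere near renewal
EXPIRING_USER_CERT = IssuedCert("User", 3, date(2004, 7, 1))    # 30 days left
BACKUP_CERT = IssuedCert("BackupOperators", 100, date(2004, 12, 1))

if __name__ == "__main__":
    for groups, certs in (({"Domain Users", "Backup Operators"}, [USER_CERT]),
                          ({"Domain Users"}, [USER_CERT]),
                          ({"Backup Operators"}, [BACKUP_CERT])):
        print(sorted(groups), "->", plan_autoenrollment(SAMPLE_TEMPLATES, groups, certs, TODAY))
    bumped = with_reenroll_all(SAMPLE_TEMPLATES, "BackupOperators")
    print("after Reenroll All ->", plan_autoenrollment(bumped, {"Backup Operators"}, [BACKUP_CERT], TODAY))
```

A member of Backup Operators who holds a User certificate is told to enroll for Backup Operators and the User certificate is marked for retirement; a plain domain user holding the same certificate has nothing to do, which is the "existing certificates are not modified" point. Raising the version of the version 2 template is what turns that second case into a re-enrollment, and the model refuses to do so for a version 1 template.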

Practice: Superseding Certificate Templates

In this practice, you will supersede multiple existing certificate templates.

Exercise: Superseding Multiple Certificates

In this exercise, you will supersede the User certificate template with a new version 2 certificate template.

  1. Log on to the cohowinery.com domain on Computer1 using the Administrator account.

  2. Click Start, click Run, type certtmpl.msc and then click OK.

  3. Right-click the User template and then click Duplicate Template.

  4. In the Properties Of New Template dialog box, click the General tab and type Backup Operators in the Template Display Name box.

  5. Specify the validity period as 6 months, as shown in Figure 7.8.

    Figure 7.8: Properties of New Template dialog box

  6. Click the Extensions tab, click Application Policies, and then click Edit.

  7. In the Edit Application Policies Extension dialog box, ensure that Client Authentication, Encrypting File System, and Secure Email are present, and then click Add.

  8. In the Add Application Policy dialog box, select Smart Card Logon under Application Policies, and then click OK.

  9. In the Edit Application Policies Extension dialog box, verify that Smart Card Logon is now in the list, as shown in Figure 7.9, and then click OK.

    Figure 7.9: Smart Card Logon policy added to the Application Policies list

  10. Click the Superseded Templates tab, and then click Add.

  11. In the Add Superseded Template dialog box, hold down the Ctrl key and click User and Smartcard Logon, and then click OK. Verify that the templates are displayed under Certificate Templates.

  12. Click the Security tab, and then click the Add button and add the Backup Operators group. Click OK to return to the Properties Of New Template dialog box.

  13. Select Backup Operators and then select the Allow check box for the Read, Enroll, and Autoenroll permissions.

  14. Click OK, and then close all open windows.

  15. Open the Certification Authority console.

  16. Expand Certification Authority. Right-click Certificate Templates, click New, and then click Certificate Template To Issue.

  17. In the Enable Certificate Templates dialog box, click Backup Operators, and then click OK.

    Now the Backup Operators certificate template is an available choice for users requesting new certificates. Because of Active Directory replication latency and template caching in the registry, a CA might not be able to issue certificates based on the new template immediately; the delay depends on the replication schedule between domain controllers.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the 'Questions and Answers' section at the end of this chapter.

  1. Which of the following tasks can be performed on version 1 certificate templates? (Choose all that apply.)

    1. Adding a certificate based on the template to a CRL

    2. Changing the expiration date of the template

    3. Superseding the template with a version 2 template

    4. Changing the permissions assigned to the template

  2. Where in the Active Directory are certificate templates located?

    1. CN=Certificate Templates,CN=Public Key Services,CN=Extended-Rights,CN=Configuration,DC=ForestRootNameDN

    2. CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootNameDN

    3. CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Domain,DC=ForestRootNameDN

    4. CN=Certificate Templates,CN=NetServices,CN=Services,CN=Configuration,DC=ForestRootNameDN

Lesson Summary

  • Certificate templates are the sets of rules that define the content of a certificate based on its intended use.

  • Microsoft certification authorities (CAs) support two types of certificate templates: version 1 and version 2. Version 1 templates are provided for backwards compatibility and support many general needs for subject certification. Version 2 templates allow customization of most settings in the template.

  • Version 2 templates require Active Directory. They can be created and duplicated by any member of the Windows Server 2003 family; however, certificates based on version 2 templates can be issued only by a CA that is running Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition.

  • Certificate template permissions define the security principals that can read, modify, enroll, and autoenroll certificates based on certificate templates.

  • You can update existing certificate templates by either modifying or superseding them. Only version 2 certificate templates can be modified.


MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft Windows Server 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
