
June 03, 2005

Common Questions about Certificate Templates

In the Windows Server 2003 PKI, there are two types of certificate templates that you can work with. Version 1 certificate templates are the templates that already existed in the Windows 2000 PKI, and the only thing you can change on them is their permissions. You cannot change the content of the certificates they produce (the format of the subject, the lifetime of the certificate, the uses of the certificate, and so on). You can, however, duplicate a version 1 template, and the copy is what is known as a version 2 certificate template. A version 2 certificate template lets you modify both the content and the permissions of the template. You cannot create a version 2 certificate template from scratch: you must duplicate an existing version 1 or version 2 template, so pick the template that is closest to the functionality you require before duplicating it.

A version 2 certificate template can only be issued by an enterprise CA running on Windows Server 2003, Enterprise Edition (or Datacenter Edition). The most common mistake I see is a customer trying to issue version 2 certificate templates from an enterprise CA running Windows Server 2003, Standard Edition. The Standard Edition CA is hard-coded to *not* issue version 2 certificate templates, so the template simply never appears in the list of templates the CA can issue.

In addition, Windows Server 2003, Standard Edition should not be confused with a Windows Server 2003 standalone CA. A standalone CA, whether it runs on Windows Server 2003, Standard Edition or Windows Server 2003, Enterprise Edition, does not use certificate templates at all when it issues certificates. Instead, the certificate content is based entirely on the information supplied in the certificate request, which is also why a standalone CA normally requires an administrator to approve each request.
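The three checks above (is this an enterprise CA at all, is the OS an edition that can issue version 2 templates, and which of the templates the CA has been told to issue are actually version 2) can be scripted on the CA itself. The script below is an added example and is not part of the original post. The registry path and CAType values are the ones CertSvc writes; the test on the WMI Caption string assumes the edition name appears in it, and the LDAP lookup assumes the CA's common name needs no DN escaping.

```powershell
# Added example (not from the original post). Run on the CA server as a domain user.
# It explains why a version 2 template is not being issued by checking CA type,
# OS edition, and the schema version of each template the CA is configured to issue.

$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (-not (Test-Path $configRoot)) { throw 'Certificate Services is not installed on this machine.' }

# "Active" holds the common name of the CA hosted on this box; CAType lives under it.
$caName = (Get-ItemProperty $configRoot).Active
$caType = (Get-ItemProperty (Join-Path $configRoot $caName)).CAType
# CAType: 0 = enterprise root, 1 = enterprise subordinate, 3 = standalone root, 4 = standalone subordinate
$isEnterprise = ($caType -eq 0 -or $caType -eq 1)

# Assumption: the OS caption names the edition, e.g. "... Server 2003, Standard Edition".
$osCaption = (Get-WmiObject Win32_OperatingSystem).Caption
$editionOk = $osCaption -match 'Enterprise|Datacenter'

"CA '{0}': CAType={1} ({2}), OS='{3}'" -f $caName, $caType,
    $(if ($isEnterprise) { 'enterprise' } else { 'standalone' }), $osCaption

if (-not $isEnterprise) {
    'Standalone CA: certificate templates are ignored; content comes from the request.'
    return
}

# Enterprise CAs register a pKIEnrollmentService object whose certificateTemplates
# attribute lists the templates (by cn) the CA will issue.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiRoot  = "CN=Public Key Services,CN=Services,$configNC"
$caObject = [ADSI]"LDAP://CN=$caName,CN=Enrollment Services,$pkiRoot"
$published = @($caObject.Properties['certificateTemplates'])

foreach ($cn in $published) {
    $tpl = [ADSI]"LDAP://CN=$cn,CN=Certificate Templates,$pkiRoot"
    $ver = [int]$tpl.Properties['msPKI-Template-Schema-Version'].Value
    $status = if ($ver -lt 2)          { 'ok (version 1)' }
              elseif (-not $editionOk) { 'NOT issued: this edition cannot issue version 2 templates' }
              else                     { 'ok (version 2)' }
    '{0,-32} v{1}  {2}' -f $cn, $ver, $status
}
```

A version 2 template that is missing from the list entirely has not been added to the CA yet (Certificate Templates folder in the Certification Authority console, New, Certificate Template to Issue); a version 2 template that is in the list but flagged above is the Standard Edition case the post describes.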

You can edit a certificate template from any Windows XP or Windows Server 2003 domain member computer, as long as you are logged on as a user who has the Read and Write permissions on that specific template. To create new templates (that is, to duplicate one), you must also have Full Control permission on the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container and on the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,ForestRootDomain container, because a duplicated template gets a new template OID registered in the OID container. Keep in mind that anyone holding Write permission on a version 2 template can change what the certificates it produces contain, so those permissions deserve the same scrutiny as the CA itself.
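Because version 1 templates can only have their permissions changed while version 2 templates can have their content changed by anyone with Write permission, it is worth listing every template in the forest with its schema version and the principals that can enroll for it or rewrite it. The script below is an added example, not code from the original post. It uses plain ADSI so it runs from any domain member without extra modules; the Certificate-Enrollment extended-right GUID it matches on is the well-known one from the AD schema.

```powershell
# Added example (not from the original post). Lists every certificate template in
# the Configuration partition with its schema version (1 = content is fixed,
# 2 = content editable) and who can enroll for it or change it.

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known extended right "Certificate-Enrollment" (the Enroll permission in the template UI).
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$adr = [System.DirectoryServices.ActiveDirectoryRights]
# Rights that allow rewriting the template's content or its ACL.
$writeRights = $adr::GenericAll -bor $adr::WriteDacl -bor $adr::WriteOwner -bor $adr::WriteProperty

foreach ($tpl in $container.Children) {
    $version = [int]$tpl.Properties['msPKI-Template-Schema-Version'].Value
    $rules = $tpl.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $enrollers = @()
    $writers   = @()
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $hasGenericAll   = ([int]($rights -band $adr::GenericAll)) -eq [int]$adr::GenericAll
        # ExtendedRight with an empty ObjectType means "all extended rights", Enroll included.
        $allExtended     = (([int]($rights -band $adr::ExtendedRight)) -ne 0) -and ($ace.ObjectType -eq [Guid]::Empty)
        if ($hasGenericAll -or $allExtended -or $ace.ObjectType -eq $enrollRightGuid) {
            $enrollers += $ace.IdentityReference.Value
        }
        # WriteProperty scoped to a single attribute still counts: changing one
        # attribute (e.g. the subject-name flags) changes what the template issues.
        if (([int]($rights -band $writeRights)) -ne 0) {
            $writers += $ace.IdentityReference.Value
        }
    }
    [pscustomobject]@{
        Template = $tpl.Properties['cn'].Value
        Version  = $version
        Editable = ($version -ge 2)     # version 1: only permissions can change
        Enroll   = ($enrollers | Sort-Object -Unique) -join ', '
        Write    = ($writers   | Sort-Object -Unique) -join ', '
    }
}
```

Pipe the output to Format-Table -AutoSize or Export-Csv. The rows to look at first are version 2 templates whose Write column contains anything beyond Domain Admins and Enterprise Admins.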

Finally, when you attempt to enroll for a version 2 certificate template, there are some restrictions on how you can enroll:
- Only users on Windows XP and Windows Server 2003 computers can enroll for certificates based on version 2 certificate templates using the Certificate Request Wizard (from the Certificates MMC).
- Users on Windows 2000, Windows XP, and Windows Server 2003 client computers can enroll for version 2 certificate templates using the Certificate Enrollment Web Pages.
- All client operating systems (Windows 98 and higher) can enroll for certificates based on version 2 certificate templates by using scripting.
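For the scripted route, the simplest modern form is a certreq request that names the version 2 template explicitly. The following is an added example and not part of the original post; the template cn, the CA config string, and the host name are assumptions, while the INF keys and certreq switches are standard.

```powershell
# Added example (not from the original post). Requests a certificate based on a
# version 2 template without the MMC wizard or the web pages. Run elevated on the
# machine that will own the key (MachineKeySet = TRUE puts it in the computer store).

$template = 'CorpWebServer'                          # assumed cn (not display name) of a v2 template
$caConfig = 'ca01.corp.example\Corp Issuing CA 1'    # assumed "CAHost\CA common name"
$subject  = 'CN=web01.corp.example'                  # assumed; ignored if the template builds the subject from AD

$inf = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path .\web01.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request from the INF.
certreq -new .\web01.inf .\web01.req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 2. Submit to the enterprise CA; the CA applies the template's settings (lifetime,
#    EKUs, subject rules) and, if the template requires it, leaves the request pending.
certreq -submit -config $caConfig .\web01.req .\web01.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed or the request is pending CA manager approval' }

# 3. Bind the issued certificate to the private key that step 1 created.
certreq -accept .\web01.cer
```

If the CA rejects the request with a template-related error, the usual causes are the ones described above: the template was never added to the CA's list of issuable templates, the requesting account lacks the Enroll permission on it, or the CA runs an edition that cannot issue version 2 templates at all.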

HTH,
Brian

Posted by Brian at June 3, 2005 06:38 AM

Comments

Hi Brian,
In the enterprise CA model I have seen two lots of templates in 2003 server. On the first page I can load templates into the CA, but if I click manage templates I get a page of templates which can have their properties altered but can't be loaded into create new template. Is there an explanation for this? I assumed that any template you alter adds functions to the certificate.

Also, does the CA issue only one certificate based on the template settings configured in the CA? Or can a CA offer more than one certificate? If it can, how do you configure more than one certificate in the CA? As I understand it at the moment, it only issues one certificate per CA.

Do you have or know of any web sites that show you examples of managing the Templates in the CA and how to create or modify templates to a certificate on the CA?

In simple English, can you explain the CA and the way templates are used to configure the CA's certificate or certificates? I am unclear if a CA issues one or many certificates, all with different configurations.

Also, could you explain or post examples of typical template configurations for the CA's certificate?

If changes are made to a template, are they automatically updated to clients when they reconnect?

And lastly, if a template is configured on a certificate, say with IPSec and log on authorisation, and the client downloads the certificate and installs it on the client PC, how is the connection negotiated? Does the client have to be configured with the IPSec protocol in order for the certificate to work, or will the connection be rejected if the client's configuration does not meet what the certificate on the CA is configured to expect?

I hope that you can help me with these questions. It will clear up so much for me and help me to get somewhere near understanding this complex subject.
Thanks,
Regards from
Kile Sheerhan

Posted by: Kile at April 20, 2006 06:36 PM
