Configuring and Personalizing Certificate Templates

Certificate templates define the certificates you will issue in your AD CS configuration. Enterprise CAs use version 2 and 3 templates, which are configurable so that you can personalize them for each use.

To prepare templates for various uses, you must first configure each template you intend to use and, once each is configured, deploy it to your CAs. After templates are deployed, you can use them to issue certificates. Log on to the issuing CA (SRV2) and launch Server Manager. Expand Active Directory Certificate Services and click Certificate Templates. Note the list of existing templates, and note that you are connected to a domain controller: to work with templates you must be connected to a DC so that the templates can be published to AD DS.

Right-click the template you want to base the new one on (Basic EFS in this lesson) and select Duplicate Template. Select the Windows Server 2008 version and click OK. Change the template display name. Ensure Publish certificate in Active Directory is selected. Pay particular attention to key archival on the Request Handling tab and make sure you select the Archive subject's encryption private key check box. Also, use encryption to send the key to the CA. Archiving the private key lets you recover it if the user ever loses it. Move through the property tabs and customize them as you require; for example, use the Subject Name tab to add information such as Subject Alternative Name values. Then click OK.

If you plan to use EFS, you must also create an EFS Recovery Agent template. Right-click the EFS Recovery Agent template and select Duplicate Template. Select the Windows Server 2008 version and click OK. Change the template display name. Note that the validity period is longer than that of the basic EFS template. Ensure Publish certificate in Active Directory is selected. Select Request Handling, and use the same settings on this and the other property tabs as you assigned to the Basic EFS duplicate, then click OK. The new templates are now ready to be added for issue on the CA.

Expand the CA name, right-click Certificate Templates, and select New > Certificate Template to Issue. Select the templates to issue, then click OK. The new templates have been added. Next you should configure enrollment.
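As an added example, not part of this lesson, the following PowerShell script checks the settings the lesson walks through in the GUI: for every template in AD DS it reads whether Publish certificate in Active Directory is set, whether the subject's encryption private key is archived, the validity period, and whether the Subject Name tab lets the enrollee supply the subject; it then reads which templates the CA has been configured to issue. The flag bits are taken from Microsoft's MS-CRTD specification; the CA name SRV2-CA is an assumed placeholder, and the helper functions are this example's own, not a Microsoft API.

```powershell
# Added example, not part of the lesson: audit the template settings this lesson
# configures and list which templates the issuing CA publishes. Run on a
# domain-joined host as an account that can read the Configuration partition.
# ASSUMPTION: "SRV2-CA" is a placeholder for the CA common name shown in certsrv.msc.
param([string]$CaName = 'SRV2-CA')

# Flag bits as defined in MS-CRTD (Certificate Templates Structure).
$CT_FLAG_PUBLISH_TO_DS              = 0x00000008  # msPKI-Enrollment-Flag: "Publish certificate in Active Directory"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT  = 0x00000001  # msPKI-Certificate-Name-Flag: Subject Name tab, "Supply in the request"
$CTPRIVATEKEY_FLAG_REQUIRE_ARCHIVAL = 0x00000001  # msPKI-Private-Key-Flag: "Archive subject's encryption private key"

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Get-IntAttr {
    # Integer value of a template attribute, or 0 if the attribute is absent.
    param($Properties, [string]$Name)
    if ($Properties.Contains($Name)) { [int]$Properties[$Name][0] } else { 0 }
}

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is a little-endian, negative 64-bit interval in 100 ns units.
    param([byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    [math]::Round((-$ticks) / 864000000000, 1)   # 10,000,000 ticks per second * 86,400 seconds per day
}

# Part 1: read every template object from the Configuration partition.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 500
foreach ($attr in 'cn','displayname','mspki-template-schema-version','pkiexpirationperiod',
                  'mspki-enrollment-flag','mspki-certificate-name-flag','mspki-private-key-flag') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$templates = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    [pscustomobject]@{
        Name            = [string]$p['cn'][0]
        DisplayName     = [string]$p['displayname'][0]
        SchemaVersion   = Get-IntAttr $p 'mspki-template-schema-version'   # 3 = "Windows Server 2008" duplicate
        ValidityDays    = ConvertFrom-PkiPeriod ([byte[]]$p['pkiexpirationperiod'][0])
        PublishToAD     = ((Get-IntAttr $p 'mspki-enrollment-flag')       -band $CT_FLAG_PUBLISH_TO_DS) -ne 0
        KeyArchival     = ((Get-IntAttr $p 'mspki-private-key-flag')      -band $CTPRIVATEKEY_FLAG_REQUIRE_ARCHIVAL) -ne 0
        EnrolleeSubject = ((Get-IntAttr $p 'mspki-certificate-name-flag') -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    }
}

# Part 2: templates the CA is configured to issue. "Certificate Template to Issue" writes
# the template CN into the certificateTemplates attribute of the CA's pKIEnrollmentService object.
$caEntry = [ADSI]"LDAP://CN=$CaName,CN=Enrollment Services,$pkiBase"
$issued  = @($caEntry.certificateTemplates | ForEach-Object { [string]$_ })

$templates |
    Select-Object Name, DisplayName, SchemaVersion, ValidityDays, PublishToAD, KeyArchival, EnrolleeSubject,
                  @{ n = 'IssuedByCA'; e = { $issued -contains $_.Name } } |
    Sort-Object Name | Format-Table -AutoSize

# Review items: an archived key means the CA holds a recoverable copy of it, so a Key
# Recovery Agent must be configured on the CA before such a template is published; a
# template that lets the enrollee supply the subject deserves review before it is issued.
$templates | Where-Object { ($issued -contains $_.Name) -and ($_.KeyArchival -or $_.EnrolleeSubject) } |
    ForEach-Object {
        Write-Warning ("Review published template '{0}': KeyArchival={1}, EnrolleeSuppliesSubject={2}" -f
                       $_.DisplayName, $_.KeyArchival, $_.EnrolleeSubject)
    }
```

Running `certutil -CATemplates` on the CA itself gives the same list as Part 2 and is a useful cross-check. On Windows Server 2012 and later, `Add-CATemplate -Name <TemplateCN>` from the ADCSAdministration module performs the same action as the Certificate Template to Issue dialog, which is convenient when the same templates must be published on several issuing CAs.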