Version 2 Certificate Templates

Microsoft introduced certificate templates in Windows 2000. Win2K certificate templates, called Version 1 templates, contain a set of predefined certificate properties that define the default content of the certificates that an enterprise Certificate Authority (CA) issues. (An enterprise CA is one that's integrated with Active Directory—AD.) As is the case with Version 1 templates, you can use Windows .NET Server public key infrastructure (PKI) certificate templates, called Version 2 templates, only with an enterprise CA. However, you can modify the properties of Version 2 templates through the Microsoft Management Console (MMC) Certificate Templates snap-in. (You can't modify Version 1 templates.)

When you open this snap-in, one of the first things that will catch your eye is the presence of colored and gray certificate template display icons. Gray icons indicate Version 1 templates; colored icons (such as those circled in Figure A) indicate Version 2 templates. When you double-click a Version 1 template object, you can read—but not modify—the certificate template's properties. You can use the Certificate Templates snap-in to perform the following administrative tasks:

  • Duplicate an existing template to create new templates. To duplicate a template, right-click it, then select All Tasks, Duplicate Template from the context menu. This ability provides an interesting workaround when you want to modify the properties of a Version 1 template: Simply duplicate the Version 1 template, save the duplicate as a Version 2 template, then modify the template.
  • Modify certificate-template properties. Unlike the Win2K PKI, the .NET Server PKI lets you customize certificate properties (e.g., certificate lifetime, renewal period) and extensions. You can use Version 2 certificate templates to set certificate-enrollment requirements, to control the certificate-signing process, to configure private key archiving, and to designate a specific Cryptographic Service Provider (CSP).
  • Define which accounts can enroll and autoenroll for a particular certificate template. To define the accounts that can enroll or autoenroll, right-click a Version 2 template, open its Properties dialog box, go to the Security tab, then modify the account's Enroll or AutoEnroll access control entry (ACE) in the template's ACL.
  • Enable a template so that user and machine accounts can use it for autoenrollment. To enable a template for use in autoenrollment, right-click the template and select Allow AutoEnrollment from the context menu. You can see a template's autoenrollment status in the snap-in's Autoenrollment column, as Figure A shows. You also can force autoenrollment for a particular certificate template. To do so, right-click the template and select Re-enroll all certificate holders from the context menu.
  • Automatically replace certificates with a newer version that contains new certificate properties. To enable this feature, Microsoft provides each template with a Superseded Templates tab, which Figure B shows. This feature can be very powerful when combined with autoenrollment. An excellent example is the Directory Email Replication template, which supersedes the older Domain Controller template. Because autoenrollment is permitted for the Directory Email Replication template, all domain controllers (DCs) will automatically (i.e., without any user or administrator intervention) receive a new Directory Email Replication certificate.

Many other .NET Server PKI features that use certificates based on Version 2 templates rely on extra code that can enforce the embedded policy rules in the Version 2 certificate extensions. At the time of this writing, this code ships only with Windows XP clients.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.