Appendix C: Certificate Template Schema Additions
Applies To: Windows Server 2003 with SP1
The Certificate Templates container holds the certificate templates that are defined within an Active Directory forest. Each certificate template is an object of the class pKICertificateTemplate and is managed by using the Certificate Templates MMC snap-in. Windows 2000 includes 24 default certificate templates; Windows Server 2003 includes 29 default templates. Each template is stored in the following location in the Configuration naming context:
CN=<name of template>,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=<ForestRootDomain>
Version 1 Certificate Template Attributes
The following version 1 certificate template attributes are defined in the Active Directory schema.
Attribute | Description |
---|---|
cn | Common name of the certificate template. |
distinguishedName | Distinguished name of the certificate template. |
displayName | Display name of the certificate template. |
pKIExtendedKeyUsage | Array of enhanced key usage object identifiers. |
pKIDefaultCSPs | List of default CSPs. Each entry is an index (DWORD) followed by the CSP name, for example 1,Microsoft Enhanced Cryptographic Provider v1.0. |
pKICriticalExtensions | List of extension object identifiers that are marked critical in issued certificates. |
revision | Major version of the template. |
templateDescription | Obsolete attribute. |
flags | General template flags (see the general flags table below). |
pKIDefaultKeySpec | Default key specification (DWORD): 1 for AT_KEYEXCHANGE or 2 for AT_SIGNATURE. This selects the key type; the minimum key length is carried separately in msPKI-Minimal-Key-Size on version 2 templates. |
nTSecurityDescriptor | Security descriptor of the template object. Its DACL controls who can read the template and who holds the Enroll and Autoenroll extended rights on it. |
pKIKeyUsage | Key Usage extension value. |
pKIMaxIssuingDepth | Path length value for the Basic Constraints extension. DWORD value. |
pKIExpirationPeriod | Validity period. Stored as a negative FILETIME value (an 8-byte little-endian signed integer in 100-nanosecond units). |
pKIOverlapPeriod | Renewal period. Stored as a negative FILETIME value in the same format. |
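The two period attributes in the table above are easiest to understand by decoding them. The following Python is an added example; it is not part of the original appendix and not code from any Microsoft tool. It encodes and decodes the 8-byte negative FILETIME form and renders the period in the largest whole unit, which is a display heuristic of this example rather than the exact rule the snap-in uses. The sample values (one year validity, six week renewal) are constructed here, not read from a directory.

```python
"""Encode/decode pKIExpirationPeriod and pKIOverlapPeriod.

Both attributes are stored as an 8-byte little-endian signed integer holding
a negative count of 100-nanosecond ticks (the "negative FILETIME" of the
table above); the period length is the magnitude of that value.
"""
import struct
from datetime import timedelta

TICKS_PER_SECOND = 10_000_000          # one FILETIME tick is 100 ns
HOURS_PER_UNIT = {"year": 24 * 365, "week": 24 * 7, "day": 24, "hour": 1}


def decode_period(raw: bytes) -> timedelta:
    """Turn the raw attribute bytes into a positive timedelta."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    (ticks,) = struct.unpack("<q", raw)
    if ticks > 0:
        raise ValueError("period attributes hold a negative tick count")
    # 10 ticks per microsecond; -ticks is the positive magnitude
    return timedelta(microseconds=-ticks // 10)


def encode_period(period: timedelta) -> bytes:
    """Inverse of decode_period: the bytes to write for a given period."""
    ticks = (period.days * 86_400 + period.seconds) * TICKS_PER_SECOND
    ticks += period.microseconds * 10
    return struct.pack("<q", -ticks)


def describe_period(period: timedelta) -> str:
    """Render in the largest unit that divides the period evenly.

    Readability heuristic of this example (a year is taken as 365 days);
    it does not claim to reproduce the snap-in's exact display rule.
    """
    total_seconds = int(period.total_seconds())
    hours, remainder = divmod(total_seconds, 3600)
    if remainder or hours == 0:
        return f"{total_seconds} seconds"
    for unit, hours_per_unit in HOURS_PER_UNIT.items():
        if hours % hours_per_unit == 0:
            count = hours // hours_per_unit
            return f"{count} {unit}{'' if count == 1 else 's'}"
    return f"{hours} hours"   # not reached: "hour" always divides


def periods_are_consistent(expiration: bytes, overlap: bytes) -> bool:
    """The renewal (overlap) period must be shorter than the validity period;
    otherwise autoenrollment would try to renew a freshly issued certificate."""
    return decode_period(overlap) < decode_period(expiration)


# Constructed sample values (not read from a directory): one year validity
# and a six week renewal window.
SAMPLE_EXPIRATION = encode_period(timedelta(days=365))
SAMPLE_OVERLAP = encode_period(timedelta(weeks=6))

if __name__ == "__main__":
    for name, raw in (("pKIExpirationPeriod", SAMPLE_EXPIRATION),
                      ("pKIOverlapPeriod", SAMPLE_OVERLAP)):
        print(f"{name}: {raw.hex()} -> {describe_period(decode_period(raw))}")
    print("consistent:", periods_are_consistent(SAMPLE_EXPIRATION, SAMPLE_OVERLAP))
```

Bytes read from AD through an LDAP client arrive exactly as decode_period expects; the value you see in ADSI Edit is the same signed integer rendered as an octet string.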
Version 2 Certificate Template Attributes
The following version 2 certificate template attributes are defined in the Active Directory schema.
Attribute | Description |
---|---|
msPKI-Template-Schema-Version | Schema version of the template (1 for version 1 templates, 2 for version 2 templates). |
msPKI-Template-Minor-Revision | Minor version of the template. |
msPKI-RA-Signature | Number of registration authority (RA) signatures required on a request that references this template. |
msPKI-Minimal-Key-Size | Minimum key size, in bits, that a request must use. |
msPKI-Template-Cert-Template-OID | Object identifier of this template. |
msPKI-Supersede-Templates | Names of the templates that this template supersedes (multi-valued). |
msPKI-RA-Policies | Issuance policy object identifiers that the RA signature must carry. |
msPKI-RA-Application-Policies | Application policy object identifiers that the RA signature must carry. |
msPKI-Certificate-Policy | Certificate issuance policy object identifiers; the policy module places them in the Certificate Policies extension (OID_CERT_POLICIES) of issued certificates. |
msPKI-Certificate-Application-Policy | Certificate application policy object identifiers. |
msPKI-Enrollment-Flag | Enrollment flags (see the enrollment flags table below). |
msPKI-Private-Key-Flag | Private key flags (see the private key flags table below). |
msPKI-Certificate-Name-Flag | Subject name flags (see the subject name flags table below). |
Flags
The following enrollment flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | Include the S/MIME symmetric algorithms in the request. |
CT_FLAG_PEND_ALL_REQUESTS | All certificate requests are pended until a certificate manager approves them. |
CT_FLAG_PUBLISH_TO_KRA_CONTAINER | Publish the certificate to the key recovery agent (KRA) container in Active Directory. |
CT_FLAG_PUBLISH_TO_DS | Publish the resultant certificate to the userCertificate attribute on the user object in Active Directory. |
CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE | The autoenrollment client will not enroll for a new certificate if the user already has a certificate published to the userCertificate attribute in Active Directory with the same template name. |
CT_FLAG_AUTO_ENROLLMENT | This template is appropriate for autoenrollment. |
CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT | A previously issued certificate validates subsequent enrollment requests. |
CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED | Obsolete. |
CT_FLAG_USER_INTERACTION_REQUIRED | User interaction is required to enroll using autoenrollment. |
CT_FLAG_ADD_TEMPLATE_NAME | Obsolete. |
CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE | Remove invalid (expired or revoked) certificates from the personal store on the local client computer during autoenrollment. |
The following subject name flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | The enrolling application must supply the subject name in the request. |
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME | The enrolling application must supply the subjectAltName in the request. |
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH | The subject name is the full distinguished name taken from the Active Directory path. |
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | The subject name is the common name. |
CT_FLAG_SUBJECT_REQUIRE_EMAIL | The subject name includes the e-mail name. |
CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN | The subject name includes the DNS name as the common name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS | The subject alternative name includes the DNS name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL | The subject alternative name includes the e-mail name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | The subject alternative name includes the user principal name (UPN). |
CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID | The subject alternative name includes the directory GUID (used by domain controllers). |
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN | The subject alternative name includes the service principal name (SPN). |
The following template private key flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL | Archival of the private key at the CA is required. |
CT_FLAG_EXPORTABLE_KEY | Mark the private key as exportable. |
The following template general flags are defined in the Active Directory schema:
Flag | Description |
---|---|
CT_FLAG_MACHINE_TYPE | Machine certificate template. |
CT_FLAG_IS_CA | CA certificate template. |
CT_FLAG_IS_CROSS_CA | Cross-certification CA certificate template. |
CT_FLAG_IS_DEFAULT | Default template; set on all version 1 templates and cannot be changed. |
CT_FLAG_IS_MODIFIED | The template has been modified (read-only). |
CT_MASK_SETTABLE_FLAGS | Obsolete. |
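Each of the four flag attributes (msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag, msPKI-Private-Key-Flag and flags) from the version 1 and version 2 attribute tables is a bitmask, and the flag tables above give only the symbolic names. The Python below is an added example, not part of the original appendix or of any Microsoft tool. The numeric values come from the CT_FLAG_* definitions in certenroll.h (documented in MS-CRTD) and are not on this page, so confirm them against the header before relying on one. The code decodes the masks, undoes the negative number that LDAP returns when bit 31 (CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH) is set in the signed 32-bit attribute, and applies one review heuristic of this example: a template on which the requester supplies the subject name while neither manager approval (CT_FLAG_PEND_ALL_REQUESTS) nor an RA signature is required. The sample template records are constructed, not read from a directory.

```python
"""Decode the bit-flag attributes of a certificate template.

Numeric values are the CT_FLAG_* constants from certenroll.h (MS-CRTD); the
tables above list the names only, so confirm values against the header.
The attributes are signed 32-bit integers in AD, so a name-flag value with
bit 31 set comes back from LDAP as a negative number.
"""

ENROLLMENT_FLAGS = {          # msPKI-Enrollment-Flag
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00000080: "CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00000200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x00000400: "CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE",
}
NAME_FLAGS = {                # msPKI-Certificate-Name-Flag
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}
PRIVATE_KEY_FLAGS = {         # msPKI-Private-Key-Flag
    0x00000001: "CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL",
    0x00000010: "CT_FLAG_EXPORTABLE_KEY",
}
GENERAL_FLAGS = {             # flags (only the names from the table above)
    0x00000040: "CT_FLAG_MACHINE_TYPE",
    0x00000080: "CT_FLAG_IS_CA",
    0x00000800: "CT_FLAG_IS_CROSS_CA",
    0x00010000: "CT_FLAG_IS_DEFAULT",
    0x00020000: "CT_FLAG_IS_MODIFIED",
}


def decode_flags(value: int, table: dict) -> list:
    """Expand a flag attribute into CT_FLAG_* names, lowest bit first.
    Bits not in the table are kept as UNKNOWN_0x... so nothing that is set
    in the directory is silently dropped."""
    value &= 0xFFFFFFFF                       # undo LDAP's signed-32-bit view
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    unknown = value & ~known & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def decode_template(t: dict) -> dict:
    """Decode all four flag attributes of one template record."""
    return {
        "flags": decode_flags(t["flags"], GENERAL_FLAGS),
        "msPKI-Enrollment-Flag": decode_flags(t["msPKI-Enrollment-Flag"], ENROLLMENT_FLAGS),
        "msPKI-Private-Key-Flag": decode_flags(t["msPKI-Private-Key-Flag"], PRIVATE_KEY_FLAGS),
        "msPKI-Certificate-Name-Flag": decode_flags(t["msPKI-Certificate-Name-Flag"], NAME_FLAGS),
    }


def review(t: dict) -> list:
    """Review heuristic of this example (not a rule from the appendix): report
    templates where the requester chooses the subject name and neither manager
    approval nor an RA signature stands between the request and issuance."""
    d = decode_template(t)
    supplies = "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT" in d["msPKI-Certificate-Name-Flag"]
    pended = "CT_FLAG_PEND_ALL_REQUESTS" in d["msPKI-Enrollment-Flag"]
    if supplies and not pended and t.get("msPKI-RA-Signature", 0) == 0:
        return ["enrollee supplies subject; no manager approval and no RA signature required"]
    return []


# Constructed sample records (not read from a directory). The name-flag value
# of the first is negative because bit 31 is set in the signed attribute.
SAMPLE_TEMPLATES = {
    "ConstructedUser": {"flags": 0x10000, "msPKI-Enrollment-Flag": 41,
                        "msPKI-Private-Key-Flag": 16,
                        "msPKI-Certificate-Name-Flag": -1509949440,
                        "msPKI-RA-Signature": 0},
    "ConstructedWebServer": {"flags": 0x10040, "msPKI-Enrollment-Flag": 0,
                             "msPKI-Private-Key-Flag": 0,
                             "msPKI-Certificate-Name-Flag": 1,
                             "msPKI-RA-Signature": 0},
}

if __name__ == "__main__":
    for name, record in SAMPLE_TEMPLATES.items():
        print(name, decode_template(record), review(record))
```

Feed it the integer attribute values your LDAP client returns for each template object under CN=Certificate Templates; the UNKNOWN_ entries show where a template uses a bit defined after this appendix was written.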