Certificate Templates Overview
Applies To: Windows Server 2008
Enterprise certification authorities (CAs) use certificate templates to define the format and content of certificates, to specify which users and computers can enroll for which types of certificates, and to define the enrollment process, such as autoenrollment, enrollment only with authorized signatures, and manual enrollment. Associated with each certificate template is a discretionary access control list (DACL) that defines which security principals have permissions to read and configure the template, as well as to enroll or autoenroll for certificates based on the template. The certificate templates and their permissions are defined in Active Directory® Domain Services (AD DS) and are valid within the forest. If more than one enterprise CA is running in the Active Directory forest, permission changes will affect all enterprise CAs.
Note
When a certificate template is defined, the definition of the certificate template must be available to all CAs in the forest. This is accomplished by storing the certificate template information in the Configuration naming context (CN=Configuration,DC=ForestRootName). The replication of this information depends on the Active Directory replication schedule, and the certificate template may not be available to all CAs until replication is completed. The storage and replication are accomplished automatically.
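As an added example (not code from the Microsoft page), the following PowerShell script reads the templates from the Configuration naming context described above, reports each template's schema version and the principals its DACL allows to enroll or autoenroll, and lists which templates each enterprise CA in the forest publishes. It assumes PowerShell 3.0 or later on a domain-joined host and the well-known Certificate-Enrollment and Certificate-AutoEnrollment extended-right GUIDs shown in the code.

```powershell
# Added example, not code from the Microsoft page. Assumes PowerShell 3.0+ on a
# domain-joined host; the two extended-right GUIDs are the well-known values.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
$ConfigNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$PkiBase  = "CN=Public Key Services,CN=Services,$ConfigNC"

function Get-ExtendedRightHolders {
    # Allow ACEs on the template DACL that grant $Right, or every extended right
    # (ObjectType = empty GUID), resolved to account names where possible.
    param([System.DirectoryServices.DirectoryEntry]$Template, [guid]$Right)
    $rules = $Template.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    $names = foreach ($r in $rules) {
        $grantsRight = ($r.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($r.AccessControlType -eq 'Allow' -and $grantsRight -and
            ($r.ObjectType -eq $Right -or $r.ObjectType -eq [guid]::Empty)) {
            try   { $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $r.IdentityReference.Value }   # unresolvable SID: keep the raw SID
        }
    }
    ($names | Sort-Object -Unique) -join '; '
}

function Get-CertTemplateSummary {
    # One object per template: name, schema version (1, 2 or 3), (auto)enroll holders.
    $container = [ADSI]"LDAP://CN=Certificate Templates,$PkiBase"
    foreach ($tpl in $container.Children) {
        [pscustomobject]@{
            Template      = $tpl.Properties['cn'].Value
            SchemaVersion = $tpl.Properties['msPKI-Template-Schema-Version'].Value
            Enroll        = Get-ExtendedRightHolders -Template $tpl -Right $EnrollRight
            AutoEnroll    = Get-ExtendedRightHolders -Template $tpl -Right $AutoEnrollRight
        }
    }
}

function Get-EnterpriseCaTemplates {
    # Templates each enterprise CA (pKIEnrollmentService object) is set to issue.
    $services = [ADSI]"LDAP://CN=Enrollment Services,$PkiBase"
    foreach ($ca in $services.Children) {
        [pscustomobject]@{
            CA        = $ca.Properties['cn'].Value
            Host      = $ca.Properties['dNSHostName'].Value
            Templates = (@($ca.Properties['certificateTemplates']) -join ', ')
        }
    }
}

Get-CertTemplateSummary | Sort-Object Template | Format-Table -AutoSize
Get-EnterpriseCaTemplates | Format-List
```

Because the templates and their DACLs are forest-wide, a permissive Enroll entry found here applies to every enterprise CA that publishes that template.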
CA Terminology
The following terms and acronyms are used throughout this document.
Authority information access. A certificate extension that contains URLs where the issuing CA certificate can be retrieved. The authority information access extension can contain Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), or FILE URLs.
Certificate revocation list (CRL). A digitally signed list issued by a CA that contains certificates that have been revoked. The list includes the serial number of the certificate, the date that the certificate was revoked, and the revocation reason. Applications can perform CRL checking to determine a presented certificate's revocation status. CRLs can also be referred to as base CRLs to differentiate them from delta CRLs.
Certificate template. A preconfigured list of certificate settings that allows users and computers to enroll for certificates without having to create complex certificate requests.
Version 2 certificate templates are customizable certificate templates that are supported with Windows Server® 2008 Enterprise–based CAs or Windows Server 2003 Enterprise Edition–based CAs. Version 2 certificate templates enable advanced CA features such as key archival and recovery and certificate autoenrollment.
In order to use version 2 templates, Active Directory must be upgraded to support Windows Server 2008 or Windows Server 2003 schema changes.
Standard editions of Windows Server 2008 and Windows Server 2003 support only version 1 certificate templates, which are not customizable and do not support key archival or autoenrollment.
Version 3 certificate templates are new in Windows Server 2008. Version 3 certificate templates function similarly to version 2 templates, and they support new Active Directory Certificate Services (AD CS) features available in Windows Server 2008. These features include Cryptography Next Generation (CNG), which introduces support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC).
CRL distribution point. A certificate extension that indicates where the CRL for a CA can be retrieved. This extension can contain multiple HTTP, FTP, FILE, or LDAP URLs for the retrieval of the CRL.
Delta CRL. A type of CRL that contains the list of certificates revoked since the last base CRL was published. Delta CRLs are often used in environments where numerous certificates are revoked to optimize bandwidth use.
Enterprise CA. Enterprise CAs are integrated with AD DS. They publish certificates and CRLs to AD DS, use information stored in AD DS such as user accounts and security groups to approve or deny certificate requests, and use certificate templates stored in AD DS to generate a certificate with the appropriate attributes.
Online Certificate Status Protocol (OCSP). A protocol that allows high-performance validation of certificate status. Windows Server 2008 introduces an online revocation provider (Online Responder) as an optional role service within AD CS.
Public key infrastructure (PKI). A PKI consists of CAs that issue digital certificates, directories that store certificates and policies (including AD DS), resources that provide revocation and validation information for certificates, and the X.509 certificates that are issued to security entities on the network.
Security principal. A user, security group, or computer account that can be assigned permissions in a DACL.
Stand-alone CA. Stand-alone CAs do not require AD DS and do not use certificate templates.
Templates in Versions of Windows Earlier than Windows Server 2008
A number of predefined certificate templates were first introduced in Microsoft Windows® 2000, but attributes of those version 1 certificate templates could not be modified, except the permissions specified in the DACL. This was done through the advanced view of the Active Directory Sites and Services snap-in and allowed administrators to specify which users and groups could read, update, and enroll for certificates that use the templates.
With Windows Server 2003, the introduction of version 2 certificate templates meant that more customization was possible, and management was done through the Certificate Templates snap-in rather than through the Active Directory Sites and Services snap-in.
With Windows Server 2003–based CAs, the Certificate Templates snap-in allowed you to define specific attributes for certificates that meet your organization's business needs. For example, you could:
Define whether the private key associated with a certificate can be exported.
Define whether the certificate request must be approved by a certificate manager, and define how many managers must approve a request before the certificate is issued.
Define which cryptographic service providers (CSPs) are supported by a certificate template.
Define issuance and application policy for issued certificates.
Windows Server 2008–Based Templates
Windows Server 2008 introduced version 3 certificate templates. These certificate templates have been updated to support new features available in the Windows Server 2008–based CA, including CNG, which introduces support for Suite B cryptographic algorithms such as ECC. For more information about CNG in Windows Server 2008, see Active Directory Certificate Services (https://go.microsoft.com/fwlink/?LinkID=85613).
CNG encryption and hash algorithms can be specified for:
Certificate requests
Issued certificates
Protection of private keys for key exchange and key archival scenarios
Administrators can configure support for these new certificate template features using the template properties options in the Certificate Templates snap-in in Windows Server 2008.
AD CS includes two new certificate templates: Kerberos Authentication (delivered as a version 2 template) and OCSP Response Signing (delivered as a version 3 template). These templates are installed in AD DS when the first Windows Server 2008–based CA is installed, or the first time the Certificate Templates snap-in is opened from Windows Server 2008, after an upgrade to a Windows Server 2008–based CA.
Kerberos Authentication Template
The purpose of the Kerberos Authentication template is to issue certificates to domain controllers, which present the certificates to client computers during user and computer network authentication. Certificates issued via this new template contain two specific attributes. Rather than relying on the DNS name of the computer, applications can verify the following:
The enhanced key usage extension of the certificate contains Key Distribution Center (KDC) authentication.
The domain name is in the subject alternative name extension of the certificate.
By the authority of the issuing CA, these attributes prove that the computer presenting the certificate is a domain controller for the domain contained in the subject alternative name. This new template is recommended for domain controllers running Windows Server 2008. For domain controllers running Windows Server 2003, the Domain Controller Authentication template or the Kerberos Authentication template can be used.
Note
If a domain controller running Windows Server 2003 with Service Pack 1 (SP1) or Windows Server 2003 R2 obtains a certificate based on the Kerberos Authentication template, the following error might appear on the domain controller.
Automatic certificate enrollment for local system detected the DNS name in the Kerberos Authentication certificate does not match the DNS name of the local computer. A new enrollment for one Kerberos Authentication certificate will be performed in 24 hours.
This is a known issue. It occurs because the autoenrollment client computer running Windows Server 2003 compares the local computer's DNS name to the contents of the certificate subject alternative name.
Client computers running Windows Vista or Windows Server 2008 can be configured to check for the new enhanced key usage entry by enabling strong KDC validation on the following registry entry:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\kdcvalidation
The default value of 0 disables strong KDC validation. To enable strong KDC validation, set this DWORD value to 2.
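The following script is an added example, not code from the Microsoft page. It checks the two attributes listed above for each Kerberos Authentication certificate in the local machine store and reports the kdcvalidation setting of the host. It assumes PowerShell 3.0 or later and the well-known KDC Authentication EKU OID 1.3.6.1.5.2.3.5, which the page names but does not quote.

```powershell
# Added example, not code from the Microsoft page. Assumes PowerShell 3.0+;
# the KDC Authentication EKU OID is the well-known value 1.3.6.1.5.2.3.5.
$KdcAuthEku = '1.3.6.1.5.2.3.5'   # enhanced key usage: KDC Authentication
$EkuOid     = '2.5.29.37'         # extendedKeyUsage extension
$SanOid     = '2.5.29.17'         # subjectAltName extension
$KdcValPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-EkuOids {
    # All EKU OIDs carried by a certificate (empty array if it has no EKU extension).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    if (-not $ext) { return @() }
    $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ext, $false)
    $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
}

function Test-KerberosAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$DomainDnsName)
    $hasKdcEku = (Get-EkuOids $Cert) -contains $KdcAuthEku
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    # Format($false) renders the SAN as "DNS Name=dc1.corp.example, DNS Name=corp.example, ..."
    $hasDomain = [bool]$san -and
        ($san.Format($false) -imatch ('DNS Name=' + [regex]::Escape($DomainDnsName) + '(\s|,|$)'))
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasKdcAuthEku = $hasKdcEku
        SanHasDomain  = $hasDomain
        Compliant     = ($hasKdcEku -and $hasDomain)
    }
}

function Get-StrongKdcValidation {
    # Absent or 0 = strong KDC validation disabled (the default); 2 = enabled.
    $value = (Get-ItemProperty -Path $KdcValPath -Name kdcvalidation -ErrorAction SilentlyContinue).kdcvalidation
    if ($null -eq $value) { $value = 0 }
    [pscustomobject]@{ kdcvalidation = $value; StrongKdcValidation = ($value -eq 2) }
}

# Evaluate every local-machine certificate that carries the KDC Authentication
# EKU against the DNS domain this computer is joined to.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { (Get-EkuOids $_) -contains $KdcAuthEku } |
    ForEach-Object { Test-KerberosAuthCertificate -Cert $_ -DomainDnsName $domain } |
    Format-Table -AutoSize
Get-StrongKdcValidation
```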
The following table shows which certificate template can be used for CAs running different versions of Windows, based on which version of Windows the domain controller is running.
| Domain controller | Windows 2000 Server–based CA (version 1 only) | Windows Server 2003–based CA | Windows Server 2008–based CA |
|---|---|---|---|
| Windows 2000 Server (enroll for version 1 templates only) | Domain Controller | Domain Controller | Domain Controller |
| Windows Server 2003 | Domain Controller | Domain Controller, or Domain Controller Authentication and Directory E-mail Replication | Kerberos Authentication, or Domain Controller Authentication and Directory E-mail Replication |
| Windows Server 2008 | Domain Controller | Domain Controller, or Domain Controller Authentication and Directory E-mail Replication | Kerberos Authentication and Directory E-mail Replication |
Note
If the CA administrator has not manually assigned the Domain Controller Authentication and Directory E-mail Replication certificate templates to a Windows Server 2003–based CA or a Windows Server 2008–based CA, domain controllers running Windows Server 2003 still use the default Domain Controller certificate template. If a Windows Server 2008–based CA is available and configured to issue the Kerberos Authentication template, a domain controller running Windows Server 2003 or Windows Server 2008 will enroll for a Kerberos Authentication certificate, even if it already has a Domain Controller Authentication certificate.
The Kerberos Authentication certificate template is fully backward-compatible with the previous domain controller templates; for example, when the domain controller has a Kerberos Authentication certificate, smart card logon can be performed even with a client computer running Windows 2000 Professional.
OCSP Response Signing Template
The second new template introduced in Windows Server 2008 is the OCSP Response Signing template. An Online Responder based on the OCSP standard is an optional component in Windows Server 2008. This template issues certificates for computers running an Online Responder, enabling the Online Responder to provide signed responses to client computers requesting revocation information on certificates issued by the same CA that signed the OCSP signing certificate. The characteristics of OCSP signing certificates are:
The "OCSP Signing" entry exists in the enhanced key usage extension.
Revocation is not selected (no authority information access or CRL distribution point extensions).
By default, the validity period is two weeks.
The Network Service account on the computer to which the OCSP signing certificate is issued will be granted Read permission on the private key by default. This allows the OCSP service to use the private key.
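As an added example (not code from the Microsoft page), this function tests a certificate against the characteristics listed above for OCSP signing certificates: the OCSP Signing EKU, no authority information access or CRL distribution point extensions, the OCSP no-revocation-checking extension, and a validity period of at most two weeks. It assumes PowerShell 3.0 or later and the well-known OIDs named in the code, which the page does not quote.

```powershell
# Added example, not code from the Microsoft page. Assumes PowerShell 3.0+ and
# these well-known OIDs (not quoted on the page).
$OcspSigningEku  = '1.3.6.1.5.5.7.3.9'     # id-kp-OCSPSigning
$OcspNoCheckOid  = '1.3.6.1.5.5.7.48.1.5'  # id-pkix-ocsp-nocheck ("no revocation checking")
$AiaOid          = '1.3.6.1.5.5.7.1.1'     # authority information access
$CdpOid          = '2.5.29.31'             # CRL distribution points
$EkuOid          = '2.5.29.37'             # extendedKeyUsage
$MaxValidityDays = 14                      # "by default, the validity period is two weeks"

function Test-OcspSigningCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $oids   = @($Cert.Extensions | ForEach-Object { $_.Oid.Value })
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $ekus = @()
    if ($ekuExt) {
        $typed = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
        $ekus  = @($typed.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }
    $validityDays = ($Cert.NotAfter - $Cert.NotBefore).TotalDays
    $r = [ordered]@{
        Subject           = $Cert.Subject
        Issuer            = $Cert.Issuer      # should be the CA whose certificates it vouches for
        HasOcspSigningEku = $ekus -contains $OcspSigningEku
        HasOcspNoCheck    = $oids -contains $OcspNoCheckOid
        NoAiaExtension    = -not ($oids -contains $AiaOid)
        NoCdpExtension    = -not ($oids -contains $CdpOid)
        ValidityDays      = [math]::Round($validityDays, 1)
        ShortLived        = $validityDays -le $MaxValidityDays
    }
    $r.Compliant = $r.HasOcspSigningEku -and $r.HasOcspNoCheck -and
                   $r.NoAiaExtension -and $r.NoCdpExtension -and $r.ShortLived
    [pscustomobject]$r
}

# Check every local-machine certificate that carries the OCSP Signing EKU.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $OcspSigningEku } |
    ForEach-Object { Test-OcspSigningCertificate -Cert $_ } |
    Format-List
```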
For more information about the Online Responder and OCSP in Windows Server 2008, see Installing, Configuring, and Troubleshooting the Online Responder (Microsoft's OCSP Responder) (https://go.microsoft.com/fwlink/?LinkId=101269).
Default Templates
When a Windows Server 2008–based CA is installed, a set of default certificate templates is assigned to the CA so that the CA is immediately able to issue certificates for those templates.
Note
This behavior can be changed by setting the LoadDefaultTemplates=0 parameter in the CAPolicy.inf file prior to CA installation.
The list of which default templates are assigned has been updated in Windows Server 2008. The following table shows the default templates in Windows Server 2008 and Windows Server 2003.
| Template name | Windows Server 2003 | Windows Server 2008 |
|---|---|---|
| Administrator | X | X |
| Basic EFS | X | X |
| Computer | X | X |
| Directory E-mail Replication | | X |
| Domain Controller | X | X |
| Domain Controller Authentication | | X |
| EFS Recovery Agent | X | X |
| Kerberos Authentication | | X |
| Subordinate Certification Authority | X | X |
| User | X | X |
| Web Server | X | X |
In AD CS, the following preconfigured certificate templates are listed in the Certificate Templates snap-in.
Note
The Kerberos Authentication and OCSP Response Signing templates are new in Windows Server 2008 and were not installed by default with Windows Server 2003 enterprise CAs.
Default templates in Windows Server 2008
| Name | Description | Key usage | Subject type | Applications used for enhanced key usage | Template version |
|---|---|---|---|---|---|
| Administrator | Allows trust list signing and user authentication | Signature and encryption | User | Microsoft trust list signing, Encrypting File System (EFS), Secure e-mail, Client authentication | 4.1 |
| Authenticated Session | Allows subjects to authenticate to a Web server | Signature | User | Client authentication | 3.1 |
| Basic EFS | Used by EFS to encrypt data | Encryption | User | EFS | 3.1 |
| CA Exchange | Used to protect private keys as they are sent to the CA for private key archival | Encryption | Computer | Private key archival | 106.0 |
| CEP Encryption | Allows the holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests; used by the Network Device Enrollment Service for its key exchange certificate | Encryption | Computer | Certificate request agent | 4.1 |
| Code Signing | Used to digitally sign software | Signature | User | Code signing | 3.1 |
| Computer | Allows a computer to authenticate itself on the network | Signature and encryption | Computer | Client authentication, Server authentication | 5.1 |
| Cross-Certification Authority | Used for cross-certification and qualified subordination | Signature, Certificate signing, CRL signing | Cross-certified CA | | 105.0 |
| Directory E-mail Replication | Used to replicate e-mail within AD DS | Signature and encryption | Directory e-mail replication | Directory service e-mail replication | 115.0 |
| Domain Controller | Used by domain controllers as all-purpose certificates; superseded by two separate templates, Domain Controller Authentication and Directory E-mail Replication | Signature and encryption | Directory e-mail replication | Client authentication, Server authentication | 4.1 |
| Domain Controller Authentication | Used to authenticate Active Directory computers and users | Signature and encryption | Computer | Client authentication, Server authentication, Smart card logon | 110.0 |
| EFS Recovery Agent | Allows the subject to decrypt files that are encrypted with EFS | Encryption | User | File recovery | 6.1 |
| Enrollment Agent | Used to request certificates on behalf of another user | Signature | User | Certificate request agent | 4.1 |
| Enrollment Agent (Computer) | Used to request certificates on behalf of another computer | Signature | Computer | Certificate request agent | 5.1 |
| Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another user and supply the user name in the request; used by the Network Device Enrollment Service for its enrollment agent certificate | Signature | User | Certificate request agent | 4.1 |
| Exchange Signature Only | Used by the Microsoft Exchange Key Management service to issue certificates to Exchange users for digitally signing e-mail | Signature | User | Secure e-mail | 6.1 |
| Exchange User | Used by the Microsoft Exchange Key Management service to issue certificates to Exchange users for encrypting e-mail | Encryption | User | Secure e-mail | 7.1 |
| IPSec | Used by IP security (IPsec) to digitally sign, encrypt, and decrypt network communication | Signature and encryption | Computer | IPsec Internet Key Exchange (IKE) intermediate | 8.1 |
| IPSec (Offline request) | Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request. The Network Device Enrollment Service in Windows Server 2008 uses this template by default for device certificates | Signature and encryption | Computer | IPsec IKE intermediate | 7.1 |
| Kerberos Authentication | New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers | Signature and encryption | Computer | Client authentication, Server authentication, Smart card logon, KDC authentication | 110.0 |
| Key Recovery Agent (KRA) | Recovers private keys that are archived on the CA; for more information, see Key archival and recovery (https://go.microsoft.com/fwlink/?LinkID=89551) | Encryption | Key recovery agent | Key recovery agent | 105.0 |
| OCSP Response Signing | New in Windows Server 2008, this template issues certificates used by the OCSP service provider to sign OCSP responses; by default, these certificates contain a special OCSP no revocation checking extension and no authority information access or CRL distribution point extensions | Signature | Computer | OCSP signing | 101.0 |
| Remote Access Service (RAS) and Internet Authentication Service (IAS) Server | Enables RAS and IAS servers to authenticate their identity to other computers | Signature and encryption | Computer | Client authentication, Server authentication | 101.0 |
| Root CA | Used to prove the identity of the root CA | Signature, Certificate signing, CRL signing | CA | | 5.1 |
| Router (Offline request) | Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate | Signature and encryption | Computer | Client authentication | 4.1 |
| Smart Card Logon | Allows the holder to authenticate its identity by using a smart card | Signature and encryption | User | Client authentication, Smart card logon | 6.1 |
| Smart Card User | Allows the holder to authenticate its identity and protect e-mail by using a smart card | Signature and encryption | User | Secure e-mail, Client authentication, Smart card logon | 11.1 |
| Subordinate CA | Used to prove the identity of the subordinate CA; it is issued by the parent or root CA | Signature, Certificate signing, CRL signing | CA | | 5.1 |
| Trust List Signing | Allows the holder to digitally sign a trust list | Signature | User | Microsoft trust list signing | 3.1 |
| User | Used by users for e-mail, EFS, and client authentication | Signature and encryption | User | EFS, Secure e-mail, Key usage | 3.1 |
| User Signature Only | Allows users to digitally sign data | Signature | User | Secure e-mail, Client authentication | 4.1 |
| Web Server | Proves the identity of a Web server | Signature and encryption | Computer | Server authentication | 4.1 |
| Workstation Authentication | Enables client computers to authenticate their identity to servers | Signature and encryption | Computer | Client authentication | 101.0 |