Issuing Certificates Based on Certificate Templates
Applies To: Windows Server 2008
Active Directory Certificate Services (AD CS) supports a variety of enrollment and renewal methods, including autoenrollment without any client interaction and interactive enrollment methods such as the Certificate Request Wizard and the AD CS Web pages.
Note
If you deploy non-Microsoft certification authorities (CAs) or custom certificate enrollment and renewal applications, you must perform any configuration required for those CAs and applications.
How a certificate is obtained by a client is controlled in large part by the security properties of the certificate template.
Each certificate template published in Active Directory carries an access control list (ACL) that defines the specific operations a subject (a user, computer, or group) can perform on that template, including whether it can enroll for certificates based on it.
Setting | Description
---|---
Full Control | The selected group or user can perform any action on this template.
Read | The selected group or user can read this template.
Write | The selected group or user can modify this template.
Enroll | The selected group or user can submit a certificate issuance or renewal request based on this template.
Autoenroll | The selected group or user can submit a certificate request based on this template by way of autoenrollment.
The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll, and Autoenroll permissions.
If you do not want to autoenroll users but do want to make manual or Web-based enrollment available, granting only the Read and Enroll permissions is appropriate.
When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.
Write and Full Control permissions should be restricted to CA managers, because any principal that can modify a template can change what the template issues and who is allowed to enroll for it. Review template ACLs periodically to ensure the templates are not improperly configured.
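The following PowerShell script is an added example, not part of the original article, that audits the permissions described in the table above. It reads every template from the Certificate Templates container in the Configuration partition, resolves the Enroll and Autoenroll extended-right GUIDs from the schema rather than hard-coding them, and reports which principals hold Full Control, Write, Enroll, or Autoenroll on each template. It assumes a domain-joined machine, a caller with read access to the Configuration partition, and the standard container names used by AD CS; the function and variable names are this example's own.

```powershell
# Added example (not from the original article): report who holds Full Control, Write,
# Enroll and Autoenroll on each certificate template published in the forest.
# Assumes a domain-joined machine and read access to the Configuration partition.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext

# Resolve the Enroll / AutoEnroll extended-right GUIDs from the Extended-Rights container
# instead of hard-coding them, so the script works with whatever the schema defines.
$rightGuids = @{}
$rightsContainer = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
foreach ($right in $rightsContainer.Children) {
    $name = [string]$right.displayName
    if ($name -eq 'Enroll' -or $name -eq 'AutoEnroll') {
        $rightGuids[[guid]([string]$right.rightsGuid)] = $name
    }
}

function Get-TemplateAceLabels {
    # Map one Allow ACE on a template to the labels shown in the template's Security tab.
    param(
        [System.DirectoryServices.ActiveDirectoryAccessRule]$Ace,
        [hashtable]$RightGuids
    )
    $labels = @()
    $rights = $Ace.ActiveDirectoryRights
    $all    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    if (($rights -band $all) -eq $all) { return @('Full Control') }

    $writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
    if (($rights -band $writeMask) -ne 0) { $labels += 'Write' }

    if (($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
        if ($Ace.ObjectType -eq [guid]::Empty) {
            # An ACE granting all extended rights implicitly grants Enroll and AutoEnroll.
            $labels += $RightGuids.Values
        } elseif ($RightGuids.ContainsKey($Ace.ObjectType)) {
            $labels += $RightGuids[$Ace.ObjectType]
        }
    }
    return $labels
}

$templatesContainer = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$report = foreach ($template in $templatesContainer.Children) {
    $acl = $template.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $labels = Get-TemplateAceLabels -Ace $ace -RightGuids $rightGuids
        if ($labels.Count -eq 0) { continue }   # e.g. a Read-only ACE; not interesting for this audit
        [pscustomobject]@{
            Template    = [string]$template.cn
            Principal   = $ace.IdentityReference.Value
            Permissions = ($labels | Sort-Object -Unique) -join ', '
        }
    }
}

# Anything other than CA managers holding Write or Full Control deserves a second look.
$report | Sort-Object Template, Principal | Format-Table -AutoSize
$report | Where-Object { $_.Permissions -match 'Write|Full Control' } |
    Format-Table Template, Principal, Permissions -AutoSize
```

The script deliberately ignores Read-only ACEs and Deny ACEs; if you need the full picture, drop the `AccessControlType` and `Count` checks. Compare the second listing against your list of CA managers: every other principal with Write or Full Control can alter the template's enrollment settings.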