Default Certificate Templates
Applies To: Windows Server 2008
A number of preconfigured certificate templates that are designed to meet the needs of most organizations are included with Windows Server® 2008–based enterprise certification authorities (CAs). These templates are described in the following table.
Name | Description | Key usage | Subject type | Published to Active Directory Domain Services (AD DS)? | Template version |
---|---|---|---|---|---|
Administrator | Allows trust list signing and user authentication. | Signature and encryption | User | Yes | 1 |
Authenticated Session | Allows the subject to authenticate to a Web server. | Signature | User | No | 1 |
Basic EFS | Used by Encrypting File System (EFS) to encrypt data. | Encryption | User | Yes | 1 |
CA Exchange | Used to store keys that are configured for private key archival. | Encryption | Computer | No | 2 |
CEP Encryption | Allows the certificate holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests. | Encryption | Computer | No | 1 |
Code Signing | Used to digitally sign software. | Signature | User | No | 1 |
Computer | Allows a computer to authenticate itself on the network. | Signature and encryption | Computer | No | 1 |
Cross-Certification Authority | Used for cross-certification and qualified subordination. | Signature | Cross-certified CA | Yes | 2 |
Directory E-mail Replication | Used to replicate e-mail within AD DS. | Signature and encryption | DirEmailRep | Yes | 2 |
Domain Controller | Used by domain controllers as all-purpose certificates. | Signature and encryption | DirEmailRep | Yes | 1 |
Domain Controller Authentication | Used to authenticate Active Directory computers and users. | Signature and encryption | Computer | No | 2 |
EFS Recovery Agent | Allows the subject to decrypt files that were previously encrypted with EFS. | Encryption | User | No | 1 |
Enrollment Agent | Used to request certificates on behalf of another subject. | Signature | User | No | 1 |
Enrollment Agent (Computer) | Used to request certificates on behalf of another computer subject. | Signature | Computer | No | 1 |
Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request. | Signature | User | No | 1 |
Exchange Signature Only | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail. | Signature | User | No | 1 |
Exchange User | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail. | Encryption | User | Yes | 1 |
IPSEC | Used by Internet Protocol security (IPsec) to digitally sign, encrypt, and decrypt network communication. | Signature and encryption | Computer | No | 1 |
IPSEC (Offline request) | Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request. | Signature and encryption | Computer | No | 1 |
Kerberos Authentication | Used to authenticate Active Directory computers and users. | Signature and encryption | Computer | No | 2 |
Key Recovery Agent | Recovers private keys that are archived on the CA. | Encryption | Key recovery agent | No | 2 |
OCSP Response Signing | Used by an Online Responder to sign responses to certificate status requests. | Signature | Computer | No | 3 |
RAS and IAS Server | Enables remote access servers and Internet Authentication Service (IAS) servers to authenticate their identity to other computers. | Signature and encryption | Computer | No | 2 |
Root Certification Authority | Used to prove the identity of the root CA. | Signature | CA | No | 1 |
Router (Offline request) | Used by a router when requested through a SCEP request from a CA that holds a CEP Encryption certificate. | Signature and encryption | Computer | No | 1 |
Smartcard Logon | Allows the holder to authenticate by using a smart card. | Signature and encryption | User | No | 1 |
Smartcard User | Allows the holder to authenticate and protect e-mail by using a smart card. | Signature and encryption | User | Yes | 1 |
Subordinate Certification Authority | Used to prove the identity of the root CA. It is issued by the parent or root CA. | Signature | CA | No | 1 |
Trust List Signing | Allows the holder to digitally sign a trust list. | Signature | User | No | 1 |
User | Used by users for e-mail, EFS, and client authentication. | Signature and encryption | User | Yes | 1 |
User Signature Only | Allows users to digitally sign data. | Signature | User | No | 1 |
Web Server | Proves the identity of a Web server. | Signature and encryption | Computer | No | 1 |
Workstation Authentication | Enables client computers to authenticate their identity to servers. | Signature and encryption | Computer | No | 2 |
When you duplicate a version 1 or version 2 certificate template, you can make the duplicate a version 2 or version 3 template in order to configure the advanced options available with the later versions. However, version 3 certificate templates can only be issued by Windows Server 2008–based enterprise CAs and used by clients on computers running Windows Server 2008 or Windows Vista®. For more information, see Certificate Template Versions.
For information about configuration options for certificate templates, see Configuring a Certificate Template.