When you create an enterprise CA on Windows Server, certificates can be generated through a certificate template system.
Certificate templates are sets of rules and settings configured on your enterprise certificate authority on Windows Server.
Warning: certificate templates only exist on an enterprise certification authority (which is therefore joined to an Active Directory domain), not on a standalone certification authority (which is not linked to Active Directory).
When your certification authority receives a certificate request, it must apply a set of rules and settings to issue or renew the requested certificate so that it's valid for the intended use (for example: protecting a web server or proving the identity of a user).
This also ensures that the client submits a valid certificate signing request (CSR).
The advantage of an enterprise certification authority is that it's linked to Active Directory.
This means that its certificate and its certificate templates are also stored in your Active Directory infrastructure, specifically in the "Configuration" partition.
This means that these certificate templates can be used by any enterprise CA in your Active Directory forest.
This also allows your enterprise certification authority to retrieve information about the client (user, computer, etc.) that submitted a certificate request directly from your Active Directory infrastructure.
On Windows Server, there are 4 versions of certificate templates:
Note that certificate template versioning has changed since Windows Server 2012.
Important: as you will see below, some versions of certificate templates are editable and others are not.
Nevertheless, we strongly recommend that you don't modify the pre-installed ones, but create a copy of the desired template if you want to modify it.
Indeed, if you modify the pre-installed ones, you may run into problems later when you create certificate templates for third-party solutions whose official documentation is based on one of these pre-installed certificate templates.
Certificate templates in version 1 are supported by all certification authorities on Windows Server.
These are installed automatically during your CA installation and therefore can't be changed or removed.
Version 1 certificate templates can be:
These version 1 certificate templates are available on Windows Server 2000, 2003, 2003 R2, 2008 and 2008 R2 (all editions) and later.
Important: since you can't modify a version 1 certificate template, you will have to duplicate it if you want to modify it.
In addition, the copy of a version 1 certificate template becomes a version 2 or 3 certificate template, which can be modified.
Version 2 certificate templates have been available since Windows Server 2003 and provide support for automatic certificate enrollment.
These version 2 certificate templates can be:
These version 2 certificate templates are available on Windows Server 2003, 2003 R2, 2008 (Enterprise and Datacenter) and on Windows Server 2008 R2 (all editions) and later.
Important: it's technically possible to modify most of the parameters of a version 2 certificate template without needing to duplicate it.
Nevertheless, as explained before, you should not modify the pre-installed ones, but rather modify a copy of them.
Indeed, some third-party solutions require a certificate template that doesn't exist yet. In this case, it's enough to consult the official documentation of this solution to create the new certificate template based on one of the pre-installed certificate templates.
However, if you have modified the pre-installed one, you will not be able to correctly enroll the certificate you need.
Version 3 certificate templates have been available since Windows Server 2008 and provide the same features as version 2 certificate templates, as well as automatic certificate enrollment.
In addition to these features, version 3 certificate templates also provide support for Suite B cryptographic algorithms, which adds support for key exchange, encryption, digital signatures, and hashing.
These version 3 certificate templates are available on Windows Server 2008 (Enterprise and Datacenter), 2008 R2 (all editions) and later.
Important: version 3 certificate templates can't be used to issue certificates via the web interface of your certification authority.
If you want to enroll (issue) a certificate using a version 3 certificate template, you can do so, for example, from the "Certificates" snap-in that you can add to an "mmc" console.
Version 4 certificate templates have been available since Windows Server 2012 and provide new options:
Also, since Windows Server 2012, certificate template versioning has changed.
Indeed, previously, you had to select the version of the certificate template that you wanted to create.
But since Windows Server 2012, this window no longer appears and you have to use the settings available in the "Compatibility" tab instead.
When you modify the version of the certification authority or the certificate recipient in the "Compatibility" tab of the new template being created, this influences the options that will or will not be available in the other tabs.
When you modify these values, a "Resulting changes" window will appear and tell you which options will be added or removed from the future certificate template.
The "These settings may not prevent earlier operating systems from using this template" message means that changing these compatibility settings will not affect the version of the certificate template, although duplicating a version 1 certificate template will always produce a version 2 or 3 certificate template.
On the other hand, as soon as you select at least "Windows Server 2012" for these 2 compatibility settings, a version 4 certificate template will be created.
Note that the version of the schema (certificate template) is chosen when the template is created and that it will therefore not change if you try to modify this new certificate template later.
Warning: version 4 certificate templates will not appear on your certification authority's web enrollment pages.
If you select "Windows Server 2012" for the "Certification Authority" and "Certificate Recipient" compatibility settings, a version 4 certificate template will be created.
On the other hand, if one of these settings is configured with a value prior to "Windows Server 2012", the version used (2 or 3) will depend on the cryptographic provider selected in the "Encryption" tab:
As you can see from the "Certification Authority" console, several certificate templates can be issued by default.
In other words, only these (by default) will be visible from the "Certificate Enrollment" wizard of the "mmc" console, as well as from the web interface of your certification authority (if this web interface is installed).
However, note that you will also need adequate permissions to be able to use them. Also, the web interface may not display all certificate templates (as explained previously).
To see the complete list of certificate templates available on Windows Server, right-click "Certificate Templates" and select "Manage".
Note: in a production environment, it may be worthwhile to remove from the list of templates to be issued those that you don't intend to use.
As you can see, many certificate templates (33 in the case of Windows Server 2016) are available.
Among the widely used certificate templates, you will find:
As you can see, there are several schema versions (certificate template versions).
Most are version 1 and will become at least version 2 when you duplicate them (as explained before); the others are version 2 or 3.
As you can see, version 1 templates are not editable (unless you duplicate them to be able to edit the copy of them).
Version 2 certificate templates are editable.
Important: we recommend that you do NOT modify the pre-installed ones, but rather duplicate them if necessary so that you modify a copy and not the original.
Indeed, as explained previously, the vendor of a professional solution may ask you to start from an existing certificate template and then modify specific settings on the copy so that the certificate is valid for that solution.
However, if you have modified the original certificate template, you may have problems in the future.
As you will see, certificate templates contain a lot of settings, as well as the permissions applied to them.
For this example, we duplicate the "Web Server" certificate template.
To begin with, starting with Windows Server 2012, you will have the option to choose the compatibility of this certificate template, unlike previous versions of Windows Server where you had to select the certificate template version you wanted to create.
The "Show resulting changes" checkbox simply enables the display of a "Resulting changes" window listing the features added or removed according to the values selected for these compatibility settings.
Warning: as indicated previously, if you select at least "Windows Server 2012" for these 2 compatibility options, a version 4 certificate template will be created.
This means that it will not appear in the web interface of your certification authority (if applicable).
As a workaround, select "Windows Server 2008 R2" for the "Certification Authority" compatibility setting when creating this new certificate template.
In the "General" tab, you can specify:
Important: for a certificate to be renewed, 80% of its validity period must have passed.
In the example below, our certificate will be valid for 2 years (= 2 x 52 weeks = 104 weeks) and it will be renewed 6 weeks before its expiry date (so at week 98).
If you calculate 80% of 104 weeks, you will see that this corresponds to : 83.2 weeks (104 / 100 x 80).
The renewal will therefore take place after 80% of this certificate's validity period has elapsed, which respects the Microsoft recommendation: Recommended values of validity period and renewal period.
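As an added example (not code from the original article), this PowerShell script reads the certificate templates from the "Configuration" partition described earlier, shows each template's schema version, and checks its validity and renewal periods against the 80% rule above. It assumes a domain-joined machine with read access to the Configuration partition; the function names are my own.

```powershell
# Added example: audit certificate template validity and renewal periods read from the
# AD Configuration partition, where an enterprise CA stores its templates.
# Assumes a domain-joined machine; by default any authenticated domain user can read these.

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod and pKIOverlapPeriod are 8-byte little-endian negative
    # intervals counted in 100-nanosecond ticks.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return [TimeSpan]::Zero }
    return [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-FirstValue($Properties, [string]$Name) {
    # DirectorySearcher exposes property names in lowercase; missing ones are empty
    if ($Properties[$Name].Count -gt 0) { return $Properties[$Name][0] }
    return $null
}

function Get-CertTemplateValidityReport {
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $root = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(objectClass=pKICertificateTemplate)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@("cn", "msPKI-Template-Schema-Version", "pKIExpirationPeriod", "pKIOverlapPeriod"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $validity = ConvertFrom-PkiPeriod (Get-FirstValue $p "pkiexpirationperiod")
        $renewal  = ConvertFrom-PkiPeriod (Get-FirstValue $p "pkioverlapperiod")
        # Renewal only starts once 80% of the validity period has passed, so the
        # renewal period must not exceed 20% of the validity period.
        $maxRenewal = [TimeSpan]::FromTicks([long]($validity.Ticks * 0.2))
        [pscustomobject]@{
            Template      = [string](Get-FirstValue $p "cn")
            SchemaVersion = [int](Get-FirstValue $p "mspki-template-schema-version")
            ValidityWeeks = [math]::Round($validity.TotalDays / 7, 1)
            RenewalWeeks  = [math]::Round($renewal.TotalDays / 7, 1)
            RenewalOk     = ($renewal -le $maxRenewal)
        }
    }
}

# The article's 2-year validity / 6-week renewal template shows RenewalOk = True;
# a template with RenewalOk = False would never reach its renewal window.
Get-CertTemplateValidityReport | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```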
In the "Request Handling" tab, you will find several options that allow, for example:
Note that the greyed-out options marked with an asterisk (*) are the ones you can't modify because of the values selected for the compatibility settings in the "General" tab.
To access them, you will need to raise these values.
In the "Extensions" tab, you will find several advanced options that you should only change if the vendor of the solution you want to secure asks you to, or if you know exactly what you are doing.
However, for the "Web Server" certificate template, you will see that the application policy used is: Server authentication.
This allows the client to authenticate the server, in other words to be sure that it connects to the correct server and not to an attacker's server that tries to impersonate the intended one.
In the "Security" tab, you will see that the "Authenticated Users" group only has a "Read" right.
This is necessary so that you can see the certificate templates available through the "mmc" console's certificate enrollment wizard or in your CA's web interface.
On the other hand, users will not be able to enroll certificates, because they don't have the enrollment rights (Enroll or Autoenroll).
If you select the "Domain Admins" group, you will see that domain administrators can:
Warning: you can only enroll certificates from a computer or server that is allowed to enroll certificates.
This means that, by default, you will be able to enroll certificates while logged in as a domain admin on your CA, but not remotely through the "mmc" console (for example).
If you wish to enroll a certificate using this certificate template remotely (via the "mmc" console), you will also need to grant the "Enroll" right for the computer account from which you will attempt to enroll the certificate.
Difference between "Enroll" and "Autoenroll":
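As an added example (not from the original article), this PowerShell script lists the principals that hold the "Enroll" or "Autoenroll" right on a template's ACL, which is the check to run before expecting enrollment (local or remote, as discussed above) to work. It assumes a domain-joined machine; the template CN "WebServer" and the function name are assumptions for illustration.

```powershell
# Added example: list which principals hold "Enroll" or "Autoenroll" on a certificate
# template, by reading the template object's ACL in the AD Configuration partition.
# Assumes a domain-joined machine. $TemplateName is the template's CN, not its display
# name: the built-in "Web Server" template's CN is "WebServer"; use your copy's CN here.
$TemplateName = "WebServer"

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [guid]"0e10c968-78fb-11d2-90d4-00c04f79dc55"
$AutoenrollGuid = [guid]"a05b8cc2-17bc-11d2-91a7-00c04f79dc55"

function Get-CertTemplateEnrollmentRights {
    param([Parameter(Mandatory)][string]$Name)
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $template = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights = $rule.ActiveDirectoryRights
        $full = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
        $ext  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        # An ExtendedRight ACE with an empty ObjectType grants every extended right,
        # so it implies both Enroll and Autoenroll, just like GenericAll (Full Control).
        $allExt     = $ext -and ($rule.ObjectType -eq [guid]::Empty)
        $enroll     = $full -or $allExt -or ($ext -and ($rule.ObjectType -eq $EnrollGuid))
        $autoenroll = $full -or $allExt -or ($ext -and ($rule.ObjectType -eq $AutoenrollGuid))
        # Skip read-only ACEs such as the default "Authenticated Users" entry
        if (-not ($enroll -or $autoenroll)) { continue }
        [pscustomobject]@{
            Principal  = $rule.IdentityReference.Value
            Enroll     = $enroll
            Autoenroll = $autoenroll
            Inherited  = $rule.IsInherited
        }
    }
}

# A computer account that must enroll remotely should appear here with Enroll = True
Get-CertTemplateEnrollmentRights -Name $TemplateName | Sort-Object Principal | Format-Table -AutoSize
```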
In the "Subject Name" tab, you can choose whether: