How To Publish A Certificate Template To The Ca Website
In a previous article, I showed you how to build a fully-functional two-tier PKI environment. If you followed it all the way to the end and stopped, you had the most basic possible two-tier Windows Public Key Infrastructure (PKI) system. Now, I want to move you forward by showing you how to create and manage certificate templates. Certificate templates add a great deal of flexibility to your PKI environment and help to greatly reduce management overhead.
I used "SSL" in the title because most people associate that label with certificates. For the rest of the article, I will use the more apt "PKI" label.
Why Do I Need PKI Document Templates?
I feel that certificate templates make more sense when you have a glimpse of life without them. Pay a quick visit to the IETF's documentation on RFC 5280. Scroll down to section 4. Skim section 4, taking notice of the rules around the various object identifiers (OIDs). At least a subset of these rules applies to every X.509-compliant certificate (or, more correctly, a base rule set applies to all and the rest are optional). All the seemingly small things that we concern ourselves with, such as ensuring that a web site encrypts client traffic, come from an OID. If you want, you could hand-design a perfect combination of identifiers. It would apply to one usage. You would then need to modify it or rebuild it for every other use.
The OpenSSL tool solves this problem with sections in its cnf files. With research and practice, you can use them to manage certificate issuance effectively. You can follow the link in the introductory paragraph to see the way that I used them.
Microsoft built out a graphical system as their solution. I feel that it does mask away some functionality and perhaps makes some things more difficult than necessary. However, it substantially eases the overall process. Most uses do not require in-depth knowledge of the tool or certificates, and it has pre-defined templates that you can use immediately or copy. With experience and research, you can design certificates for advanced uses. Once you have the templates, requesting and issuing certificates based on them is trivial.
The Basics of Windows PKI Certificate Templates
You follow three basic steps to make a Windows PKI Certificate Template ready to use:
- Select or create a template to deploy.
- Configure settings and security on the template to control its usage and enrollment scope.
- Make the certificate template available for assignment on your certificate server(s).
If you want to configure the certificate, do that after step 1. We'll walk through each of these steps in more detail. Once you have an understanding of the process, you just need to remember these three steps.
Notes: These directions were written using a system built from the instructions in the article linked in the introductory paragraph. You do not necessarily need the same design, but you may need to adjust your procedure. I doubt much of this will work if your certification authority is not Active Directory-integrated (Enterprise CA vs. Stand-alone CA).
Selecting or Creating a PKI Certificate
Your initial goal is to select or create a template with the necessary configuration to issue the kind of certificate that you want. For this walkthrough, we will create a certificate template that you can use with regular computers via autoenroll.
Start on a system with the Certification Authority Management Tools installed. If you run a GUI installation of Windows as your certificate server, you probably installed those tools along with the Certification Authority role. Otherwise, you will find it as an installable role in the standard Remote Server Administration Tools package.
- As a domain or enterprise administrator, open the Certification Authority tool under Windows Administrative Tools.
- If not running locally on the certification authority, right-click on Certification Authority and click Retarget Certification Authority. Connect to the target certificate authority.
- Expand the tree in the left pane. Right-click Certificate Templates. Click Manage. That will open the Certificate Templates Console. (You can add this console directly to MMC; since you rarely work with templates separately from the authority, it makes sense to start there.)
If you have not seen this screen before, I recommend that you take some time to familiarize yourself. Take care that you do not make changes to any of the default templates at this time. Some things to note:
- If you look at the full text of the root object (the only item in the left pane), you'll see that it connected to a domain controller. Domain controllers hold the templates, not CAs.
- Each of these certificate templates serves a purpose that Microsoft defined, but they often use regular OIDs.
- You can right-click on the root node and click View Object Identifiers to see the Microsoft-specific OIDs. Copying one to the clipboard allows you to use that OID in non-Microsoft contexts.
- Double-click on any template to view its properties. Compare templates to each other, especially those that use different schema versions.
- The Compatibility tab shows different Windows versions. Version compatibility primarily controls which features will be made available to certificates based on this template. If you open one of the oldest certificate templates (schema 1), you will see that it has fewer tabs than newer templates. In other cases, you can access the tabs but not alter one or more settings due to a compatibility block. If you leave Show resulting changes checked on the Compatibility tab, then switch through the different choices, it will show you the differences.
- You cannot create an all-new template. You can only duplicate existing ones.
Security Settings for Certificate Templates
Certificate templates have a great many settings. I think that you can figure out most of them easily enough. You can find details on most of the rest through some Internet searches. I do want to spend some time going over the security settings, though. Let's take a look at the Security tab:
I want to draw your attention to two permissions in particular: Enroll and Autoenroll.
- Enroll: Accounts with the Enroll permission can use any available method to request certificates from CAs that host this template. The exact methods vary, sometimes by options set on the certificate template, but include MMC, certreq.exe, and the request web site.
- Autoenroll: Accounts will request all available certificates during group policy refresh. If they have Autoenroll permissions on a certificate and it falls within policy scope, the CA will issue the certificate.
I will explain the request and enroll procedures in a forthcoming article. If you want to skip ahead to autoenroll, just remember that it requires a combination of permissions on the template and an applied group policy that enables autoenroll.
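Because templates live in Active Directory rather than on the CA, the Enroll and Autoenroll permissions can be reviewed without opening the console. The following PowerShell function is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, read access to the Configuration partition, and that you pass the template's CN (the Template name on the General tab, not the Template display name).

```powershell
# Added example, not part of the original article. Reports who holds the Enroll and
# Autoenroll permissions on a certificate template by reading the template object's
# security descriptor from AD. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TemplateEnrollmentRights {
    param(
        # CN of the template as stored in AD (the "Template name" field, no spaces)
        [Parameter(Mandatory)][string]$TemplateCn
    )
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $template   = Get-ADObject -Identity $templateDn -Properties nTSecurityDescriptor

    # Enroll and Autoenroll are AD extended rights; resolve their GUIDs from the
    # Extended-Rights container rather than hard-coding them.
    $rightNames = @{}
    foreach ($cn in 'Certificate-Enrollment', 'Certificate-AutoEnrollment') {
        $right = Get-ADObject -Identity "CN=$cn,CN=Extended-Rights,$configNc" -Properties rightsGuid
        $rightNames[[guid]$right.rightsGuid] = $cn
    }

    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $rules = $template.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $permission = $null
        if (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
            $permission = 'Full Control (implies Enroll and Autoenroll)'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($extendedRight)) {
            # An empty ObjectType means "all extended rights" on the object
            if ($ace.ObjectType -eq [guid]::Empty) { $permission = 'All extended rights (implies Enroll and Autoenroll)' }
            elseif ($rightNames.ContainsKey($ace.ObjectType)) { $permission = $rightNames[$ace.ObjectType] }
        }
        if ($permission) {
            [pscustomobject]@{
                Template   = $TemplateCn
                Identity   = $ace.IdentityReference.Value
                Permission = $permission
                Access     = $ace.AccessControlType   # Deny entries override Allow entries
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage (placeholder CN): Get-TemplateEnrollmentRights -TemplateCn 'MyComputerTemplate' | Format-Table -AutoSize
```

Review the output for broad groups such as Authenticated Users or Domain Users holding Enroll on templates meant for computers only.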
Impact of Certificate Template Subject Name Choices
On any certificate template that uses a schema version other than 1, switch to the Subject Name tab:
You have two basic choices, Supply in the request or Build from this Active Directory information.
- Supply in the request: If you choose this, you will be able to manually specify the subject name when requesting certificates. This is the only way you can request a certificate using the old web enrollment method. This presents a web page where users can enter certificate request data by hand or upload a certificate signing request. If you select it, you should also set the CA certificate manager approval option on the Issuance Requirements tab. That requires you to manually approve all requests for this template. Otherwise, you have no control over who can request the certificate. You will not be able to use autoenroll to issue new certificates with any template with this option. Furthermore, the web enrollment page has been deprecated; it still works, albeit with multiple issues. Development was halted some time ago. I recommend that you avoid using that feature. However, the "supply" option still has uses. We'll review them later.
- Build from this Active Directory information: This selection allows for all types of enrollment except the aforementioned web enrollment. The above screenshot shows the default and recommended settings for a certificate issued to a computer. I recommend that you prefer this option.
Creating PKI Certificate Templates
Let's get back to our walkthrough. We want to create a certificate template to use on regular domain computers. If you saw the template list, then you might have noticed that it already contains a Workstation Authentication template. If you open its property sheets, you'll find that you can modify it. I recommend that you avoid any changes to any default template. The Certification Authorities use many of them. Editing one permanently impacts any future use, including renewals. You cannot undo those changes.
Therefore, I recommend that you always duplicate an existing template and shape it into a template that specifically suits your needs. I'll show a general introduction to that procedure:
- In the Certificate Templates Console, right-click the Workstation Authentication template and click Duplicate Template.
- That action will immediately open a set of property sheets to configure the newly-copied template. Start by switching to the General tab. Your Template display name will say Copy of Workstation Authentication. Change it to something that suits you. If desired, you may also alter the validity period of the certificate from its default of 1 year. I do not change Renewal period. It establishes a window prior to expiration in which autoenroll will renew. Since we're using an Active Directory-integrated certification authority, select Publish certificate in Active Directory so you can make it available for enrollment.
- Switch to the Compatibility tab. The Show resulting changes checkbox will pop up a dialog every time you alter either of the compatibility settings. The Certification Authority setting governs which Windows Server versions running the Certification Authority role will be able to use all CA-related settings on the certificate template. The Certificate recipient setting does the same for systems that request a certificate from the CA. Note that the compatibility settings have no impact on the systems that will communicate with certified machines, nor will they necessarily prevent a down-level system from having a certificate issued.
- Switch to the Subject Name tab. Because we're making a certificate for autoenroll and will not ever try to use a custom subject name, I chose Build from this Active Directory information.
- Switch to the Security tab. I want to make this available to any computer in my domain, so I added that object to the ACL and granted it Enroll and Autoenroll. If I wanted to let regular users enroll their computers, I could add matching security group(s) and grant them Enroll.
For typical usage, that's enough. Look through the other tabs, though. Most importantly:
- Extensions: Use this tab if you need to control what the certification authority will authorize. Application Policies control the certificate's authorized uses. If you're going through the walkthrough, then this will have Server Authentication and Client Authentication. Typical web server certificates use only Server Authentication. Check the other items on this property sheet.
- Request handling: Use this to control a few aspects of issued certificates. I sometimes use the Allow private key to be exported option, for instance.
- Issuance Requirements: Because of our subject name option in step 4, we don't need to do anything here. Had we chosen the supplied option, anyone with sufficient permissions could request a certificate and use any subject names they like. Personally, I use the Security tab to limit who has access even in those cases. You can use the options on the Issuance Requirements tab to enact tighter control.
Once you have made settings to your liking, click OK. Your new certificate template will now appear in the list.
How to Make a Certificate Template Bachelor on Certification Authorities
Once you have a template created, return to the Certification Authority MMC. Right-click the Certificate Templates node, hover over New, and click Certificate Template to Issue.
Now you just need to select your newly created template.
Your certificate template will now appear in the CA's template list. If you have other CAs that should distribute certificates from this template, repeat this action on them.
Differences for Manually-Named PKI Certificates
When using a certificate created using the above walkthrough, it will always have a subject name that uses the requesting account's Active Directory information. In some cases, you will want to override the subject name. Two of those reasons:
- Web servers: You may want to control the data that a web server exposes in its certificate, especially when it lives in a farm or when it presents the certificate to clients outside of your domain.
- Proxy requesting: You might use a tool on a domain-joined system to request a certificate for a non-domain-joined system. Or, you might use a single MMC session to request multiple certificates for different systems. You definitely don't want invalid data in your certificate.
I mentioned the solution in a couple of places above, but I want to call it out directly for skimmers. You must use the Supply in the request choice on the Subject Name tab. Initial issuance of these certificates cannot occur via autoenroll. However, once a system has a certificate with this setting, it can use autoenroll for renewals if you also enable the Use subject information from existing certificates for autoenrollment renewal requests option. If you use a lower compatibility setting, you may not have that option available.
Using the Supply in the request option does present one potential problem: anyone that can request a certificate based on this template can put anything they like into the subject name field. You can use settings on the Issuance Requirements tab to keep that from getting out of hand. The easiest control is to check CA certificate manager approval. That will cause the CA to hold certificate requests from this template in Pending Requests. You will need to manually approve or deny them.
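The pairing described here and under the Subject Name tab above (Supply in the request together with CA certificate manager approval) can be audited across every template at once. This PowerShell function is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, and the flag bits it tests are the ones Windows stores for those two checkboxes (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag and CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag).

```powershell
# Added example, not part of the original article. Lists templates whose subject name is
# supplied by the requester, whether manager approval is required, and which enterprise
# CAs currently issue them. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Find-SupplyInRequestTemplates {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # Map template CN -> CAs that added it via "Certificate Template to Issue"
    $publishedOn = @{}
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
        -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
    foreach ($ca in $cas) {
        foreach ($cn in @($ca.certificateTemplates)) {
            if (-not $publishedOn.ContainsKey($cn)) { $publishedOn[$cn] = @() }
            $publishedOn[$cn] += $ca.Name
        }
    }

    $templates = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag'
    foreach ($t in $templates) {
        # Subject Name tab "Supply in the request" = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1)
        $supplyInRequest = ([int]$t.'msPKI-Certificate-Name-Flag' -band 0x1) -ne 0
        if (-not $supplyInRequest) { continue }
        # Issuance Requirements tab "CA certificate manager approval" = CT_FLAG_PEND_ALL_REQUESTS (0x2)
        $managerApproval = ([int]$t.'msPKI-Enrollment-Flag' -band 0x2) -ne 0

        $issuers = '(not published on any CA)'
        if ($publishedOn.ContainsKey($t.Name)) { $issuers = $publishedOn[$t.Name] -join ', ' }
        $advice = 'OK: requests are held in Pending Requests'
        if (-not $managerApproval) { $advice = 'Enable manager approval or restrict Enroll on the Security tab' }

        [pscustomobject]@{
            Template        = $t.displayName
            TemplateCn      = $t.Name
            ManagerApproval = $managerApproval
            PublishedOn     = $issuers
            Recommendation  = $advice
        }
    }
}

# Usage: Find-SupplyInRequestTemplates | Sort-Object ManagerApproval | Format-Table -AutoSize
```

Templates that are not published on any CA cannot be requested, but they are worth fixing anyway before someone adds them with Certificate Template to Issue.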
Maintaining Document Templates
Once you have made a template available, even after you have issued certificates from it, you can still modify the template. CAs that have already made the template available will automatically apply the modifications to new certificates. You have a bit of work to do if you want to replace previously-issued certificates.
For auto-enrolled certificates: In the Certificate Templates Console, right-click the newly modified template and click Reenroll All Certificate Holders. This action will update the major version number of the certificate template. Systems that hold this certificate and meet the criteria for autoenroll will replace their existing certificate with the new version at the next policy refresh.
For manually-enrolled certificates, you will need to repeat the enrollment process.
How to Verify a Document's Version
If you want to check that a system has a new certificate, access its local certificate list:
The Expiration Date probably gives away the change. But you can also check the version more conclusively. Double-click the certificate, or right-click it and click Open. Switch to the Details tab and click the Certificate Template Information line item:
The template name and version numbers should match what you see in the Certificate Templates Console:
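To read the same template OID and version numbers from every certificate on a machine without clicking through each one, the following PowerShell snippet decodes the Certificate Template Information extension directly. It is an added example, not code from the original article; it assumes the extension's published DER layout (a SEQUENCE of the template OID, the major version and an optional minor version) and that all lengths are short-form, which holds because this extension is always far smaller than 128 bytes.

```powershell
# Added example, not part of the original article. Decodes the Certificate Template
# Information extension (OID 1.3.6.1.4.1.311.21.7) of each certificate in the local
# machine's Personal store so the template OID and major/minor version can be compared
# with the Certificate Templates Console after "Reenroll All Certificate Holders".
# Layout: SEQUENCE { templateID OID, majorVersion INTEGER, minorVersion INTEGER OPTIONAL }

function ConvertFrom-DerOid([byte[]]$Content) {
    # First content byte packs the first two arcs; the rest are base-128 with a continuation bit.
    $arcs = @([int][math]::Floor($Content[0] / 40), [int]($Content[0] % 40))
    $value = 0
    for ($i = 1; $i -lt $Content.Length; $i++) {
        $value = ($value * 128) + ($Content[$i] -band 0x7F)
        if (($Content[$i] -band 0x80) -eq 0) { $arcs += $value; $value = 0 }
    }
    return ($arcs -join '.')
}

function ConvertFrom-DerInteger([byte[]]$Content) {
    # Big-endian, possibly with a leading 0x00 pad byte; template versions are small numbers.
    $n = 0; foreach ($b in $Content) { $n = ($n * 256) + $b }; return $n
}

function Read-DerSequenceChildren([byte[]]$Raw) {
    # Yields the (Tag, Content) children of a DER SEQUENCE; assumes short-form lengths (< 128).
    $pos = 2   # skip the SEQUENCE tag (0x30) and its one-byte length
    while ($pos -lt $Raw.Length) {
        $len = [int]$Raw[$pos + 1]
        [pscustomobject]@{ Tag = $Raw[$pos]; Content = [byte[]]$Raw[($pos + 2)..($pos + 1 + $len)] }
        $pos += 2 + $len
    }
}

function Get-IssuedTemplateInfo([string]$StorePath = 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        if (-not $ext) { continue }   # schema-1 templates carry a name-only extension instead
        $parts = @(Read-DerSequenceChildren $ext.RawData)
        $minor = 0
        if ($parts.Count -ge 3) { $minor = ConvertFrom-DerInteger $parts[2].Content }
        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            TemplateOid  = ConvertFrom-DerOid $parts[0].Content
            MajorVersion = ConvertFrom-DerInteger $parts[1].Content
            MinorVersion = $minor
        }
    }
}

# Usage: Get-IssuedTemplateInfo | Format-Table Subject, TemplateOid, MajorVersion, MinorVersion
```

A certificate whose MajorVersion is lower than the template's current major version in the console has not yet been replaced by the reenrollment.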
Next Steps
This concludes my instructions on creating, deploying, and managing PKI certificate templates in a Windows environment. Spend some time learning your way around these tools. Set up some templates and acquaint yourself with the settings. Let me know if I did not make anything clear enough.
I still have not shown you how to request and issue certificates in this system. I will write that article next.
Source: https://www.altaro.com/hyper-v/windows-ssl-certificate-templates/