PKI CA – Manage certificate templates

Certificate templates are a feature available on enterprise CA. Certificates templates enable to preconfigure certificate settings for enrollment (or auto enrollment). Enrollment is the process to obtain a certificate signed by the CA. The client that has obtained a certificate by enrollment is called the enrollee.

I will show you how to create a certificate template and configure the CA to respond to enrollment request. In this example I will create a certificate template for WinRM HTTPS using.
In a multi-domain forest, you have to make an extra configuration to manage certificate templates. By default only enterprise admins account or domain admins of the root domain can manage certificate templates, but this is not a requirement. On my side I create always a group where members can manage the CA and templates.

So open an adsiedit.msc console and open a connexion to configuration partition of your domain. Navigate to CN=Public Key Services,CN=Services,CN=Configuration,DC=MY,DC=Domain. Edit properties of the container Certificate Templates and open security tab as below. Add group or user you want to manage certificate templates and add full control permissions.

Add the same permissions to the OID container as below.

Now accounts in GG-CAAdmins can manage certificate templates even if they are not member of enterprise admins or domain admins group.

Create certificate template

Many settings can be modified in certificate templates. I will show you only basic settings.
To manage certificate templates, open a certification authority console and right click on Certificate Templates and select Manage:

In the new console, all certificate templates that are stored in the domain are displayed. This is predefined certificate templates and you can’t delete them. To create a new certificate template you have to duplicate a predefined certificate template and bring modification related to your needs.

So for my example, I want to create a certificate for WinRM over HTTPS. So right click on the Web Server template and select Duplicate template.

The compatibility tab asks you to choose a version for certification authority and certificate recipient. Each version add or remove features in certificates. You should choose compatibility settings according to your certificate using. For example, Hyper-V replica certificates need these parameters set to Windows Server 2012.

Next choose a name for your template. I check the box Publish certificate in Active Directory to sequester certificates in Active Directory.

Next you have some parameters regarding the private key. You can choose the private key usage (signature, encryption or both) or for example if it is exportable. For Hyper-V replica (same example :p), the private key must be exportable to use the same certificate on each host.

On cryptography tab you can choose the minimum key size and the CSP (Cryptographic Service Provider). CSP is a library that contains algorithms to encrypt or unencrypt information.

Next I add a group to manage this template. I use again GG-CAAdmins group.

Because my certificate will be used by all computers of my domain, I add the Domain Computers group with enroll and autoenroll permissions.

On extensions tab, you can choose the certificate usage (Server authentication, client authentication etc.).

To finish, on the subject name tab you can choose how the certificate subject name is filled. You have two options: manually (Supply in the request) or automatically with Active Directory information (Build from this Active Directory information). I choose to use the DNS name as subject name. You can add also alternative subject name.

When the certificate template is set, click on Apply and it will be published in Active Directory.

Configure the CA

Now we have to say to CA that it can issue certificates from WinRM template. For that open the certification authority console and right click on Certificate Templates. Select New and Certificate Template to issue.

Select the WinRM template and click ok.

Now the CA can issue certificate requested from WinRM template.

Certificate managers

A certificate manager can approve certificate enrollment and revocation requests, issue certificates, and manage certificates. This role can be configured by assigning a user or group the Issue and Manage Certificatespermission.
When you assign this permission to a user or group, you can further refine their ability to manage certificates by group and by certificate template. For example, you might want to implement a restriction that they can only approve requests or revoke smart card logon certificates for users in a certain office or organizational unit that is the basis for a security group.
This restriction is based on a subset of the certificate templates enabled for the certification authority (CA) and the user groups that have Enroll permissions for that certificate template from that CA.
You must be a CA administrator or a member of Enterprise Admins, or equivalent, to complete this procedure.

To configure certificate manager restrictions for a CA

  1. Open the Certification Authority snap-in, and right-click the name of the CA.
  2. Click Properties, and then click the Security tab.
  3. Verify that the user or group that you have selected has Issue and Manage Certificates permission. If they do not yet have this permission, select the Allow check box, and then click Apply.
  4. Click the Certificate Managers tab.
  5. Click Restrict certificate managers, and verify that the name of the group or user is displayed.
  6. Under Certificate Templates, click Add, select the template for the certificates that you want this user or group to manage, and then click OK. Repeat this step until you have selected all certificate templates that you want to allow this certificate manager to manage.
  7. Under Permissions, click Add, type the name of the client for whom you want the certificate manager to manage the defined certificate types, and then click OK.
  8. If you want to block the certificate manager from managing certificates for a specific user, computer, or group, under Permissions, select this user, computer, or group, and click Deny.
  9. When you are finished configuring certificate manager restrictions, click OK or Apply.