Default Certificate Templates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Server 2003 family certification authorities come with a number of preconfigured certificate templates that are designed to meet the needs of most organizations. These templates are:
Name | Description | Key Usage | Subject Type | Published to Active Directory? | Template Version |
---|---|---|---|---|---|
Administrator | Allows trust list signing and user authentication | Signature and encryption | User | Yes | 1 |
Authenticated Session | Allows subject to authenticate to a Web server | Signature | User | No | 1 |
Basic EFS | Used by Encrypting File System (EFS) to encrypt data | Encryption | User | Yes | 1 |
CA Exchange | Used to store keys that are configured for private key archival | Encryption | Computer | No | 2 |
CEP Encryption | Allows the holder to act as a registration authority (RA) for simple certificate enrollment protocol (SCEP) requests | Encryption | Computer | No | 1 |
Code Signing | Used to digitally sign software | Signature | User | No | 1 |
Computer | Allows a computer to authenticate itself on the network | Signature and encryption | Computer | No | 1 |
Cross-Certification Authority | Used for cross-certification and qualified subordination. For more information, see Qualified subordination overview. | Signature | CrossCA | Yes | 2 |
Directory E-mail Replication | Used to replicate e-mail within Active Directory | Signature and encryption | DirEmailRep | Yes | 2 |
Domain Controller | All-purpose certificates used by domain controllers | Signature and encryption | DirEmailRep | Yes | 1 |
Domain Controller Authentication | Used to authenticate Active Directory computers and users | Signature and encryption | Computer | No | 2 |
EFS Recovery Agent | Allows the subject to decrypt files previously encrypted with EFS | Encryption | User | No | 1 |
Enrollment Agent | Used to request certificates on behalf of another subject | Signature | User | No | 1 |
Enrollment Agent (Computer) | Used to request certificates on behalf of another computer subject | Signature | Computer | No | 1 |
Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request | Signature | User | No | 1 |
Exchange Signature Only | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail | Signature | User | No | 1 |
Exchange User | Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail | Encryption | User | Yes | 1 |
IPSEC | Used by IP Security (IPSec) to digitally sign, encrypt, and decrypt network communication | Signature and encryption | Computer | No | 1 |
IPSEC (Offline request) | Used by IP Security (IPSec) to digitally sign, encrypt and decrypt network communication when the subject name is supplied in the request | Signature and encryption | Computer | No | 1 |
Key Recovery Agent | Recovers private keys that are archived on the certification authority. For more information, see Key archival and recovery. | Encryption | KRA | No | 2 |
RAS and IAS Server | Enables RAS and IAS servers to authenticate their identity to other computers | Signature and encryption | Computer | No | 2 |
Root Certification Authority | Used to prove the identity of the root certification authority | Signature | CA | No | 1 |
Router (Offline request) | Used by a router when requested through Simple Certificate Enrollment Protocol (SCEP) from a certification authority that holds a CEP Encryption certificate | Signature and encryption | Computer | No | 1 |
Smartcard Logon | Allows the holder to authenticate using a smart card | Signature and encryption | User | No | 1 |
Smartcard User | Allows the holder to authenticate and protect e-mail using a smart card | Signature and encryption | User | Yes | 1 |
Subordinate Certification Authority | Used to prove the identity of the root certification authority. It is issued by the parent or root certification authority | Signature | CA | No | 1 |
Trust List Signing | Allows the holder to digitally sign a trust list | Signature | User | No | 1 |
User | Used by users for e-mail, EFS and client authentication | Signature and encryption | User | Yes | 1 |
User Signature Only | Allows users to digitally sign data | Signature | User | No | 1 |
Web Server | Proves the identity of a Web server | Signature and encryption | Computer | No | 1 |
Workstation Authentication | Enables client computers to authenticate their identity to servers | Signature and encryption | Computer | No | 2 |
For more information on certificate templates, see Certificate Templates. For more information on key usage, see Key usage. For more information on template versions and publishing to Active Directory, see Using Certificate Templates.