Hi ahkenho,
Thank you for posting in the Microsoft Community Forums.
- Open the Certificate Templates Console
First, you need to log in as an administrator to the server where AD CS (Active Directory Certificate Services) is installed and open the Certificate Templates Console. This can be done by running the certtmpl.msc command.
- Selecting or creating a template
In the Certificate Templates console, you can select an existing template to modify, or create a completely new template. If you want to maintain the integrity of an existing template, it is recommended that you copy an existing template and modify it.
- Editing Template Properties
After selecting a template, right-click on it and select “Properties” to edit the properties of the template. In the Properties dialog box, you need to focus on the following key settings:
Application Policy
Key Usage: Ensure that both “Key Encryption” and “Key Protocol” are checked. This allows certificates to be used for encrypting and decrypting data, as well as protocols such as TLS/SSL.
Extensions
Enhanced Key Usage (EKU): Add or confirm relevant EKUs such as “Client Authentication”, “Server Authentication”, etc. as needed.
Security
Publish to CA: Ensure that the template is set to publish to CA so that CA can issue certificates based on the template.
- Configure other related settings
In addition to the above key settings, you also need to configure other related settings according to the actual needs, such as the certificate validity period, renewal period, certificate issuance requirements, and so on.
- Save and apply the template
After finishing editing the template, save the changes and apply the template. This may take some time as the changes need to be recognized and applied by the AD CS service.
- Verify the template configuration
Finally, verify that the template configuration is correct. You can try requesting a certificate based on this template and check that the certificate's attributes and uses are as expected.
Caution:
Before modifying a template, it is recommended that you back up the original template just in case.
The simultaneous enabling of key agreement and key encryption may be limited by specific application scenarios and security policies. Make sure that your configuration complies with your organization's security standards and best practices.
If you are not familiar with the configuration of certificate templates, it is recommended that you consult an IT professional with relevant experience or refer to Microsoft's official documentation and guidelines.
Best regards
Neuvi
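As an added example (not part of Neuvi's answer above), the following PowerShell covers the last step, verifying the template configuration. It decodes the pKIKeyUsage attribute of a template object in Active Directory so you can see which Key Usage bits are actually set, and it checks that a certificate issued from the template carries the expected Key Usage flags and EKU OIDs. The template name ContosoWebServer, the store path and the expected flag set are placeholders; reading the template object assumes the ActiveDirectory module (RSAT) is available. The byte array in the sample call is constructed to illustrate the decoding, not taken from a real template.

```powershell
# Added example, not from the original post. Placeholders: 'ContosoWebServer',
# the required flags/OIDs, and the Cert:\LocalMachine\My store path.

# Bit layout of the ASN.1 KeyUsage bit string as stored in pKIKeyUsage.
# First byte holds the common usages; the second byte holds encipherOnly (0x80)
# and decipherOnly (0x40).
$KeyUsageBits = [ordered]@{
    DigitalSignature = 0x80
    NonRepudiation   = 0x40
    KeyEncipherment  = 0x20
    DataEncipherment = 0x10
    KeyAgreement     = 0x08
    KeyCertSign      = 0x04
    CrlSign          = 0x02
}

function ConvertFrom-PkiKeyUsage {
    # Turn the raw pKIKeyUsage bytes into a list of usage names.
    param([byte[]]$Bytes)
    $flags = @()
    if ($Bytes.Count -gt 0) {
        foreach ($name in $KeyUsageBits.Keys) {
            if (($Bytes[0] -band $KeyUsageBits[$name]) -ne 0) { $flags += $name }
        }
    }
    if ($Bytes.Count -gt 1) {
        if (($Bytes[1] -band 0x80) -ne 0) { $flags += 'EncipherOnly' }
        if (($Bytes[1] -band 0x40) -ne 0) { $flags += 'DecipherOnly' }
    }
    return $flags
}

function Get-TemplateKeyUsage {
    # Read the template object from the configuration partition and decode it.
    param([string]$TemplateName)
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
            (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -SearchBase $base -Filter "name -eq '$TemplateName'" `
                      -Properties pKIKeyUsage, pKIExtendedKeyUsage
    [pscustomobject]@{
        Template = $t.Name
        KeyUsage = ConvertFrom-PkiKeyUsage ([byte[]]$t.pKIKeyUsage)
        EKU      = @($t.pKIExtendedKeyUsage)   # EKU OIDs, e.g. 1.3.6.1.5.5.7.3.1
    }
}

function Test-IssuedCertificate {
    # Compare an issued certificate's KU and EKU extensions with what the
    # template was supposed to produce; returns the missing items (empty = OK).
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$RequiredKeyUsage,
        [string[]]$RequiredEkuOids
    )
    $ku  = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @()
    if ($eku) { $present = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    $missingKu = $RequiredKeyUsage | Where-Object {
        -not $ku -or -not $ku.KeyUsages.HasFlag(
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$_) }
    $missingEku = $RequiredEkuOids | Where-Object { $present -notcontains $_ }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        MissingKeyUsage = @($missingKu)
        MissingEku      = @($missingEku)
        Ok              = (@($missingKu).Count -eq 0 -and @($missingEku).Count -eq 0)
    }
}

# Constructed sample: bytes AD would store for Digital Signature + Key
# Encipherment + Key Agreement (0xA8 0x00).
ConvertFrom-PkiKeyUsage ([byte[]](0xA8, 0x00))

# Real checks against the placeholder template and a certificate issued from it.
Get-TemplateKeyUsage -TemplateName 'ContosoWebServer'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $tpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tpl -and $tpl.Format($false) -like '*ContosoWebServer*'
} | Select-Object -First 1
if ($cert) {
    Test-IssuedCertificate -Cert $cert `
        -RequiredKeyUsage 'KeyEncipherment', 'KeyAgreement' `
        -RequiredEkuOids '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2'
}
```

Looking at the decoded template bits and the issued certificate side by side is the quickest way to spot a template that was edited but never re-published, or an enrollment that picked up an older template version than the one you just changed.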