
Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM

Applies to Windows Server 2012 R2 Preview, Windows Server 2012, Windows 8, and Windows 8.1 Preview

Windows 8 and Windows Server 2012 Certificate Authority support the use of Trusted Platform Modules (TPMs) to secure certificate keys. A key storage provider (KSP)
named the “Microsoft Platform Crypto Provider” is available on Windows 8 and Windows Server 2012 computers in which a TPM is provisioned.

To use this capability, a certificate template must be configured to use the Microsoft Platform Crypto Provider KSP. In the template UI, switch to the Cryptography tab, select “Key Storage Provider” as the provider category, and then select the TPM KSP. The configuration would look like this:

The software KSP can also be selected alongside it. In that case the client tries the TPM KSP first and, if that provider is not available or does not work, falls back to the software KSP.

When an administrator is configuring the template, the list of KSPs is enumerated from the local computer. The KSP “Microsoft Platform Crypto Provider” is shown only if a TPM is present and properly provisioned. If the administrator needs to configure the KSP from a computer that does not have a TPM installed, the following workaround can be used:

  1. Ensure that you are logged on as an Enterprise Administrator and Certificate Administrator to your certification authority.
  2. Open the Certificate Templates Console (certtmpl.msc).
  3. Duplicate a certificate template, such as Workstation Authentication. 
  4. On the Compatibility tab, ensure that Certification Authority is set to Windows Server 2012 and Certificate recipient is configured for Windows 8 / Windows Server 2012.
  5. In the General tab, ensure you give the certificate template a unique name.
  6. On the Cryptography tab, in the Provider Category, configure Key Storage Provider.
  7. Under Choose which cryptographic providers can be used for requests, select Requests must use one of the following providers.
  8. In Providers, select Microsoft Software Key Storage Provider.
  9. Configure the remaining tabs of the certificate template to meet your certificate issuance requirements, and then click OK.
  10. From a command prompt, dump the certificate template to a text file. You can use the following command: certutil -dstemplate MyTemplate > MyTemplate.txt
    • Note: Substitute the actual name of the certificate template for MyTemplate.
  11. Open the file in a text editor, such as Notepad (notepad MyTemplate.txt).
  12. The file will show the template content, including the KSP information. An example of a certutil dump is shown below. Edit the file:
    • Locate the line that reads pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider" and change Microsoft Software Key Storage Provider to Microsoft Platform Crypto Provider.
    • Delete the last line of output from the file, which reads CertUtil: -dsTemplate command completed successfully.
    • Save the file.
  13. Use certutil to upload the content to the AD DS Configuration container. The command is certutil -dsaddtemplate MyTemplate.txt
  14. Run certutil -pulse to make sure the template cache on the local computer is updated.
  15. In the Certificate Templates Console, right-click the template you created and then click Properties.
  16. On the Cryptography tab, ensure that Microsoft Platform Crypto Provider appears under Providers.
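The following PowerShell script is an added example (not part of the original article) that automates steps 10 through 14 and then checks the result as step 16 does, by dumping the template again. It assumes you run it on a domain-joined computer as an Enterprise Administrator, that certutil.exe is on the PATH, and that the template named in $TemplateName was already created with the Microsoft Software Key Storage Provider (steps 1 through 9).

```powershell
# Added example: rewrite a template's KSP from the software KSP to the TPM KSP via certutil.
# Assumption: $TemplateName is the name you gave the duplicated template in step 5.
param(
    [Parameter(Mandatory)] [string] $TemplateName
)

$dumpFile    = "$TemplateName.txt"
$softwareKsp = 'Microsoft Software Key Storage Provider'
$tpmKsp      = 'Microsoft Platform Crypto Provider'

# Step 10: dump the template object from AD DS to a text file.
certutil -dstemplate $TemplateName | Out-File -FilePath $dumpFile -Encoding ASCII
if ($LASTEXITCODE -ne 0) { throw "certutil -dstemplate failed for '$TemplateName'" }

# Step 12: change only the pKIDefaultCSPs line; refuse to continue if the template
# is not in the state steps 1-9 leave it in, so nothing unexpected is written back.
$lines   = Get-Content -Path $dumpFile
$cspLine = @($lines | Where-Object { $_ -match '^\s*pKIDefaultCSPs\s*=' })
if ($cspLine.Count -ne 1) { throw "Expected exactly one pKIDefaultCSPs line, found $($cspLine.Count)" }
if ($cspLine[0] -notmatch [regex]::Escape($softwareKsp)) {
    throw "Template does not request '$softwareKsp' (see step 8); found: $($cspLine[0])"
}

$edited = $lines |
    ForEach-Object {
        if ($_ -match '^\s*pKIDefaultCSPs\s*=') { $_ -replace [regex]::Escape($softwareKsp), $tpmKsp }
        else { $_ }
    } |
    # Drop the trailing status line that certutil appends to the dump.
    Where-Object { $_ -notmatch '^CertUtil: -dsTemplate command completed successfully' }

Set-Content -Path $dumpFile -Value $edited -Encoding ASCII

# Step 13: upload the edited template object to the AD DS Configuration container.
certutil -dsaddtemplate $dumpFile
if ($LASTEXITCODE -ne 0) { throw "certutil -dsaddtemplate failed for '$dumpFile'" }

# Step 14: refresh the local template cache.
certutil -pulse | Out-Null

# Step 16 equivalent: re-dump the template and confirm the TPM KSP is now listed.
$check = @(certutil -dstemplate $TemplateName | Where-Object { $_ -match '^\s*pKIDefaultCSPs\s*=' })
if ($check -match [regex]::Escape($tpmKsp)) {
    Write-Host "Template '$TemplateName' now requests '$tpmKsp'."
} else {
    Write-Warning "Verification failed; pKIDefaultCSPs is: $check"
}
```

Open the template's Cryptography tab afterwards to confirm the provider list matches what the script reports.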

Certutil dump of a template named User_V3:

[User_V3]
    objectClass = "top", "pKICertificateTemplate"
    cn = "User_V3"
    distinguishedName = "CN=User_V3,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=MyDC,DC=com"

    instanceType = "4"
    whenCreated = "20120714222057.0Z"
    whenChanged = "20121008225126.0Z"
    displayName = "User_V3"
    uSNCreated = "26796"
    uSNChanged = "97640"
    showInAdvancedViewOnly = "TRUE"
    name = "User_V3"
    objectGUID = "608628c3-2717-451c-892b-b084ff3978d8"
    flags = "131642"
    revision = "100"
    objectCategory = "CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=d9-1351D0423,DC=nttest,DC=microsoft,DC=com"
    pKIDefaultKeySpec = "1"
    pKIKeyUsage = "a0"
    pKIMaxIssuingDepth = "0"
    pKICriticalExtensions = "2.5.29.15"
    pKIExpirationPeriod =  "1 Years"
    pKIOverlapPeriod =  "6 Weeks"
    pKIExtendedKeyUsage = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
    pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"
    dSCorePropagationData = "20120714222100.0Z", "20120714222100.0Z", "16010101000000.0Z"
    msPKI-RA-Signature = "0"
    msPKI-Enrollment-Flag = "41"
    msPKI-Private-Key-Flag = "33685520"
    msPKI-Certificate-Name-Flag = "-1509949440"
    msPKI-Minimal-Key-Size = "2048"
    msPKI-Template-Schema-Version = "3"
    msPKI-Template-Minor-Revision = "3"
    msPKI-Cert-Template-OID = "1.3.6.1.4.1.311.21.8.7686780.5497180.1657228.10716309.12491915.247.13620649.13495913"
    msPKI-Certificate-Application-Policy = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
    msPKI-RA-Application-Policies = "msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-Key-Usage`DWORD`16777215`msPKI-Symmetric-Algorithm`PZPWSTR`3DES`msPKI-Symmetric-Key-Length`DWORD`168`"

[TemplateList]

    Template = "User_V3"

CertUtil: -dsTemplate command completed successfully.