Create Health Certificate Templates
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In order to issue NAP health certificates from an enterprise certification authority (CA), you must configure certificate templates. Using certificate templates with autoenrollment is also the simplest way to exempt selected computers from health checks when you use a NAP with IPsec enforcement design.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Configure health certificate templates
Use the following procedures to create a certificate template for domain-authenticated computers and, optionally, an anonymous template for non-domain-authenticated computers. If you have not enabled anonymous certificate requests from Health Registration Authority (HRA), you do not need to create an anonymous certificate template. These procedures apply to enterprise CAs only. Instructions are provided for configuring templates on a computer running Windows Server 2008 Enterprise or Windows Server 2008 R2 Enterprise. With slight modification to some procedure steps, however, you can also configure templates on a computer running Windows Server 2003 Enterprise Edition.
To configure an authenticated certificate template
On your root CA or on a subordinate enterprise NAP CA, click Start, click Run, type certtmpl.msc, and then press ENTER. The certificate templates console will open.
In the details pane, right-click Workstation Authentication, and then click Duplicate Template. This template is used because it is already configured with the client authentication application policy.
In Duplicate Template, choose Windows 2003 Server, Enterprise Edition, and then click OK.
Under Template display name, type System Health Authentication.
Clear the Publish certificate in Active Directory check box. See the following example.
Click the Extensions tab, and then click Application Policies.
Click Edit, click Add, click System Health Authentication, and then click OK twice.
To ensure that noncompliant domain member computers cannot manually enroll with health certificates, click the Security tab, click Domain Computers, and clear the check box under Allow for the Enroll permission. HRA will issue certificate requests on behalf of these computers if they are compliant with health requirements.
To allow HRA permission to enroll health certificates, click the Security tab, click Add, click Object types, select Computers and click OK.
Under Enter the object names to select, type the DNS name of your HRA server, and then click OK. Alternatively, you can type the name of a group of which the HRA server is a member. Members of the Domain Admins group are granted this permission by default.
Click the name or group you added, and then select Allow permissions for Enroll and Autoenroll.
If this certificate template will be used to issue NAP exemption certificates, click the Security tab, click Add, type IPsec NAP Exemption, and then click OK. Click IPsec NAP Exemption, click the Allow check boxes next to Enroll and Autoenroll, and then click OK.
Note
To issue exemption certificates, create a security group named IPsec NAP exemption and add computers you want to exempt from NAP health checks. For more information, see Create an IPsec NAP Exemption Group.
If this certificate template will not be used to issue NAP exemption certificates, click the Subject Name tab, select Supply in the request, click OK, and then click OK again. This setting provides the correct client name in issued certificates, but is not compatible with autoenrollment.
If you will create an anonymous health certificate template, leave the certificate templates console open for the following procedure.
To configure an anonymous certificate template
In the details pane of the certificate templates console, right-click System Health Authentication, and then click Duplicate Template. This is the template that you created in the preceding procedure.
In Duplicate Template, choose Windows 2003 Server, Enterprise Edition, and then click OK.
Under Template display name, type Anonymous System Health Authentication.
Click the Extensions tab, and then click Application Policies.
Click Edit, click Client Authentication, click Remove, and then click OK twice.
Close the certificate templates console.
See Also
Concepts
Configure an HRA Server for NAP
Publish NAP Certificate Templates