Certificate Templates Appendixes
Applies To: Windows Server 2008
This document includes the following appendixes:
Wireless Certificates
Certificate Templates Schema
References
Wireless Certificates
Windows® XP introduced native support for 802.1X and wireless networks. To enable strong security, both users and computers need certificates with which to authenticate to a RADIUS authorization point. Microsoft Windows 2000 Server–based certification authorities (CAs) meet the 802.1X certificate requirements for computers with the version 1 computer certificate template, and for users with any certificate template that contains the Client Authentication enhanced key usage. If version 2 or 3 templates are used for computer autoenrollment, the certificate template must be configured correctly: when the computer template is cloned to a new template, the administrator must ensure that the DNS name is included in the subject name of the certificate. Windows XP and Windows Vista® wireless client computers require the DNS name of the computer in the subject for proper use and authentication to the RADIUS server.
Important: If the DNS fully qualified domain name (FQDN) is longer than 64 characters, the name will be truncated during certificate enrollment and the name will not be valid for wireless authentication.
For more information, see Wireless Networking in Windows Vista (https://go.microsoft.com/fwlink/?LinkID=89054).
Certificate Templates Schema
The Certificate Templates container contains the certificate templates that are defined within an Active Directory® forest. Each certificate template is a member of the class pKICertificate. Each certificate template is managed by using the Certificate Templates snap-in and is stored in the following location in the Configuration naming context: CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain.
Version 1 Certificate Template Attributes
The following version 1 certificate template attributes are defined in the Active Directory schema.
Attribute | Description |
---|---|
cn | Common name of the certificate type |
distinguishedName | Distinguished name of the certificate type |
displayName | Display name of a certificate type |
pKIExtendedKeyUsage | Array of extended key usage object identifiers |
pKIDefaultCSPs | Default cryptographic service provider (CSP) list; DWORD value, CSP name |
pKICriticalExtensions | List of critical extensions |
revision | Major version of the template |
templateDescription | Obsolete attribute |
flags | General enrollment flags |
pKIDefaultKeySpec | Specification of the default key length and construct |
nTSecurityDescriptor | Security descriptor name |
pKIKeyUsage | Key usage extension |
pKIMaxIssuingDepth | Basic constraints; DWORD value |
pKIExpirationPeriod | Validity period; negative FILETIME value |
pKIOverlapPeriod | Renewal period; negative FILETIME value |
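The two period attributes above are the ones most often misread when a template is inspected directly in the directory rather than through the snap-in: each is an 8-byte, little-endian, signed FILETIME-style interval (a count of 100-nanosecond ticks) stored as a negative number. The following is an added example, not code from the Microsoft documentation, showing how to decode and re-encode those values and how to build the Configuration-partition DN the text above gives. The byte strings and the forest DN components (`DC=example,DC=test`) are constructed for illustration; the function names are my own.

```python
"""Decode certificate-template period attributes and build a template DN.

Added example, not code from the Microsoft documentation. The sample byte
strings are constructed from the encoding the page describes (8-byte
little-endian signed count of 100-ns ticks, stored negative), not read
from a live directory.
"""
from datetime import timedelta

_TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns

# Hypothetical forest root; substitute your forest's DC components.
FOREST_ROOT_DC = "DC=example,DC=test"


def template_dn(template_name, forest_root_dc=FOREST_ROOT_DC):
    """DN of a template object in the Configuration naming context."""
    return (f"CN={template_name},CN=Certificate Templates,"
            f"CN=Public Key Services,CN=Services,CN=Configuration,{forest_root_dc}")


def decode_period(raw):
    """Turn a pKIExpirationPeriod / pKIOverlapPeriod value into a timedelta.

    A non-negative or wrongly sized value is rejected rather than guessed at:
    it indicates a corrupt or hand-edited attribute.
    """
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little", signed=True)
    if ticks >= 0:
        raise ValueError("period must be stored as a negative FILETIME interval")
    return timedelta(seconds=-ticks / _TICKS_PER_SECOND)


def encode_period(period):
    """Inverse of decode_period, for writing a template with known values."""
    ticks = int(period.total_seconds() * _TICKS_PER_SECOND)
    return (-ticks).to_bytes(8, "little", signed=True)


def time_until_renewal(validity, overlap):
    """Time after issuance at which autoenrollment may renew: validity minus
    renewal period. The renewal period must be shorter than the validity."""
    v, o = decode_period(validity), decode_period(overlap)
    if o >= v:
        raise ValueError("renewal period must be shorter than the validity period")
    return v - o


# Constructed sample values: one-year validity, six-week renewal period.
SAMPLE_EXPIRATION = b"\x00\x40\x39\x87\x2e\xe1\xfe\xff"
SAMPLE_OVERLAP = b"\x00\x80\xa6\x0a\xff\xde\xff\xff"

if __name__ == "__main__":
    print(template_dn("Workstation Authentication"))
    print("validity:", decode_period(SAMPLE_EXPIRATION))       # 365 days
    print("renewal period:", decode_period(SAMPLE_OVERLAP))    # 42 days
    print("renewable after:", time_until_renewal(SAMPLE_EXPIRATION, SAMPLE_OVERLAP))
```

Because the value is signed, reading it as an unsigned integer (or as a big-endian one) produces a nonsensical multi-thousand-year period; the explicit sign and length checks in `decode_period` catch the common mistakes before they reach a report.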
Versions 2 and 3 Certificate Template Attributes
The following certificate template attributes defined in the Active Directory schema are applicable to template versions 2 and 3.
Attribute | Description |
---|---|
msPKI-Template-Schema-Version | Schema version of the template |
msPKI-Template-Minor-Revision | Minor version of the template |
msPKI-RA-Signature | Number of registration authority signatures required on a request referencing this template |
msPKI-Minimal-Key-Size | Minimal key size required |
msPKI-Template-Cert-Template-OID | Object identifier of this template |
msPKI-Supersede-Templates | Name of the template that this template supersedes |
msPKI-RA-Policies | Object identifiers required for the registration authority issuer policy |
msPKI-RA-Application-Policies | Object identifiers required for the registration authority application policy |
msPKI-Certificate-Policy | The certificate issuer policy object identifiers that are placed in the OID_CERT_POLICIES extension by the policy module |
msPKI-Certificate-Application-Policy | Certificate application policy object identifiers |
msPKI-Enrollment-Flag | Enrollment flags |
msPKI-Private-Key-Flag | Private key flags |
msPKI-Certificate-Name-Flag | Subject name flags |
Flags
The following enrollment flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | Include the Secure/Multipurpose Internet Mail Extensions (S/MIME) symmetric algorithms in the requests. |
CT_FLAG_PEND_ALL_REQUESTS | All certificate requests are set to pending. |
CT_FLAG_PUBLISH_TO_KRA_CONTAINER | Publish the certificate to the KRA container in Active Directory Domain Services (AD DS). |
CT_FLAG_PUBLISH_TO_DS | Publish the resultant certificate to the userCertificate property on the user object in AD DS. |
CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE | The autoenrollment client computer will not enroll for a new certificate if the user has a certificate previously published to the userCertificate property in AD DS with the same template name. |
CT_FLAG_AUTO_ENROLLMENT | This certificate is appropriate for autoenrollment. |
CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT | A previously issued certificate will validate subsequent enrollment requests. |
CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED | This flag is obsolete. |
CT_FLAG_USER_INTERACTION_REQUIRED | User interaction is required to enroll by using autoenrollment. |
CT_FLAG_ADD_TEMPLATE_NAME | This flag is obsolete. |
CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE | Remove an expired or revoked certificate from the personal store on the local client computer during autoenrollment. |
The following subject name flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT | The enrolling application must supply the subject name in the request. |
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME | The enrolling application must supply the alternate subject name in the request. |
CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH | The subject name must be the distinguished name based on the Active Directory path. |
CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME | The subject name must be the common name. |
CT_FLAG_SUBJECT_REQUIRE_EMAIL | The subject name must include the e-mail name. |
CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN | The subject name must include the DNS name as the common name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_DNS | The alternate subject name must include the DNS name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL | The alternate subject name must include the e-mail name. |
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | The alternate subject name requires the user principal name (UPN). |
CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID | The alternate subject name requires the directory globally unique identifier (GUID) that is used by domain controllers. |
CT_FLAG_SUBJECT_ALT_REQUIRE_SPN | The alternate subject name requires the service principal name (SPN). |
The following template private key flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL | Archival of the private key is allowed or required. |
CT_FLAG_EXPORTABLE_KEY | The private key is marked as exportable. |
The following template general flags are defined in the Active Directory schema.
Flag | Description |
---|---|
CT_FLAG_MACHINE_TYPE | Computer certificate type |
CT_FLAG_IS_CA | CA certificate type |
CT_FLAG_IS_CROSS_CA | Cross-certified CA certificate type |
CT_FLAG_IS_DEFAULT | Default certificate type; set on all version 1 templates and cannot be changed |
CT_FLAG_IS_MODIFIED | The template has been modified (read-only) |
CT_MASK_SETTABLE_FLAGS | Obsolete |
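The four flag attributes above (msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag, msPKI-Private-Key-Flag and the general flags attribute) are bitmasks, so a template read straight from the directory shows up as a handful of integers, and LDAP returns the 32-bit ones as signed values, which makes any template with CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH set appear negative. The following is an added example, not code from the Microsoft documentation, that decodes those integers back into the flag names listed in the tables and runs the two checks the Wireless Certificates appendix calls for on a cloned computer template: that the DNS name is required as the subject common name, and that the enrolling computer's FQDN fits the 64-character limit. The bit values are taken from the MS-CRTD specification and should be treated as an assumption to verify against the current revision; the template records and the FQDN are constructed, not read from any directory.

```python
"""Decode certificate-template flag attributes and audit template records.

Added example, not code from the Microsoft documentation. Flag names are
those in the tables above; bit values are from MS-CRTD (assumption:
verify against the current revision). Template records are constructed.
"""

# msPKI-Enrollment-Flag bits
ENROLLMENT_FLAGS = {
    0x00000001: "CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS",
    0x00000002: "CT_FLAG_PEND_ALL_REQUESTS",
    0x00000004: "CT_FLAG_PUBLISH_TO_KRA_CONTAINER",
    0x00000008: "CT_FLAG_PUBLISH_TO_DS",
    0x00000010: "CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE",
    0x00000020: "CT_FLAG_AUTO_ENROLLMENT",
    0x00000040: "CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT",
    0x00000080: "CT_FLAG_DOMAIN_AUTHENTICATION_NOT_REQUIRED",
    0x00000100: "CT_FLAG_USER_INTERACTION_REQUIRED",
    0x00000200: "CT_FLAG_ADD_TEMPLATE_NAME",
    0x00000400: "CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE",
}
# msPKI-Certificate-Name-Flag bits
NAME_FLAGS = {
    0x00000001: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT",
    0x00010000: "CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME",
    0x00800000: "CT_FLAG_SUBJECT_ALT_REQUIRE_SPN",
    0x01000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID",
    0x02000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_UPN",
    0x04000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL",
    0x08000000: "CT_FLAG_SUBJECT_ALT_REQUIRE_DNS",
    0x10000000: "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN",
    0x20000000: "CT_FLAG_SUBJECT_REQUIRE_EMAIL",
    0x40000000: "CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME",
    0x80000000: "CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH",
}
# msPKI-Private-Key-Flag bits
PRIVATE_KEY_FLAGS = {
    0x00000001: "CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL",
    0x00000010: "CT_FLAG_EXPORTABLE_KEY",
}
# general "flags" attribute bits
GENERAL_FLAGS = {
    0x00000040: "CT_FLAG_MACHINE_TYPE",
    0x00000080: "CT_FLAG_IS_CA",
    0x00000800: "CT_FLAG_IS_CROSS_CA",
    0x00010000: "CT_FLAG_IS_DEFAULT",
    0x00020000: "CT_FLAG_IS_MODIFIED",
}
MAX_CN_LENGTH = 64  # truncation limit from the Wireless Certificates note


def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first.

    LDAP returns these attributes as signed 32-bit integers, so bit 31
    makes the value negative; mask to 32 bits first. Bits missing from the
    table are reported rather than silently dropped.
    """
    value &= 0xFFFFFFFF
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08X})")
    return names


def fqdn_fits_cn(fqdn):
    """True if the FQDN fits the subject CN without being truncated."""
    return len(fqdn) <= MAX_CN_LENGTH


def audit_template(tmpl, enrolling_fqdn=None):
    """Findings for one template record; an empty list means nothing to report."""
    general = decode_flags(tmpl["flags"], GENERAL_FLAGS)
    enroll = decode_flags(tmpl["msPKI-Enrollment-Flag"], ENROLLMENT_FLAGS)
    names = decode_flags(tmpl["msPKI-Certificate-Name-Flag"], NAME_FLAGS)
    keys = decode_flags(tmpl["msPKI-Private-Key-Flag"], PRIVATE_KEY_FLAGS)
    findings = []
    # A computer template used for 802.1X must carry the DNS name in the subject.
    if "CT_FLAG_MACHINE_TYPE" in general and "CT_FLAG_AUTO_ENROLLMENT" in enroll:
        if "CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN" not in names:
            findings.append("machine autoenrollment template does not require the DNS name as subject CN")
        if enrolling_fqdn is not None and not fqdn_fits_cn(enrolling_fqdn):
            findings.append(f"FQDN is {len(enrolling_fqdn)} chars; over {MAX_CN_LENGTH} it is truncated at enrollment")
    if "CT_FLAG_EXPORTABLE_KEY" in keys:
        findings.append("private key is marked exportable")
    if "CT_FLAG_ALLOW_PRIVATE_KEY_ARCHIVAL" in keys:
        findings.append("private key archival is allowed or required")
    return findings


# Constructed records shaped like the integers an LDAP read returns.
SAMPLE_TEMPLATES = {
    "Workstation Authentication (constructed)": {
        "flags": 0x00010040, "msPKI-Enrollment-Flag": 0x00000020,
        "msPKI-Certificate-Name-Flag": 0x18000000, "msPKI-Private-Key-Flag": 0},
    "Cloned computer template (constructed)": {
        "flags": 0x00020040, "msPKI-Enrollment-Flag": 0x00000020,
        "msPKI-Certificate-Name-Flag": 0x08000000, "msPKI-Private-Key-Flag": 0x10},
    "User (constructed)": {
        "flags": 0x00010000, "msPKI-Enrollment-Flag": 0x00000029,
        "msPKI-Certificate-Name-Flag": -1509949440,  # 0xA6000000 as a signed int
        "msPKI-Private-Key-Flag": 0},
}

if __name__ == "__main__":
    for name, tmpl in SAMPLE_TEMPLATES.items():
        print(name, decode_flags(tmpl["msPKI-Certificate-Name-Flag"], NAME_FLAGS))
        for finding in audit_template(tmpl, "ws01.corp.example.test"):
            print("  -", finding)
```

The cloned computer record is the case the Wireless Certificates appendix warns about: it still requires the DNS name in the alternate subject name, but the common name requirement was lost in the clone, so the audit reports it alongside the exportable private key. Unknown bits are surfaced deliberately, since a flag this table does not know about is exactly what a reviewer should look at.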
References
Troubleshooting Certificate Status and Revocation (https://go.microsoft.com/fwlink/?LinkID=18753)
Windows Server 2008 Help for certificate templates