Windows Server 2019 – Creating a new certificate template

Enough talk, it’s time to get some work done. Now that our CA role has been installed, let’s make it do something! The purpose of a certificate server is to issue certificates, right? So, shall we do that? Not so fast. When you issue a certificate from a CA server to a device or user, you are not choosing which certificate you want to deploy; rather you are choosing which certificate template you want to utilize in order to deploy a certificate that is based upon the settings configured inside that template. Certificate templates are sort of like recipes for cooking. On the CA server, you build out your templates and include all of the particular ingredients, or settings, that you want to be incorporated into your final certificate. Then, when the users or computers come to request a certificate from the CA server, they are sort of baking a certificate onto their system by telling the CA which template recipe to follow when building that certificate. Certificates relating to food? Maybe that’s a stretch, but it’s getting pretty late at night and that’s the first thing that came to mind.

When you walk through the steps to configure your first CA server, it comes with some pre-built certificate templates right in the console. In fact, one of those templates, called Computer, is typically preconfigured to the point where, if a client computer were to reach out and request a computer certificate from your new CA, it would be able to successfully issue one. However, where is the fun in using prebuilt templates and certificates? I would rather build my own template so that I can specify the particular configurations and settings inside that template. This way, I know exactly what settings are contained within my certificates that will ultimately be issued to my computers in the network.

Once again, we need to launch the proper administrative console in order to do our work. Inside the Tools menu of Server Manager, click on Certification Authority. Once inside, you can expand the name of your certification authority and see some folders, including one on the bottom called Certificate Templates. If you click on this folder, you will see a list of the templates that are currently built into our CA server. Since we do not want to utilize one of these pre-existing templates, it is common sense that we would try to right-click in here and create a new template, but this is actually not the correct place to build a new template. The reason why new certificate templates are not built right from this screen must be above my pay grade, because it seems silly that they aren’t. To get to the second screen, where we actually manage and modify our templates, right-click on the Certificate Templates folder, and then choose Manage.

Now you see a much more comprehensive list of templates, including a number of them you couldn’t view on the first screen. In order to build a new template, what we want to do is find a pre-existing template that functions similarly to the purpose that we want our new certificate template to serve. Computer templates are becoming commonly issued across many organizations due to more and more technologies requiring these certificates to exist, yet, as we said, we don’t want to utilize that baked-in template, which is simply called Computer, because we want our template to have a more specific name and maybe we want the certificate’s validity period to be longer than the default settings. Right-click on the built-in Computer template, and click on Duplicate Template. This opens the Properties screen for our new template, from which we first want to give our new template a unique name inside the General tab.

In an upcoming chapter, we will discuss DirectAccess, the remote access technology that will be used in our environment. A good implementation of DirectAccess includes machine certificates being issued to all of the mobile client workstations, so we will plan to make use of this new template for those purposes. The General tab is also the place where we get to define our validity period for this certificate, which we will set to 2 years.

If the certificates that you want to issue require any additional setting changes, you can flip through the available tabs inside properties and make the necessary adjustments. For our example, another setting I will change is inside the Subject Name tab. I want my new certificates to have a subject name that matches the common name of the computer where it is being issued, so I have chosen Common name from the drop-down list.

We have one more tab to visit, and this is something you should check on every certificate template that you build: the Security tab. We want to check here to make sure that the security permissions for this template are set in a way that allows the certificate to be issued to the users or computers that we desire, and at the same time make sure that the template’s security settings are not too loose, creating a situation where someone who doesn’t need it might be able to get a certificate. For our example, I plan to issue these DirectAccess certificates to all of the computers in the domain, because the kind of machine certificate I have created could be used for general IPsec authentications as well, which I may someday configure.

So, I am just making sure that I have Domain Computers listed in the Security tab, and that they are set for Read and Enroll permissions, so that any computer that is joined to my domain will have the option of requesting a new certificate based on my new template.

Since that is everything I need inside my new certificate, I simply click on OK, and my new certificate template is now included in the list of templates on my CA server.
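Once the template is saved, the settings chosen on the General, Subject Name and Security tabs can be read back from Active Directory instead of being re-checked by eye. The script below is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed, and the template name `DA-Machine-Cert` is a hypothetical placeholder for whatever name you gave your template.

```powershell
# Added example: read back a certificate template's validity, subject source and Enroll ACL.
Import-Module ActiveDirectory

$TemplateName = 'DA-Machine-Cert'   # hypothetical placeholder: the name set on the General tab

# Extended-right GUIDs that control enrollment (defined in the AD schema)
$Rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes Enroll)'
}

# Templates are stored in the forest's Configuration partition
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$tpl = Get-ADObject -SearchBase $base `
    -LDAPFilter "(|(cn=$TemplateName)(displayName=$TemplateName))" `
    -Properties displayName, pKIExpirationPeriod, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
if (-not $tpl) { throw "Template '$TemplateName' not found under $base" }

# General tab: pKIExpirationPeriod is a negative count of 100 ns ticks
$ticks        = [BitConverter]::ToInt64([byte[]]$tpl.pKIExpirationPeriod, 0)
$validityDays = [math]::Round(-$ticks / [TimeSpan]::TicksPerDay)

# Subject Name tab: bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) means "Supply in the request";
# when it is clear, the subject is built from Active Directory information
$builtFromAD = -not ([int]$tpl.'msPKI-Certificate-Name-Flag' -band 0x1)

[pscustomobject]@{
    Template           = $tpl.displayName
    ValidityDays       = $validityDays      # expect about 730 for the 2 years set above
    SubjectBuiltFromAD = $builtFromAD
}

# Security tab: every Allow ACE that grants an enrollment right on this template
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$tpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ($_.ActiveDirectoryRights -band $extended) -and
                   $Rights.ContainsKey($_.ObjectType.ToString()) } |
    Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                  @{ n = 'Grants';    e = { $Rights[$_.ObjectType.ToString()] } },
                  IsInherited |
    Sort-Object Principal
```

For the template built here, Domain Computers should appear with Enroll. Any additional principal in the list that you did not put there on purpose is worth reviewing before the template is published.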
