Historical Content Alert

This is a historical content for Windows 2000 product and is presented for informative purposes only. All content on this page is copyrighted and owned by Microsoft.

Certificate templates

A certificate template profiles certificates based on their intended use. When requesting a certificate from a Windows 2000 enterprise certification authority (CA), the certificate requester will, depending on their access rights, be able to select from a variety of certificate types that are based on certificate templates, such as User and Code Signing. The certificate template saves users from low-level, technical decisions about the type of certificate that they need. Instead, they can rely on the judgement of their administrators and use the template name that indicates the purpose of the certificate.

The following certificate templates are included with Windows 2000 Certificate Services.

    Certificate Template Name Certificate Purposes Issued To People or Computers
    Administrator Code signing, certificate trust list (CTL) signing, encrypting file system (EFS), Secure E-mail, Client Authentication People
    Authenticated session Client authentication People
    Basic EFS Encrypting File System People
    Computer Client authentication, server authentication Computers
    Code Signing Code signing People
    Domain Controller Client authentication, server authentication Computers
    EFS Recovery Agent File recovery People
    Enrollment Agent Certificate request agent People
    Enrollment Agent (Offline request) Certificate request agent People
    IPSec (Offline request) Internet Protocol security Computers
    IPSec Internet Protocol security Computers
    Router (Offline request) Client authentication Computers/routers
    Smart Card Logon Client authentication People
    Smart Card User Client authentication, secure e-mail People
    Subordinate certification authority All Computers
    Trust List Signing Certificate trust list signing People
    User Encrypting File System, secure e-mail, client authentication People
    User Signature Only Secure e-mail, client authentication People
    Web Server Server authentication Computers

Every enterprise CA, as part of its policy settings, can issue specific certificate types based on certificate templates selected by the CA administrator. When you install a new enterprise CA, by default, only the following certificate templates can be issued: Administrator, Domain Controller, Computer, Basic EFS, EFS Recovery Agent, User, Web Server. For the procedure to add or remove certificate templates that a CA can issue, see Establish the certificate types that an enterprise certification authority can issue

Certificate templates have the following features:

  • Security permission set

    Indicates who is allowed to receive a certificate of this type. This decision is enforced by the CA, and requires that the certificate requester securely authenticate itself to the CA. See Set security permissions and delegate control of certificate templates for procedures to set security permissions on certificate templates.

  • Display Name

    The name that is displayed in the user interface when the client or administrator selects a certificate template.

  • Extended Key Usages

    Identifies the purpose of the certificate, such as e-mail protection, CTL signing, and so on. It is represented by Object Identifiers (OIDS).

  • Key Usages

    Identifies the use of the public key in a certificate at a basic cryptographic level. Typically, it indicates whether the key may be used for a signature, key exchange, encryption, or other uses. Key Usages is stored as a bit field.

  • Basic Constraints

    Indicates whether the resulting certificate may be used by a CA to sign lower-level certificates, which allows the construction of CA hierarchies. This value also specifies the maximum depth of the hierarchy beneath the certificate.

  • Default CSP List

    Contains the names of the cryptographic service providers (CSPs) that may be used if the enrollment takes place outside of the normal Windows user interface. There are specific constraints on the CSPs used for certain types of certificates, and this list verifies that certificates enrolled by the system will meet those constraints. For example, EFS requires the Microsoft RSA CSP.

  • Include E-Mail Name

    Indicates that the e-mail name of the principal should be included in the certificate, if there is one.

  • Machine Certificate Template

    Indicates whether the certificate template is appropriate for a computer or a user.

For procedures to manage certificate templates, see Manage Certificate Templates for an Enterprise CA

Share this article: