A certificate template profiles certificates based on their intended use. When requesting a certificate from a Windows 2000 enterprise certification authority (CA), the certificate requester will, depending on their access rights, be able to select from a variety of certificate types that are based on certificate templates, such as User and Code Signing. The certificate template saves users from low-level, technical decisions about the type of certificate that they need. Instead, they can rely on the judgement of their administrators and use the template name that indicates the purpose of the certificate.
The following certificate templates are included with Windows 2000 Certificate Services.
|Certificate Template Name||Certificate Purposes||Issued To People or Computers|
|Administrator||Code signing, certificate trust list (CTL) signing, encrypting file system (EFS), Secure E-mail, Client Authentication||People|
|Authenticated session||Client authentication||People|
|Basic EFS||Encrypting File System||People|
|Computer||Client authentication, server authentication||Computers|
|Code Signing||Code signing||People|
|Domain Controller||Client authentication, server authentication||Computers|
|EFS Recovery Agent||File recovery||People|
|Enrollment Agent||Certificate request agent||People|
|Enrollment Agent (Offline request)||Certificate request agent||People|
|IPSec (Offline request)||Internet Protocol security||Computers|
|IPSec||Internet Protocol security||Computers|
|Router (Offline request)||Client authentication||Computers/routers|
|Smart Card Logon||Client authentication||People|
|Smart Card User||Client authentication, secure e-mail||People|
|Subordinate certification authority||All||Computers|
|Trust List Signing||Certificate trust list signing||People|
|User||Encrypting File System, secure e-mail, client authentication||People|
|User Signature Only||Secure e-mail, client authentication||People|
|Web Server||Server authentication||Computers|
Every enterprise CA, as part of its policy settings, can issue specific certificate types based on certificate templates selected by the CA administrator. When you install a new enterprise CA, by default, only the following certificate templates can be issued: Administrator, Domain Controller, Computer, Basic EFS, EFS Recovery Agent, User, Web Server. For the procedure to add or remove certificate templates that a CA can issue, see Establish the certificate types that an enterprise certification authority can issue
Certificate templates have the following features:
Security permission set
Indicates who is allowed to receive a certificate of this type. This decision is enforced by the CA, and requires that the certificate requester securely authenticate itself to the CA. See Set security permissions and delegate control of certificate templates for procedures to set security permissions on certificate templates.
The name that is displayed in the user interface when the client or administrator selects a certificate template.
Extended Key Usages
Identifies the purpose of the certificate, such as e-mail protection, CTL signing, and so on. It is represented by Object Identifiers (OIDS).
Identifies the use of the public key in a certificate at a basic cryptographic level. Typically, it indicates whether the key may be used for a signature, key exchange, encryption, or other uses. Key Usages is stored as a bit field.
Indicates whether the resulting certificate may be used by a CA to sign lower-level certificates, which allows the construction of CA hierarchies. This value also specifies the maximum depth of the hierarchy beneath the certificate.
Default CSP List
Contains the names of the cryptographic service providers (CSPs) that may be used if the enrollment takes place outside of the normal Windows user interface. There are specific constraints on the CSPs used for certain types of certificates, and this list verifies that certificates enrolled by the system will meet those constraints. For example, EFS requires the Microsoft RSA CSP.
Include E-Mail Name
Indicates that the e-mail name of the principal should be included in the certificate, if there is one.
Machine Certificate Template
Indicates whether the certificate template is appropriate for a computer or a user.
For procedures to manage certificate templates, see Manage Certificate Templates for an Enterprise CA