User Certificate Template
We’ll use essentially the same process to duplicate the default User template and modify the resulting v2 template to suit Fabrikam’s requirements.
Just as with the default WebServer, we’ll duplicate the existing User template to create the custom v2 template. We need to do this because the default User template is a v1 template, so its properties cannot be modified. One of our requirements is to enable Key Archival which requires configuring a setting in the template, so in order to do this a v2 template is required.
To create and configure our new User template:
Select the User template, right click on it, and select Duplicate Template from the context menu.
Select Windows 2003 Server, Enterprise Edition to create a v2 template.
Change the Template Display name to Fabrikam User.
Navigate to the Request Handling Tab, and select Archive subject’s encryption private key to enable key archival for this template.
Next, set permissions on the new template. Domain Users will already have Enroll permission, but since this certificate will be deployed via user Autoenrollment, Domain Users will also require Autoenroll permission. The permissions, when set properly, should look like this:
Once all the necessary changes have been made, click Ok to commit the new template and save it to Active Directory. The Fabrikam User template is now ready to be added to the CA.
|
