Key Recovery Agent Certificate Template
Although this template was not mentioned as one of Fabrikam’s requirements, it is a requirement to issue at least one Key Recovery Agent certificate to support Key Archival. This step is only necessary if there is not another Windows Enterprise CA configured to issue certificates based on the Key Recovery Agent template.
For this example, however, let’s assume that there is not and go ahead and configure the Key Recovery Agent template. The only setting that requires modification is the permissions. We’ll assign enroll permissions to the Fabrikam KRA security group so that members of that group can enroll for a Key Recovery Agent certificate.
Open the Key Recovery Agent certificate template by double-clicking it, select the Security tab, and click Add…
Enter the name Fabrikam KRA and click the Check Names button.
After the name of the security group is resolved, click OK.
Check the Enroll permission.
Configuring the CA to issue certificates
To configure the CA to issue the desired certificate templates, I right-click on the Certificate Templates folder, select New, then select Certificate Templates to Issue from the context menu.
Then I select the certificate templates I wish to issue, by holding down the control key and selecting multiple templates, and then clicking OK.
This CA can now issue certificates based on the selected certificate templates.
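The two steps above can also be checked and performed from PowerShell. This is an added example, not part of the original post: it assumes the ActiveDirectory (RSAT) and ADCSAdministration modules, a session on the CA with CA administrator rights, and the built-in template short name KeyRecoveryAgent. It lists every principal that holds Enroll on the template, so anything other than the Fabrikam KRA group stands out, and then publishes the template on the CA.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# ADCSAdministration modules and that it is run on the CA by a CA administrator.
Import-Module ActiveDirectory, ADCSAdministration

$templateName  = 'KeyRecoveryAgent'   # short name of the built-in KRA template
$expectedGroup = 'Fabrikam KRA'       # group given Enroll in this walkthrough
# Extended-right GUID for Certificate-Enrollment ("Enroll")
$enrollGuid    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates live in the forest's configuration partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"

# Collect every Allow ACE that grants Enroll, either explicitly or through
# an "all extended rights" / Full Control entry (empty ObjectType)
$extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers = (Get-Acl -Path "AD:\$templateDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and
    ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
}

# Show who can enroll and mark entries that are not the intended group
$enrollers | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited,
    @{ Name = 'IsExpectedGroup'
       Expression = { $_.IdentityReference.Value -like "*\$expectedGroup" } } |
    Format-Table -AutoSize

if (-not ($enrollers | Where-Object {
        $_.IdentityReference.Value -like "*\$expectedGroup" })) {
    Write-Warning "'$expectedGroup' does not have Enroll on $templateName."
}

# Publish the template on this CA if it is not already being issued
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Add-CATemplate -Name $templateName -Force
}

# Confirm the list of templates the CA now issues
Get-CATemplate | Select-Object Name, Oid
```

Because a Key Recovery Agent certificate allows decryption of archived private keys, review any row where IsExpectedGroup is False before issuing from this template.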
Conclusion
That’s really all there is to it. While in this segment we only modified a few properties of our templates, in the vast majority of cases there should be no need for making extreme changes. The default templates should be sufficient for most implementations, and the changes we made were more to ease certificate deployment than actually create truly custom templates. Perhaps in a later blog post we’ll cover some of the more esoteric settings. However, this shouldn’t stop you from exploring on your own using the online help.
In Part IV of this series we’ll cover implementing Web Enrollment and Key Archival.