Greetings,
I wasn't sure where to post this as there wasn't a PKI/MS-CA forum. But
here goes:

We deployed Enterprise CA on Windows 2000 and recently upgraded the domain
to Windows 2003 Enterprise (schema, native mode, etc.).

The User Certificates issued are still based on the v1 template "user". We
want to change the certificate lifespan from 1 to 4 years. The same with
computer certificates.

Can I replace the v1 user template with a v2 template so that it is editable?
Can I edit the v1 template somehow? The v1 templates are mostly greyed out
in CertTempl.msc.


Help.
Mike
--
---
Mike Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges

Re: Changing Cert template in Win2k3 Enterprise PKI CA by Brian

Brian
Fri Sep 16 14:00:27 CDT 2005

In article <B1F02275-610F-4BD3-9997-2E504109756F@microsoft.com>,
MikeRuiz@discussions.microsoft.com says...
>
> Can I replace the v1 user template with a v2 template so that it is editable?
> Can I edit the v1 template somehow? The v1 templates are mostly greyed out
> in CertTempl.msc
>
>
You must duplicate the template, and then make modifications to the
newly created version 2 certificate template. You can then set the new
template to Supersede the previous template.

For more information, see my whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

Brian

Re: Changing Cert template in Win2k3 Enterprise PKI CA by MikeRuiz

MikeRuiz
Fri Sep 16 14:18:02 CDT 2005

As an additional update,
I tried the supersede template option and:

1) The web interface still issues 1 year user certificates
2) The MMC snap in lists the new template but it denies the request
3) the cert templates folder in the CA manager snap in lists User and the
properties show User as the template now the new Userv2.

Any further assistance would be appreciated
--
---
Mike Ruiz
Network and Enterprise Systems Engineer
Hobart and William Smith Colleges


"Brian Komar [MVP]" wrote:

> In article <B1F02275-610F-4BD3-9997-2E504109756F@microsoft.com>,
> MikeRuiz@discussions.microsoft.com says...
> >
> > Can I replace the v1 user template with a v2 template so that it is editable?
> > Can I edit the v1 template somehow? The v1 templates are mostly greyed out
> > in CertTempl.msc
> >
> >
> You must duplicate the template, and then make modifications to the
> newly created version 2 certificate template. You can then set the new
> template to Supersede the previous template.
>
> For more information, see my whitepaper:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx
>
> Brian
>

Re: Changing Cert template in Win2k3 Enterprise PKI CA by Brian

Brian
Fri Sep 16 16:47:02 CDT 2005

It sounds like some steps were missed:

In article <0DEF2E3A-02CB-49A3-B58A-15C44E7AE3EC@microsoft.com>,
MikeRuiz@discussions.microsoft.com says...
> As an additional update,
> I tried the supersede template option and:
>
> 1) The web interface still issues 1 year user certificates

You want to remove the User certificate template at the CA so it is no
longer available for enrollment.

> 2) The MMC snap in lists the new template but it denies the request

What is the error message listed in the CA's event viewer? Denied the
request is not enough to go on <G>

> 3) the cert templates folder in the CA manager snap in lists User and the
> properties show User as the template now the new Userv2.

That is correct. You have to add the new certificate template as a new
template and remove the old User template. You cannot convert a v1
template into a v2 template. You can only copy a v1 (or v2) template,
creating a new v2 template.

>
> Any further assistance would be appreciated
>
I would highly recommend reading the previously referenced whitepaper