Configuring a certification authority to support certificate template options
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certificate templates are configuration elements of a Windows Server 2003, Enterprise Edition, certification authority (CA). Many of the benefits of editable templates depend on a properly configured CA. Although the default configuration of a CA supports most of the available template functions, some deployment requirements call for reconfiguring the CA as well.
Key archival and recovery
When you want key archival and recovery on a certification authority, three complementary configuration settings must be made; if any one of them is missing, the CA will not archive the private key.
The certificate template must be configured to allow key archival. For more information, see Configure a certificate template for key archival and recovery.
One or more key recovery agents must be identified on the certification authority and key recovery agent certificates must be issued to those agents. For more information, see Certificate Services example implementation: Key archival and recovery and Identify a key recovery agent.
Key archival must be configured on the certification authority. For more information, see Enable key archival.
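The following PowerShell script is an added example, not part of the original article, that checks all three settings together from the CA itself. It assumes CA administrator rights on the CA, read access to the Configuration partition of Active Directory, that the CA keeps its copies of the key recovery agent (KRA) certificates in the LocalMachine KRA store, and a hypothetical template name `ArchivedUserEncryption`.

```powershell
# Added example, not from the original article. Verifies the three key archival
# settings: the template flag, the KRA certificates registered on the CA, and the
# CA's "number of recovery agents to use". Run on the CA as a CA administrator.
$TemplateName = 'ArchivedUserEncryption'   # hypothetical template common name

# Setting 1: the template's "Archive subject's encryption private key" check box
# sets CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL (0x1) in msPKI-Private-Key-Flag.
function Test-TemplateKeyArchival([string]$Name) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $template = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $flags    = [int]$template.Properties['msPKI-Private-Key-Flag'].Value
    return (($flags -band 0x1) -ne 0)
}

# Settings 2 and 3 live in the CA's registry configuration: KRACertHash lists the
# hashes of the KRA certificates the CA encrypts archived keys to, and
# KRACertCount is how many of them it uses per request (0 disables archival).
function Get-CAKeyArchivalConfig {
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $base).Active
    $cfg    = Get-ItemProperty -Path "$base\$caName"
    New-Object PSObject -Property @{
        CAName       = $caName
        KRACertCount = [int]$cfg.KRACertCount
        KRACertHash  = @($cfg.KRACertHash | Where-Object { $_ })
    }
}

# A registered hash is only useful if the matching certificate is present in the
# CA's KRA store (assumed here to be LocalMachine\KRA); report any that are not.
function Get-MissingKRACertificates([string[]]$Hashes) {
    $present = @(Get-ChildItem -Path Cert:\LocalMachine\KRA -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Thumbprint.ToLower() })
    $Hashes | Where-Object { $present -notcontains (($_ -replace '\s', '').ToLower()) }
}

$ca = Get-CAKeyArchivalConfig
$problems = @()
if (-not (Test-TemplateKeyArchival $TemplateName)) {
    $problems += "Template '$TemplateName' does not require key archival (msPKI-Private-Key-Flag bit 0x1 is clear)."
}
if ($ca.KRACertHash.Count -eq 0) {
    $problems += "No key recovery agent certificate is registered on CA '$($ca.CAName)'."
}
elseif ($ca.KRACertCount -lt 1 -or $ca.KRACertCount -gt $ca.KRACertHash.Count) {
    $problems += "KRACertCount is $($ca.KRACertCount) but $($ca.KRACertHash.Count) KRA certificate(s) are registered; archival is off or misconfigured."
}
$missing = @(Get-MissingKRACertificates $ca.KRACertHash)
if ($missing.Count -gt 0) {
    $problems += "Registered KRA hash(es) with no certificate in the KRA store: $($missing -join ', ')"
}

if ($problems.Count -eq 0) {
    Write-Output "Key archival is configured: template '$TemplateName' archives keys; CA '$($ca.CAName)' encrypts each archived key to $($ca.KRACertCount) of $($ca.KRACertHash.Count) KRA certificate(s)."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Because the three settings are independent, each one is reported separately rather than stopping at the first failure: a template that requests archival against a CA with no KRA registered fails enrollment, while a CA with archival enabled silently issues non-archived certificates for a template that lacks the flag. After an enrollment, `certutil -getkey <serial number> <output file>` on the CA confirms that an archived key blob exists for the certificate.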
Cryptographic service provider
When a cryptographic service provider (CSP) is selected for a certificate template, the selected CSP must be installed both on the client computer (or device, if not a computer) that will enroll and on the computer where the certificate template is edited. If the CSP is not installed on the client, it is not available for enrollment requests, which renders the certificate template useless until the configuration is corrected.
When selecting CSPs for a certificate template, the intended use of the certificate must also be considered: the CSP must provide the cryptographic functionality the certificate is meant for, or the template is useless. For example, if a template is created for clients to use with Encrypting File System (EFS) and the selected CSP is Microsoft Base DSS and Diffie-Hellman Cryptographic Provider, which does not provide encryption functionality, the issued certificates will not be able to encrypt files.
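The following PowerShell script is an added example, not part of the original article. It reads a template's CSP list from Active Directory and compares it with the CSPs installed on the computer it runs on, flagging providers that are missing and providers whose type cannot perform the RSA encryption EFS needs. It assumes read access to the Configuration partition, a hypothetical template name `EFSUsers`, and that the intended use is EFS; the provider type numbers are the standard `PROV_*` constants from wincrypt.h.

```powershell
# Added example, not from the original article. Run this on the enrolling client
# and on the computer that edits the template; both must have every listed CSP.
$TemplateName = 'EFSUsers'   # hypothetical template common name

# PROV_* provider types from wincrypt.h. Only RSA providers offer the key
# exchange (encryption) capability EFS uses; DSS and Diffie-Hellman providers sign
# and agree keys but cannot encrypt the EFS file encryption key.
$RsaProviderTypes = @{ 1 = 'PROV_RSA_FULL'; 12 = 'PROV_RSA_SCHANNEL'; 24 = 'PROV_RSA_AES' }
$NonEncryptingTypes = @{ 2 = 'PROV_RSA_SIG'; 3 = 'PROV_DSS'; 13 = 'PROV_DSS_DH'; 18 = 'PROV_DH_SCHANNEL' }

# pKIDefaultCSPs holds entries such as "1,Microsoft Enhanced Cryptographic Provider v1.0";
# the number is the preference order, the remainder is the provider name.
function Get-TemplateCspNames([string]$Name) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.Properties['configurationNamingContext'].Value
    $template = [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    foreach ($entry in @($template.Properties['pKIDefaultCSPs'])) {
        ($entry -split ',', 2)[1].Trim()
    }
}

# Installed CSPs are registered under this key; each subkey's Type value is the
# provider type. The same list is what "certutil -csplist" prints.
function Get-InstalledCsps {
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    $installed = @{}
    Get-ChildItem -Path $key | ForEach-Object {
        $installed[$_.PSChildName] = [int](Get-ItemProperty -Path $_.PSPath).Type
    }
    $installed
}

$installed = Get-InstalledCsps
foreach ($csp in Get-TemplateCspNames $TemplateName) {
    if (-not $installed.ContainsKey($csp)) {
        Write-Warning "Template '$TemplateName' lists '$csp', which is not installed on $env:COMPUTERNAME; enrollment with it fails here."
        continue
    }
    $type = $installed[$csp]
    if ($RsaProviderTypes.ContainsKey($type)) {
        Write-Output "OK: '$csp' (type $type, $($RsaProviderTypes[$type])) is installed and can encrypt; usable for EFS."
    }
    elseif ($NonEncryptingTypes.ContainsKey($type)) {
        Write-Warning "'$csp' is installed but is type $type ($($NonEncryptingTypes[$type])); certificates issued under it cannot encrypt files, so the template is unusable for EFS."
    }
    else {
        Write-Warning "'$csp' is installed with provider type $type; confirm it supports the intended use before relying on it."
    }
}
```

Run the script on a representative client as well as on the administrative workstation: a template edited where a provider exists but deployed to clients that lack it shows the missing-CSP warning only on the client, which is exactly the case the text above describes.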