Controlling enrollment access to certificate templates
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Certificate templates are published on a server. Each template carries an access control list (ACL) that defines which operations a subject is permitted to perform on that template, including whether it can request certificates based on it.
Setting | Description
---|---
Full Control | The selected group or user can perform any action on this template.
Read | The selected group or user can read this template.
Write | The selected group or user can modify this template.
Enroll | The selected group or user can submit a certificate issuance or renewal request based on this template.
Autoenroll | The selected group or user can submit a certificate request based on this template by way of autoenrollment. This option does not work unless the Enroll permission is also granted.
The most common configuration is to let subjects enroll for certificates through autoenrollment. In this case, the subject must be granted the Read, Enroll, and Autoenroll permissions. If autoenrollment is not wanted but manual or Web-based enrollment is, granting the Read and Enroll permissions is appropriate. Subjects that already hold a certificate need only Read and Enroll permissions to renew it, whether or not they renew through autoenrollment.
Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured.
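The following script is an added example, not code from the original article or from Microsoft. It reads the ACL of every certificate template in the forest, translates each access control entry into the permission names used in the table above (Read, Write, Enroll, Autoenroll, Full Control), and lists any Write or Full Control holder that is not one of the CA manager principals you expect, which is the check the last paragraph calls for. It assumes the ActiveDirectory PowerShell module is installed, that the caller can read the Configuration partition, and that `$TrustedTemplateAdmins` is a placeholder you replace with your own CA manager group(s); the function name `Get-TemplatePermissionReport` is also an assumption of this example.

```powershell
# Added example (not from the original article): audit certificate template ACLs.
# Assumptions: ActiveDirectory module available; caller can read the Configuration
# partition; $TrustedTemplateAdmins is a placeholder for your CA manager group(s).

Import-Module ActiveDirectory

$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known GUIDs of the extended rights behind the Enroll and Autoenroll permissions.
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-11d2-9e3f-0000f87a5d84'   # Certificate-AutoEnrollment

# Placeholder: principals that legitimately hold Write or Full Control on templates.
$TrustedTemplateAdmins = @("$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

# Conservative mapping: any right that can alter the template object or its ACL counts as Write.
$WriteMask = $ADRights::WriteProperty -bor $ADRights::WriteDacl -bor $ADRights::WriteOwner -bor $ADRights::GenericWrite

function Get-TemplatePermissionReport {
    # Templates live in the Configuration partition under Public Key Services.
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $base      = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties displayName

    foreach ($template in $templates) {
        # The AD: drive is created by the ActiveDirectory module and exposes object ACLs.
        $acl = Get-Acl -Path ("AD:\" + $template.DistinguishedName)

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # only grants are reported here
            $rights = $ace.ActiveDirectoryRights
            $perms  = New-Object System.Collections.Generic.List[string]

            if (([int]($rights -band $ADRights::GenericAll)) -eq [int]$ADRights::GenericAll) {
                $perms.Add('Full Control')                          # every bit set: Full Control
            } else {
                if (([int]($rights -band $ADRights::ReadProperty)) -ne 0) { $perms.Add('Read') }
                if (([int]($rights -band $WriteMask)) -ne 0)              { $perms.Add('Write') }

                # Enroll / Autoenroll are extended rights identified by the ACE's ObjectType GUID.
                if (([int]($rights -band $ADRights::ExtendedRight)) -ne 0) {
                    $allExtended = ($ace.ObjectType -eq [guid]::Empty)    # empty GUID = all extended rights
                    if ($allExtended -or ($ace.ObjectType -eq $EnrollRightGuid))     { $perms.Add('Enroll') }
                    if ($allExtended -or ($ace.ObjectType -eq $AutoEnrollRightGuid)) { $perms.Add('Autoenroll') }
                }
            }

            if ($perms.Count -eq 0) { continue }   # ACE grants nothing the snap-in would show

            [pscustomobject]@{
                Template    = $template.displayName
                Identity    = $ace.IdentityReference.Value
                Permissions = ($perms -join ', ')
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Report principals outside the trusted list that can modify a template.
$report = Get-TemplatePermissionReport
$report |
    Where-Object { ($_.Permissions -match 'Write|Full Control') -and ($TrustedTemplateAdmins -notcontains $_.Identity) } |
    Sort-Object Template, Identity |
    Format-Table Template, Identity, Permissions, Inherited -AutoSize
```

Run it from an account that can read the Configuration partition; the full `$report` object can also be exported (for example with `Export-Csv`) to compare template permissions over time, so that a newly granted Write or Full Control entry stands out against a known-good baseline. Because Autoenroll only works when Enroll is also granted, rows that show `Autoenroll` without `Enroll` indicate a template whose autoenrollment is silently not taking effect.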