Configure the User Certificate Template

 

Applies To: Windows Server 2012

You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for user certificates that are enrolled to domain users or members of other groups that you specify.

Note

If you want to enroll user certificates to members of groups other than the Domain Users group, remove the Domain Users group from the template's access control list (ACL) while performing this procedure, and then add the groups you prefer to the ACL. After you add new groups to the ACL, ensure that you allow Enroll and Autoenroll permissions.

Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

To configure the certificate template and autoenrollment

  1. On CA1, in Server Manager, click Tools, and then click Certification Authority. The Certification Authority Microsoft Management Console (MMC) opens.

  2. In the MMC, double-click the CA name, right-click Certificate Templates, and then click Manage.

  3. The Certificate Templates console opens. All of the certificate templates are displayed in the details pane.

  4. In the details pane, click the User template.

  5. On the Action menu, click Duplicate Template. The Properties of New Template dialog box opens.

  6. In Properties of New Template, on the General tab, in Display Name, type a new name for the certificate template or keep the default name.

  7. Click the Security tab. In Group or user names, click Domain Users.

  8. In Permissions for Domain Users, under Allow, ensure that Enroll is selected, and then select the Read and Autoenroll check boxes.

  9. Click the Subject Name tab. Ensure that Build from this Active Directory information is selected. Also ensure that Subject name format has the value of Fully distinguished name. In Include this information in alternate subject name, ensure that User principal name (UPN) is selected.

    Important

    On the Subject Name tab, ensure that the following items are not selected: In Subject name format, ensure that Include e-mail name in subject name is not selected. In Include this information in alternate subject name, ensure that E-mail name is not selected.

  10. Click OK, and close the Certificate Templates MMC.

  11. In the Certification Authority MMC, click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.

  12. Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of User, and then click OK.
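To confirm the result without reopening the console, the following added example (not part of the original procedure) reads the duplicated template from Active Directory and reports the Subject Name settings from step 9 and which principals hold Enroll and Autoenroll from step 8. It assumes the ActiveDirectory RSAT module is installed and that the template kept the default display name Copy of User; the variable names are illustrative, and it reports only explicit Enroll and Autoenroll entries, not Read or Full Control.

```powershell
# Added example: read-only check of the duplicated template against steps 8 and 9.
# Assumes the ActiveDirectory RSAT module and the default display name "Copy of User".
Import-Module ActiveDirectory

$DisplayName = 'Copy of User'   # change if you typed another name in step 6

# msPKI-Certificate-Name-Flag bits (MS-CRTD) behind the Subject Name tab
$Bits = [ordered]@{
    EnrolleeSuppliesSubject = 0x00000001   # "Supply in the request"
    SanRequireUpn           = 0x02000000   # UPN in alternate subject name
    SanRequireEmail         = 0x04000000   # E-mail name in alternate subject name
    SubjectRequireEmail     = 0x20000000   # Include e-mail name in subject name
    SubjectFullDN           = 2147483648   # 0x80000000, in decimal so it stays positive
}

# Extended-right GUIDs behind the Enroll and Autoenroll check boxes
$Rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}

$base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
        (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase $base -Filter "displayName -eq '$DisplayName'" `
        -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
if (-not $tpl) { throw "Template '$DisplayName' not found under $base" }

# AD stores the flag as a signed 32-bit integer; normalise it to an unsigned value
$flag = [int64]($tpl.'msPKI-Certificate-Name-Flag') -band 4294967295
$set  = @{}
foreach ($k in $Bits.Keys) { $set[$k] = [bool]($flag -band $Bits[$k]) }

# Step 9 expects the first three values True and the last two False
[pscustomobject]@{
    BuildFromAD       = -not $set.EnrolleeSuppliesSubject
    FullyDistinguished = $set.SubjectFullDN
    UpnInSan          = $set.SanRequireUpn
    EmailInSubject    = $set.SubjectRequireEmail
    EmailInSan        = $set.SanRequireEmail
}

# Step 8: list every principal explicitly allowed Enroll or Autoenroll
$tpl.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $Rights.ContainsKey("$($_.ObjectType)") } |
    Select-Object IdentityReference,
                  @{ n = 'Right'; e = { $Rights["$($_.ObjectType)"] } }
```

If you replaced Domain Users with other groups as described in the Note, the second table should list only those groups.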