Publishing Certificate Templates for Enrollment

Before enrolling a certificate manually, automatically, or through a scripting method, you must ensure that the certificate templates are available for enrollment at a CA. This process is known as "publishing the certificate template at the CA." The following procedure publishes a certificate template:

1. Log on at the CA computer as a user assigned the CA administrator role.

2. From Administrative Tools, open the Certification Authority console.

3. In the console tree, expand CAName (where CAName is the logical name of the CA) and click Certificate Templates.

4. In the console tree, right-click Certificate Templates, point to New and click Certificate Template to Issue.

5. In the Enable Certificate Templates dialog box, select one or more certificate templates not currently published at the CA and click OK.

Note: Version 2 certificate templates are only available if the enterprise CA is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition. If the enterprise CA is running Windows Server 2003, Standard Edition, the Enable Certificate Templates dialog box only displays the available version 1 certificate templates.

Once you add the certificate templates, they are available for enrollment. The list of published certificate templates is defined on a CA-by-CA basis, allowing the availability of different certificate templates at each enterprise CA in the CA hierarchy.

If you want to remove a certificate template, select the certificate template or templates in the details pane and press Delete. After confirming the deletion, the certificate templates are no longer available for enrollment.

Scripting the Publishing of Certificate Templates

Alternatively, you can use the certutil command to add or remove certificate templates from a CA. For example, the following script sample removes the default certificate templates and publishes only the Basic Encrypting File System (EFS), CA Exchange, EFS Recovery Agent, and Key Recovery Agent certificate templates:

::Remove the default templates for a W2K3 CA.
certutil -SetCAtemplates -Administrator
certutil -SetCAtemplates -DirectoryEmailReplication
certutil -SetCAtemplates -DomainControllerAuthentication
certutil -SetCAtemplates -EFSRecovery
certutil -SetCAtemplates -EFS
certutil -SetCAtemplates -DomainController
certutil -SetCAtemplates -WebServer
certutil -SetCAtemplates -Machine
certutil -SetCAtemplates -User
certutil -SetCAtemplates -SubCA

::Publish the required certificate templates
certutil -SetCAtemplates +EFS
certutil -setCAtemplates +KeyRecoveryAgent
certutil -setCAtemplates +EFSRecovery
certutil -setCAtemplates +CAExchange

As shown here, the certutil -setCAtemplates command can either add templates (+Template name) or remove templates (-Template name). You can use this command in a batch file to define the exact set of certificate templates that must be published at a specific CA.
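The script above hard-codes the default template names, so any template published later stays published. The following batch file is an added example, not part of the original article: it reads what the CA currently publishes and reconciles it against an allow-list. The ALLOWED list and the RUN dry-run switch are names chosen for this example, and the parsing assumes that each template line printed by certutil -CATemplates begins with the template name followed by a colon.

```batch
@echo off
setlocal

:: Allow-list for this CA (sample values: the four templates named in the article).
set "ALLOWED=EFS KeyRecoveryAgent EFSRecovery CAExchange"

:: Dry-run switch (hypothetical name): the certutil changes are only echoed.
:: Change the next line to   set "RUN="   to apply them.
set "RUN=echo [dry-run]"

:: Pass 1: unpublish every template that is published but not on the allow-list.
:: The certutil status line ("CertUtil: ... completed successfully.") is filtered out
:: so that it is not mistaken for a template named CertUtil.
for /f "tokens=1 delims=:" %%T in ('certutil -CATemplates ^| findstr /v /b /i /c:"CertUtil:"') do (
    set "KEEP="
    for %%A in (%ALLOWED%) do if /i "%%T"=="%%A" set "KEEP=1"
    if not defined KEEP (
        echo Not on allow-list: %%T
        %RUN% certutil -SetCAtemplates -%%T
    )
)

:: Pass 2: publish every allow-listed template that is not yet published.
:: The trailing ": " in the search string keeps EFS from matching EFSRecovery.
for %%A in (%ALLOWED%) do (
    certutil -CATemplates | findstr /i /b /c:"%%A: " >nul
    if errorlevel 1 (
        echo Missing from CA: %%A
        %RUN% certutil -SetCAtemplates +%%A
    )
)

endlocal
```

Run it at the CA as a user assigned the CA administrator role. In dry-run mode the output doubles as an audit of templates published outside the intended set.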


Responses

  • kevin
    How to delete default certificate templates?
    7 years ago
  • camryn
    How to publish ca templates?
    10 months ago
  • jukka-pekk
    How to publish IPSec Certificate Template?
    8 months ago
  • addolorata
    Where are certificate templates published to?
    10 days ago
  • brigitte
    How to publish certificate templates from DC to cert server?
    5 days ago
