Methods for Updating a Certificate Template

In your CA hierarchy, you might have one certificate template for each job function, such as file encryption or code signing, or a few templates that cover functions for most common groups of subjects. You might have to modify an existing certificate template as a result of incorrect settings that were defined in the original certificate template, or you might want to merge multiple existing certificate templates into a single template.

There are two ways to update a certificate template. You either modify the existing template in place, which is possible only for a version 2 template, or you create a new template that supersedes it.

You can modify a version 2 certificate template at any time. After you make the changes, all new certificate enrollees receive the new settings. Certificates that were issued before the change are not altered by it; they remain valid with their original contents until they expire or are revoked. To push the new settings to clients that already hold certificates based on the template, right-click the template in the Certificate Templates snap-in and select Reenroll All Certificate Holders. This increments the template's major version number, and clients that obtained their certificate through autoenrollment re-enroll on their next autoenrollment cycle; certificates that were enrolled manually must be renewed manually. This is an effective way to make sweeping changes to certificates deployed to users and computers in your organization. For example, if you determined that a certificate's key could be compromised in less than one year, you could change the template's validity period to six months and re-enroll all certificate holders. Because re-enrollment does not revoke the previously issued certificates, revoke them as well if the concern is that they may already be compromised.

The second method of updating a certificate template is known as superseding it. You create a new version 2 certificate template with the settings you want, open its properties, and on the Superseded Templates tab add each existing template that the new one replaces. A new template can supersede several existing templates at once, so if multiple templates provide the same or similar functionality, you can consolidate them into a single template this way. Supersedence takes effect through autoenrollment: a client that holds a certificate from a superseded template, and that has Enroll and Autoenroll permission on the new template, obtains a certificate from the new template on its next autoenrollment cycle. As with modifying a template in place, superseding a template does not revoke the certificates it already issued.

When deciding whether to modify a certificate template in place or supersede it, consider the consequences of the change. For example, if a change affects only a single version 2 certificate template, and if it does not require certificates to be re-issued to all current certificate holders, you can simply modify the existing template. Nice and easy!

Keep in mind that only version 2 certificate templates support modification. If the certificate template that you want to modify is a version 1 certificate template, you must supersede the existing certificate template with a version 2 certificate template.

If the changes you are going to make to the certificate template do not affect the contents of previously issued certificates, you do not need to re-issue certificates to existing holders. For example, changing the permissions on a certificate template to allow additional groups to enroll does not change any certificate already issued, so no re-issuance is required. It does change who can obtain certificates from that template from now on, so review such a change as carefully as any other.

Certificate management can be time-consuming, especially in an environment that issues a large number of certificates to users and computers. The load on the issuing CA increases, CRLs get bigger, and the end user certificate management can be harrowing. To ease this potential strain on your CAs and end users, consider consolidating multiple existing certificate templates into a single certificate template.

Superseding is therefore the only way to change a version 1 certificate template. By superseding it with a version 2 certificate template, you effectively replace its settings: for example, you could create a new version 2 template that performs the same functions as the original but has a different certificate lifetime, a larger minimum key size, or different application and issuance policies.

In summary, you can update an existing certificate template in two ways. The first is to modify a version 2 certificate template in place at any time. The second is to supersede an existing certificate template with a new version 2 template. If the template you want to update is version 1, or if you want to combine multiple templates into a single template, you must supersede the existing template or templates. After you make the changes, any certificate that a CA issues based on the new or modified template includes the modifications; certificates issued earlier are unchanged until their holders re-enroll.

You should modify a template when the changes are minor and affect only a single version 2 certificate template. You should supersede a template when you are consolidating multiple templates, when you are modifying a version 1 certificate template, or when you are changing the lifetime, key size, application policies, or issuance policies.
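Before choosing between the two methods for a given template, it helps to see what your forest actually contains: which templates are version 1 (and so can only be superseded), which are already superseded and by what, and what validity period and minimum key size each one enforces. The following PowerShell script is an added example for this page, not code from the original article or from Microsoft; it reads the template objects from the Configuration partition with the RSAT ActiveDirectory module, which it assumes is installed on a domain-joined machine with read access to that partition. The attribute names (msPKI-Template-Schema-Version, msPKI-Supersede-Templates, pKIExpirationPeriod, and so on) are the real schema attributes; the function name ConvertFrom-PkiPeriod and the report column names are this example's own.

```powershell
# Added example (not from the original page): audit AD CS certificate templates to show,
# for each one, whether it can be modified in place (schema version 2 or later) or must be
# superseded (schema version 1), and what currently supersedes what.
# Assumes: RSAT ActiveDirectory module, read access to the Configuration naming context.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$props = 'displayName', 'msPKI-Template-Schema-Version', 'revision', 'msPKI-Template-Minor-Revision',
         'pKIExpirationPeriod', 'msPKI-Minimal-Key-Size', 'msPKI-Supersede-Templates',
         'msPKI-Certificate-Application-Policy', 'msPKI-RA-Policies'

$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props

# pKIExpirationPeriod is stored as an 8-byte negative FILETIME interval (100 ns units),
# which is exactly the tick unit System.TimeSpan uses.
function ConvertFrom-PkiPeriod([byte[]]$Bytes) {
    if (-not $Bytes) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

# Reverse index: template CN -> names of templates that list it on their Superseded Templates tab.
$supersededBy = @{}
foreach ($t in $templates) {
    foreach ($old in @($t.'msPKI-Supersede-Templates')) {
        if (-not $old) { continue }
        if (-not $supersededBy.ContainsKey($old)) { $supersededBy[$old] = @() }
        $supersededBy[$old] += $t.Name
    }
}

$report = foreach ($t in $templates) {
    $schema = [int]$t.'msPKI-Template-Schema-Version'
    $period = ConvertFrom-PkiPeriod $t.pKIExpirationPeriod
    [pscustomobject]@{
        Template      = $t.Name
        SchemaVersion = $schema
        # Major.minor version; Reenroll All Certificate Holders bumps the major number.
        Version       = '{0}.{1}' -f $t.revision, $t.'msPKI-Template-Minor-Revision'
        ValidityDays  = if ($period) { [math]::Round($period.TotalDays) } else { $null }
        MinKeySize    = $t.'msPKI-Minimal-Key-Size'
        Supersedes    = (@($t.'msPKI-Supersede-Templates') -join ', ')
        SupersededBy  = (@($supersededBy[$t.Name]) -join ', ')
        # A schema version 1 template cannot be edited in place; supersedence is its only update path.
        UpdatePath    = if ($schema -ge 2) { 'Modify in place or supersede' } else { 'Supersede only' }
    }
}

$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# The templates you cannot change at all: version 1 with no successor declared yet.
Write-Host "`nVersion 1 templates with no superseding template:"
$report | Where-Object { $_.SchemaVersion -eq 1 -and -not $_.SupersededBy } |
    Select-Object Template, ValidityDays, MinKeySize | Format-Table -AutoSize
```

Run it from an elevated or ordinary PowerShell session on any domain member; it only reads the directory. The second table is the one to act on when planning a consolidation: each template listed there needs a version 2 successor before its lifetime, key size, or policies can change, and the first table shows whether an existing version 2 template already covers the same function and could take it over through its Superseded Templates tab.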

