Hey everyone! Now that I’ve installed the Enterprise Root CA, it’s time to move forward and start issuing certificates. But before any certificates can be requested or auto-enrolled, I need to configure and publish certificate templates.
In this blog, I’ll walk you through how I create, customize, and publish certificate templates for users, computers, and services like web servers.
🎯 What Are Certificate Templates?
Certificate templates define the rules and settings for certificates—things like:
- What they’re used for (e.g., client auth, server auth)
- How long they’re valid
- Who can request them
- Whether they’re auto-enrolled
Windows comes with several built-in templates, but I usually create custom duplicates to better suit my environment.
🛠️ Step 1: Open the Certificate Templates Console
On my CA server:
- Open Server Manager
- Go to Tools → Certificate Templates
- This opens the Certificate Templates Console
Here I can view all the default templates provided by Microsoft.
🔄 Step 2: Duplicate a Template
Instead of modifying a default template (which I don’t recommend), I duplicate it:
Let’s say I want to create a computer certificate template for domain-joined devices.
- Right-click Computer → Duplicate Template
- Choose the compatibility settings: if your domain controllers are Windows Server 2016+, select Windows Server 2016 or later
- In the Properties window, I modify:
➕ General Tab
- Template display name: MAHARJAN Computer Certificate
- Validity period: e.g., 2 years
- Renewal period: e.g., 6 weeks
👤 Request Handling Tab
- Purpose: Signature and encryption
- Allow private key to be exported (optional)
🔐 Security Tab
- Add the Domain Computers group
- Grant Read, Enroll, and Autoenroll permissions
💳 Subject Name Tab
- Select Build from this Active Directory information
- Check DNS name and User principal name (UPN) as needed
Click OK to save the template.
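To confirm the saved template actually carries the settings chosen on the General and Subject Name tabs, I can read it back from Active Directory, where templates live under the Configuration partition. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined admin session, and that the template's internal name (cn) is the display name with spaces removed, which is the default when duplicating a template.

```powershell
# Added example: read the new template back from AD and check its key settings.
# Assumes: RSAT ActiveDirectory module; template cn = display name without spaces (default).
Import-Module ActiveDirectory

$templateName = 'MAHARJANComputerCertificate'
$configNC     = (Get-ADRootDSE).configurationNamingContext
$templateBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $templateBase -Filter "cn -eq '$templateName'" `
         -Properties displayName, 'msPKI-Certificate-Name-Flag', pKIExpirationPeriod, pKIOverlapPeriod

if (-not $tpl) { throw "Template '$templateName' not found under $templateBase" }

# Validity and renewal periods are stored as negative 64-bit intervals in 100-ns units.
function Convert-PkiPeriod([byte[]]$bytes) {
    $ticks = [BitConverter]::ToInt64($bytes, 0)
    [TimeSpan]::FromTicks(-$ticks)
}

# Bit 0x1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) is set when "Supply in the request" was
# chosen on the Subject Name tab instead of "Build from this Active Directory information".
$nameFlag          = [int]$tpl.'msPKI-Certificate-Name-Flag'
$subjectFromAD     = (($nameFlag -band 0x1) -eq 0)

[pscustomobject]@{
    DisplayName    = $tpl.displayName
    ValidityPeriod = Convert-PkiPeriod $tpl.pKIExpirationPeriod   # expect 2 years
    RenewalPeriod  = Convert-PkiPeriod $tpl.pKIOverlapPeriod      # expect 6 weeks
    SubjectFromAD  = $subjectFromAD                               # expect True
}

if (-not $subjectFromAD) {
    Write-Warning "Subject name is supplied by the requester; re-check the Subject Name tab before granting Enroll to a broad group."
}
```

Building the subject from AD (as chosen above) means the CA, not the requester, decides what identity goes into the certificate, which is why the check warns when the flag says otherwise.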
📤 Step 3: Publish the Template to the CA
Now I need to make this template available for use.
- Open the Certification Authority console (certsrv.msc)
- Right-click Certificate Templates → New → Certificate Template to Issue
- Select MAHARJAN Computer Certificate (or whatever name I used)
✅ It’s now published to the CA!
🧪 Step 4: Test Manual Enrollment (Optional)
From a domain-joined client:
- Open certmgr.msc
- Go to Personal → Certificates
- Right-click → All Tasks → Request New Certificate
- Select the new MAHARJAN Computer Certificate template
If everything is working, I should be able to request and receive a certificate.
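The same two steps (publish on the CA, then test an enrollment) can be scripted. This is an added example, not code from the original post; the first part assumes the ADCSAdministration module that ships with the CA role and must run on the CA server, the second part assumes the built-in PKI module on any domain-joined machine (the CA host itself works for a quick test) in an elevated session, and the template's internal name is assumed to be the display name without spaces.

```powershell
# Added example: publish the template on the CA, then request a computer certificate.
# Assumes: ADCSAdministration module (CA server), PKI module (client), elevated session,
# template cn = 'MAHARJANComputerCertificate' (display name without spaces, the default).
$templateName = 'MAHARJANComputerCertificate'

# --- Part 1: on the CA server (equivalent of "Certificate Template to Issue") ---
Import-Module ADCSAdministration
if (-not (Get-CATemplate | Where-Object Name -eq $templateName)) {
    Add-CATemplate -Name $templateName -Force
}
# Confirms the CA now lists the template as issuable
Get-CATemplate | Where-Object Name -eq $templateName

# --- Part 2: on a domain-joined machine, elevated (machine store) ---
# A computer certificate belongs in the local machine store, and the Enroll ACE granted
# to Domain Computers is what allows the machine account to request this template.
$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete: status is '$($result.Status)'"
}
# Subject should be built from AD (the machine's DNS name), never typed by the requester
$result.Certificate | Format-List Subject, NotBefore, NotAfter, Thumbprint, EnhancedKeyUsageList
```

If `Status` comes back as `Pending`, the CA is set to hold requests for approval; if it errors, the usual causes are the template not being published yet or the machine account lacking the Enroll permission on the Security tab.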
💡 Common Templates I Use
Here are a few templates I usually create in real-world environments:
| Template | Based On | Use Case |
|---|---|---|
| MAHARJAN User Certificate | User | Smart card logon, S/MIME |
| MAHARJAN Computer Certificate | Computer | Computer auth, RADIUS |
| MAHARJAN Web Server SSL | Web Server | IIS/Exchange SSL |
| MAHARJAN RDP TLS | Computer | Securing Remote Desktop |
🧭 What’s Next?
In the next blog, I’ll show how to configure auto-enrollment so certificates can be issued automatically to all domain-joined users and computers—no manual requests needed.