Background
Active Directory Certificate Services (ADCS) can be used to generate a number of certificates with different purposes. Active Directory Certificate Services gives four options for installation: Standalone CA or Enterprise CA, and Root or Subordinate. Enterprise CAs are only possible within an Active Directory Domain Services infrastructure. A full discussion of an enterprise PKI infrastructure is not given here, but can be found in any of the books on PKI or on Microsoft TechNet. These CAs allow multiple types of certificates to be issued automatically through a process known as autoenrollment. Users can also submit requests through a web enrollment interface or send a request to a CA administrator. Autoenrollment requires the creation and maintenance of one or more certificate templates that the issuing CAs (typically subordinate CAs) issue from, based on the requests that they receive. Many templates come with ADCS and correspond to different purposes, such as securing connections between clients and servers (e.g., IPsec and SSL), authenticating individuals and computers (e.g., smart card certificates and client certificates), and encrypting data (e.g., Encrypting File System certificates).
Standalone CAs can issue the same types of certificates that enterprise certification authorities can, but they do so without the use of autoenrollment and certificate templates. Users can send requests to a CA administrator or submit the request through web enrollment. All of the information used to specify the certificate's purpose is included in the request. A quick search on Google or Bing makes it apparent that an organization without an enterprise CA may not have a handy reference for which extensions are required when it needs to create a custom request manually on a system. This post provides the extensions that are required to reproduce the various certificate templates installed with ADCS.
The following is a list of most of the certificate templates installed with a Windows Server 2008 R2 Enterprise Edition Enterprise Certification Authority and their extensions.
| Name | Template Name | Subject Type | Purpose (if applicable) | Basic Constraints | Key Usage | Enhanced Key Usage |
|---|---|---|---|---|---|---|
| Administrator | Administrator | User | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Microsoft Trust List Signing, Encrypting File System, Secure Email, Client Authentication |
| Authenticated Session | ClientAuth | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Client Authentication |
| Basic EFS | EFS | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Encrypting File System |
| CEP Encryption | CEPEncryption | Computer | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Certificate Request Agent |
| Code Signing | CodeSigning | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Code Signing |
| Computer | Machine | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Client Authentication, Server Authentication |
| Domain Controller | DomainController | Directory e-mail replication | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Client Authentication, Server Authentication |
| EFS Recovery Agent | EFSRecovery | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | File Recovery |
| Enrollment Agent | EnrollmentAgent | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent |
| Enrollment Agent (Computer) | MachineEnrollmentAgent | Computer | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent |
| Exchange Enrollment Agent (Offline Request) | EnrollmentAgentOffline | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Certificate Request Agent |
| Exchange Signature Only | ExchangeUserSignature | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Secure Email |
| Exchange User | ExchangeUser | User | Encryption | The subject is an end-entity. | Allow key exchange only with key encryption. Critical extension. | Secure Email |
| IPSec | IPSECIntermediateOnline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | IP security IKE intermediate |
| IPSec (Offline Request) | IPSECIntermediateOffline | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | IP security IKE intermediate |
| Root Certification Authority | CA | Certification authority (CA) | | The subject is a certification authority (CA). Critical extension. | Digital signature, Certificate signing, CRL signing. Critical extension. | None |
| Router (Offline request) | OfflineRouter | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Client Authentication |
| Smartcard Logon | SmartcardLogon | User | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Client Authentication, Smart Card Logon |
| Smartcard User | SmartcardUser | User | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Secure Email, Client Authentication, Smart Card Logon |
| Subordinate Certification Authority | SubCA | Certification authority (CA) | | The subject is a certification authority (CA). Critical extension. | Digital signature, Certificate signing, CRL signing. Critical extension. | None |
| Trust List Signing | CTLSigning | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Microsoft Trust List Signing |
| User | User | User | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Encrypting File System, Secure Email, Client Authentication |
| User Signature Only | UserSignature | User | Signature | The subject is an end-entity. | Digital signature. Critical extension. | Secure Email, Client Authentication |
| Web Server | WebServer | Computer | Signature and Encryption | The subject is an end-entity. | Digital signature, Allow key exchange only with key encryption. Critical extension. | Server Authentication |
The following templates are also installed by default but are not covered in the table above:
- CA Exchange
- Cross Certification Authority
- Directory Email Replication
- Domain Controller Authentication
- Kerberos Authentication
- Key Recovery Agent
- OCSP Response Signing
- RAS and IAS Server
- Workstation Authentication
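As an added example (not code from the original post), the following Python encodes the three extension columns of a table row into DER X.509 v3 extensions using only the standard library, so the bytes a manually built request must carry can be seen directly. The OIDs behind the table's friendly names are the standard X.509 and Microsoft assignments; the row values used below (Web Server, Subordinate Certification Authority) are taken from the table.

```python
# Added example: DER-encode Basic Constraints, Key Usage and Enhanced Key Usage
# (RFC 5280 section 4.2.1) for one row of the template table; stdlib only.
EKU_OID = {  # standard OIDs behind the friendly names used in the table
    "Server Authentication": "1.3.6.1.5.5.7.3.1",
    "Client Authentication": "1.3.6.1.5.5.7.3.2",
    "Code Signing": "1.3.6.1.5.5.7.3.3",
    "Secure Email": "1.3.6.1.5.5.7.3.4",
    "IP security IKE intermediate": "1.3.6.1.5.5.8.2.2",
    "Certificate Request Agent": "1.3.6.1.4.1.311.20.2.1",
    "Smart Card Logon": "1.3.6.1.4.1.311.20.2.2",
    "Microsoft Trust List Signing": "1.3.6.1.4.1.311.10.3.1",
    "Encrypting File System": "1.3.6.1.4.1.311.10.3.4",
    "File Recovery": "1.3.6.1.4.1.311.10.3.4.1",
}
# KeyUsage bit numbers; "key exchange only with key encryption" is keyEncipherment
KU_BIT = {"Digital signature": 0, "Allow key exchange only with key encryption": 2,
          "Certificate signing": 5, "CRL signing": 6}

def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8  # DER long-form length
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 127:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return _tlv(0x06, bytes(body))

def _key_usage(names):
    bits = sum(0x80 >> KU_BIT[n] for n in set(names))  # bit 0 is the MSB
    unused = (bits & -bits).bit_length() - 1            # DER drops trailing zero bits
    return _tlv(0x03, bytes([unused, bits]))

def _ext(oid, critical, value):
    crit = _tlv(0x01, b"\xff") if critical else b""  # BOOLEAN only when TRUE
    return _tlv(0x30, _oid(oid) + crit + _tlv(0x04, value))

def template_extensions(is_ca, key_usages, ekus):
    """Extensions SEQUENCE for one table row; Key Usage is always critical."""
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if is_ca else b"")  # cA omitted when FALSE
    exts = _ext("2.5.29.19", is_ca, bc) + _ext("2.5.29.15", True, _key_usage(key_usages))
    if ekus:  # the two CA templates list "None"
        exts += _ext("2.5.29.37", False, _tlv(0x30, b"".join(_oid(EKU_OID[e]) for e in ekus)))
    return _tlv(0x30, exts)
```

Dumping the result with `openssl asn1parse -inform DER` shows the same three extensions a certificate issued from that template carries.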
Great info!
Thanks for sharing such a detailed and informative blog on digital certificates. Also, it's good to keep the categorization as you mentioned above, i.e. four options for installation: Standalone CA or Enterprise CA and Root or Subordinate, if they serve different purposes.