AD Troubleshooting

AD and Domain-related issues and troubleshooting methods for Active Directory.

Using a custom template for Subordinate CA's

Problem: You have an Enterprise Root CA installed and want your SubCA to have a lifetime of 10 years, but the default SubCA template only allows a validity period of 5 years.


Solution: When a SubCA is installed, it attempts to read the CertificateTemplate entry under the [RequestAttributes] section of the capolicy.inf file in %systemroot% (usually C:\Windows). If there is no such entry in capolicy.inf, the system defaults to requesting the SubCA template, both for fresh installs and for renewals of the SubCA certificate.

That is, the capolicy.inf should also contain the following:

[RequestAttributes]
CertificateTemplate = <your custom SubCA template>

Note that this is in addition to any other parameters that you want to configure for the SubCA.


If you copy the existing SubCA template to a custom template, make sure the administrator performing the enrollment has Enroll permission on it, then put the template name into the capolicy.inf file on the SubCA. The SubCA will then request its SubCA certificate from the custom template.


The actual validity period is determined by three things:

- The maximum lifetime of the template
- The expiration period of the issuing CA
- Registry settings on the issuing CA (the Root CA issues the SubCA certificate)


The smallest of the three values is the one actually used; for example, a CA will not issue a certificate that outlives its own CA certificate even if the template being used would allow it.

Note that the template only comes into play if the issuing CA is an Enterprise Root CA or an Enterprise Subordinate CA.
If you submit the request to a standalone Microsoft Root CA, it will accept the template name and stamp it on the issued certificate, but the validity period will be based only on its registry settings and the lifetime of its own CA certificate (whichever is shorter).
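As an added illustration (not code from the original post or from Microsoft), the following Python models the two decisions described above: which template the SubCA request names, read from capolicy.inf with the same fallback to the built-in SubCA template, and which of the three limits (template maximum, issuing CA certificate lifetime, registry ValidityPeriod) decides the final validity, with a standalone CA ignoring the template. The capolicy.inf contents, the template names and lifetimes, and the CA dates and registry values are all constructed sample values; "ContosoSubCA10Y" is an assumed name for the custom template.

```python
"""Added example, not code from the original post or from Microsoft.

Models the two decisions a subordinate CA request goes through:
  1. which certificate template the request names (read from CAPolicy.inf,
     defaulting to the built-in SubCA template when no entry exists), and
  2. which of the three limits decides the issued certificate's validity
     (template maximum, issuing CA certificate lifetime, CA registry setting),
     with a standalone CA ignoring the template entirely.
All CAPolicy.inf contents, template names, lifetimes and CA parameters below
are constructed sample values, not settings read from a real CA.
"""
import configparser
from datetime import datetime, timedelta

# Constructed CAPolicy.inf as it would sit in %systemroot% on the SubCA,
# with the [RequestAttributes] entry the post recommends.
CAPOLICY_WITH_TEMPLATE = """
[Version]
Signature="$Windows NT$"

[RequestAttributes]
CertificateTemplate = ContosoSubCA10Y
"""

# Constructed CAPolicy.inf with no [RequestAttributes] section at all.
CAPOLICY_WITHOUT_TEMPLATE = """
[Version]
Signature="$Windows NT$"
"""

# Constructed template table: maximum validity in years.  "SubCA" is the
# built-in template with its default 5-year lifetime; "ContosoSubCA10Y" is an
# assumed custom copy edited to 10 years, as the post describes.
TEMPLATES = {"SubCA": 5, "ContosoSubCA10Y": 10}
DEFAULT_TEMPLATE = "SubCA"

# Constructed dates for the issuing Root CA's certificate and the request time.
SAMPLE_ROOT_NOT_AFTER = datetime(2040, 1, 1)
SAMPLE_ROOT_NEAR_EXPIRY = datetime(2023, 1, 1)
SAMPLE_ISSUE_TIME = datetime(2020, 1, 1)


def requested_template(capolicy_text):
    """Return the template named under [RequestAttributes]; if the section or
    the CertificateTemplate key is missing, the SubCA template is requested."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the .inf
    parser.read_string(capolicy_text)
    return parser.get("RequestAttributes", "CertificateTemplate",
                      fallback=DEFAULT_TEMPLATE).strip()


def ca_remaining_years(ca_not_after, issue_time):
    """Years left on the issuing CA's own certificate at issuance time; the CA
    will not issue beyond this even if the template would allow it."""
    return (ca_not_after - issue_time) / timedelta(days=365.25)


def effective_validity(template, ca_cert_years_left, registry_years, enterprise_ca):
    """Apply the post's rule: the shortest of the applicable limits wins.

    registry_years stands for the issuing CA's ValidityPeriod/ValidityPeriodUnits
    registry values (what certutil -getreg CA\\ValidityPeriodUnits reports).
    A standalone CA stamps the template name on the certificate but only
    considers its registry setting and its own certificate lifetime.
    Returns (years, name_of_limit_that_applied).
    """
    limits = {
        "registry ValidityPeriod": registry_years,
        "issuing CA certificate": ca_cert_years_left,
    }
    if enterprise_ca:
        limits["template " + template] = TEMPLATES[template]
    winner = min(limits, key=limits.get)
    return limits[winner], winner


def plan_request(capolicy_text, ca_not_after, issue_time, registry_years, enterprise_ca):
    """End-to-end: parse CAPolicy.inf, then work out the issued lifetime."""
    template = requested_template(capolicy_text)
    years_left = ca_remaining_years(ca_not_after, issue_time)
    years, limit = effective_validity(template, years_left, registry_years, enterprise_ca)
    return {"template": template, "years": years, "limited_by": limit}


if __name__ == "__main__":
    for text, label in ((CAPOLICY_WITH_TEMPLATE, "custom template"),
                        (CAPOLICY_WITHOUT_TEMPLATE, "no entry, default template")):
        print(label, plan_request(text, SAMPLE_ROOT_NOT_AFTER, SAMPLE_ISSUE_TIME, 12, True))
    print("standalone root", plan_request(CAPOLICY_WITH_TEMPLATE, SAMPLE_ROOT_NOT_AFTER,
                                          SAMPLE_ISSUE_TIME, 12, False))
    print("root near expiry", plan_request(CAPOLICY_WITH_TEMPLATE, SAMPLE_ROOT_NEAR_EXPIRY,
                                           SAMPLE_ISSUE_TIME, 12, True))
```

The registry limit is passed in as a plain number of years; on a real CA it is the combination of the ValidityPeriod and ValidityPeriodUnits values referenced in KB 281557 below, and the four runs in the main block show the template winning, the 5-year default winning when capolicy.inf has no entry, the standalone CA ignoring the template, and the issuing CA's own expiry cutting the lifetime short.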

How to Set an Enterprise Subordinate CA to Have a Different Certificate Validity Period than the Parent CA
http://support.microsoft.com/kb/281557

Walkthrough (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003)
http://technet.microsoft.com/en-us/library/cc787276.aspx

Appendix B – CAPolicy.inf
http://technet.microsoft.com/en-us/library/cc775815.aspx

CAPolicy.inf Syntax
http://technet.microsoft.com/en-us/library/cc728279.aspx

Windows Server 2008 R2 CAPolicy.inf Syntax
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

Comments
  • Hi,

    I know this post may not be monitored for comments anymore, but I'll give it a try: is there any technet page or article, where I can see all the settings of the default templates (for example by default what is the max. allowed validity length, does the template allow exporting the private key, etc.)? Does such an inventory list exist, or I have to check this in a lab environment every time I am asked to provide the default settings for one of these templates?

  • Interesting thought - don't think it exists today but I'll forward this to the doc team so they can put this on their TODO list.

  • If you run certutil -v -template from a Windows 2008 R2 machine in a vanilla test domain then you will get a nicely formatted list of all the templates and their settings which you can then reuse ad infinitum.
