This video discusses the customization and manageability limitations of the templates built into AD CS and when you should try to create your own custom templates.
- [Instructor] Once you have a certificate authority installed, it's time to return to your original plan and consider what types of certificates you plan to issue. You might choose to issue certificates to internal web servers, possibly to your domain workstations or to mobile devices in your environment, or you may choose to issue certificates to your domain users. Active Directory Certificate Services on Windows servers ships with built-in templates for all of these purposes. Let's take a look at them. But before we do, here's a quick refresher of the machines that we have in our environment. We have a domain controller that is running the landonhotel.com domain. We have a member server in that domain that's been installed with Certificate Services and configured to be a root authority. And we have another member server configured as a subordinate certificate authority. This is the one that will actually issue certificates, so this is where we want to look next. To see the certificate templates that are already installed, you'll open the Certification Authority tool from the Tools menu. Here you'll see this server. If it happens to be stopped, and that would be indicated by a black square instead of a green circle with a check mark, you could click on the server and click the start button up above. It may take a little while after the server has booted up, however, for this to happen. So if you get an error saying that it couldn't contact the certificate revocation list, you possibly need to just give it some time. But it looks like our server is up and running, so let me expand out this tree, and I'm going to right-click on Certificate Templates and choose Manage. Here we see a list of all of the certificate templates currently available for use on this machine. Here's a certificate template designed for issuing certificates to computers. Let's go ahead and double-click on it.
The first thing you should notice is how much is grayed out. There aren't even a lot of tabs up top, so there aren't very many settings to show us, but the fact that we can't change any might defeat our purposes in creating custom certificates. We can't rename the template; that shouldn't be a big deal, but we also can't change the validity period. We can't change how long this certificate will be valid. We can't even choose to publish the certificate in Active Directory. Well, that seems contrary to our original plan. We installed an Enterprise certificate authority so that we could integrate with Active Directory. Looking at other tabs, for example, the Subject Name tab, we can see that the subject name will be built from Active Directory, but we don't know how. There's no information telling us what's used to build that subject name, or to choose other components to get there. We do have a Security tab, so we can choose which users, which groups, or other objects are able to enroll in this certificate, but there's really not a lot of wiggle room on what our certificates are going to look like. If you chose to create your own certificate authority because you want to define trust within your organization, the answer of whether to use built-in templates or create custom ones of your own is easy: you're going to make your own. So, with that in mind, let me go ahead and close out of this properties dialog. With the exception of Domain Controller and Domain Controller Authentication, and maybe some other key certificate templates, you're going to want to create your own custom templates. Now, the ones you're given are great starting points. If I were to select the Computer certificate template one more time, I could right-click on it and select Duplicate Template to start creating my own certificate template for Computer certificates, one that has exactly the settings that I want.
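The settings the properties dialog grays out for the built-in templates are still readable: every template is an object in the Configuration partition of Active Directory, and the validity period, the "publish in Active Directory" flag and the rules used to build the subject name are all stored as attributes there. The script below is an added example written for this page; it is not part of the course and not Microsoft's tooling. It assumes a domain-joined session with the RSAT ActiveDirectory module (the `Get-ADObject` and `Get-ADRootDSE` cmdlets) and uses the attribute and bit definitions from the MS-CRTD specification, which are the assumptions behind the constants at the top. Nothing is changed; it only reads and decodes what the GUI hides, so you can inventory the templates before deciding which ones to duplicate.

```powershell
# Added example, not from the course: inventory the certificate templates
# published in Active Directory and decode the settings the GUI greys out.
# Assumes the RSAT ActiveDirectory module and a domain-joined session
# (for example a member server in landonhotel.com, as in the video).
Import-Module ActiveDirectory

# Templates live in the Configuration partition, which every DC replicates.
$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Bit values below are taken from MS-CRTD (flags and msPKI-Certificate-Name-Flag).
$FLAG_PUBLISH_TO_DS          = 0x00000008   # 'Publish certificate in Active Directory'
$FLAG_IS_DEFAULT             = 0x00010000   # built-in template shipped with AD CS
$NAME_ENROLLEE_SUPPLIES      = 0x00000001   # requester supplies the subject name
$NAME_REQUIRE_DIRECTORY_PATH = 0x80000000   # subject = the object's DN from AD
$NAME_REQUIRE_COMMON_NAME    = 0x40000000   # subject CN from AD
$NAME_REQUIRE_DNS_AS_CN      = 0x10000000   # subject CN = DNS name from AD
$NAME_ALT_REQUIRE_DNS        = 0x08000000   # SAN carries the DNS name
$NAME_ALT_REQUIRE_UPN        = 0x02000000   # SAN carries the UPN
$NAME_ALT_REQUIRE_EMAIL      = 0x04000000   # SAN carries the e-mail address
$NAME_ALT_REQUIRE_SPN        = 0x00800000   # SAN carries the SPN

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod / pKIOverlapPeriod are 8-byte little-endian
    # negative FILETIME intervals (100 ns units); negate to get a TimeSpan.
    param([byte[]]$Bytes)
    if (-not $Bytes) { return $null }
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

function Get-SubjectNameSource {
    # Turn msPKI-Certificate-Name-Flag into the words the Subject Name tab
    # does not show for the built-in templates. The attribute is a signed
    # 32-bit value, so mask it before testing the high bit.
    param([int64]$Flag)
    $Flag = $Flag -band 0xFFFFFFFF
    $parts = @()
    if ($Flag -band $NAME_ENROLLEE_SUPPLIES)      { $parts += 'Supplied in request' }
    if ($Flag -band $NAME_REQUIRE_DIRECTORY_PATH) { $parts += 'Subject=DN' }
    if ($Flag -band $NAME_REQUIRE_COMMON_NAME)    { $parts += 'Subject=CN' }
    if ($Flag -band $NAME_REQUIRE_DNS_AS_CN)      { $parts += 'Subject=DNS name' }
    if ($Flag -band $NAME_ALT_REQUIRE_DNS)        { $parts += 'SAN:DNS' }
    if ($Flag -band $NAME_ALT_REQUIRE_UPN)        { $parts += 'SAN:UPN' }
    if ($Flag -band $NAME_ALT_REQUIRE_EMAIL)      { $parts += 'SAN:email' }
    if ($Flag -band $NAME_ALT_REQUIRE_SPN)        { $parts += 'SAN:SPN' }
    $parts -join ', '
}

$templates = Get-ADObject -SearchBase $templateContainer `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, flags, 'msPKI-Template-Schema-Version',
                'msPKI-Certificate-Name-Flag', pKIExpirationPeriod, pKIOverlapPeriod

$report = foreach ($t in $templates) {
    [pscustomobject]@{
        Template      = $t.displayName
        SchemaVersion = $t.'msPKI-Template-Schema-Version'   # v1 = not editable in the GUI
        BuiltIn       = [bool]($t.flags -band $FLAG_IS_DEFAULT)
        PublishToAD   = [bool]($t.flags -band $FLAG_PUBLISH_TO_DS)
        ValidityDays  = (ConvertFrom-PkiPeriod $t.pKIExpirationPeriod).Days
        RenewalDays   = (ConvertFrom-PkiPeriod $t.pKIOverlapPeriod).Days
        SubjectFrom   = Get-SubjectNameSource $t.'msPKI-Certificate-Name-Flag'
    }
}

$report | Sort-Object Template | Format-Table -AutoSize
```

Run it from the subordinate CA (or any domain member with RSAT) and look at the `SchemaVersion` column: the templates the dialog grays out are the version 1 templates, which is why Duplicate Template is the way to get an editable copy. The `SubjectFrom` column answers the question the Subject Name tab leaves open, and `PublishToAD` tells you, before you duplicate anything, which built-in templates already write issued certificates to the user or computer object.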