Certificate Template Setup

Part 1 - Duplicate Smartcard Template

  1. On your Certificate Authority server, launch the Certificate Authority tool.
  2. Expand your server's name and right-click Certificate Templates > Manage.

  3. A new window, the Certificate Templates Console, will open. Scroll down until you find the template named "Smartcard Logon".
    3a. Right-click the template > "Duplicate Template".

  4. A new pop-up will appear; this is where the enrollment and logon settings will be edited.
    4a. Compatibility tab: Set the Compatibility Settings to the latest server option available for both Certification Authority and Recipient.

    A prompt will appear for each setting. Click 'OK' for both.

    4b. General tab: Edit the name of the template and check (✓) Publish certificate in Active Directory and its sub-box.

    4c. Request Handling tab: Set Purpose to "Signature and smartcard logon".

    4d. Security tab: "Add" your Service Account to the users and give it full control over the template.

    4e. Issuance tab: Check (✓) "This number of authorized signatures" and set it equal to 1. For "Application policy", use the drop-down to select "Certificate Request Agent".

    4f. The template setup is complete; click "OK". Don't close the Certificate Templates Console yet, as it is needed for Part 2.


Part 2 - Enrollment Agent Certificate

  1. In the Certificate Templates Console, scroll to and find the "Enrollment Agent" template.

  2. Right-click "Enrollment Agent" > Properties.

  3. Go to the Security tab.
    3a. Add your Service Account to the users and give it full control.

    3b. Click "OK".


  4. Close the Certificate Templates Console.


Part 3 - Issue The Certificates

  1. In your Certificate Authority, right-click Certificate Templates > New > Certificate Template to Issue.

  2. Select both the Enrollment Agent and ONE Smartcard templates by holding Ctrl and clicking each template. Click "OK".

    The templates should appear in your list of templates.

Part 4 - Server Properties

  1. In your Certificate Authority, right-click your server name > Properties.

  2. A new pop-up will appear.
    2a. Security tab:
    acct permissions 2 - check all.png


    2b. (Optional) Certificate Managers tab: Select Restrict certificate managers, highlight your Service Account, and click "Add" to choose your smartcard template.

    You should see your certificate appear in the templates section.
    2c. Click "OK" to close the Properties window.
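
To confirm that the settings from Parts 1 and 2 were saved as intended, the following added example (not part of the original guide) reads both templates back from Active Directory and lists every account that holds write-level rights on them. It assumes the ActiveDirectory PowerShell module is installed; the template name and Service Account name are placeholders to replace with your own.

```powershell
# Added example: review the smartcard and Enrollment Agent templates after setup.
Import-Module ActiveDirectory

$SmartcardTemplate = 'YourSmartcardTemplate'   # placeholder: display name chosen in step 4b
$ServiceAccount    = 'EXAMPLE\svc-account'     # placeholder (constructed): your Service Account
$AgentOid          = '1.3.6.1.4.1.311.20.2.1'  # OID of the Certificate Request Agent policy

# Certificate templates are stored in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

function Get-TemplateReview {
    param([string]$DisplayName)
    $query = @{
        SearchBase = $base
        Filter     = "displayName -eq '$DisplayName'"
        Properties = 'displayName', 'nTSecurityDescriptor',
                     'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
    }
    $t = Get-ADObject @query
    if (-not $t) { Write-Warning "Template '$DisplayName' not found"; return }

    # Allow ACEs that let a principal modify the template (Full Control included).
    $writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'
    $aces = $t.nTSecurityDescriptor.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.ActiveDirectoryRights)" -match $writeRights } |
        Select-Object @{n='Principal';        e={$_.IdentityReference.Value}},
                      @{n='Rights';           e={$_.ActiveDirectoryRights}},
                      @{n='IsServiceAccount'; e={$_.IdentityReference.Value -eq $ServiceAccount}}

    [pscustomobject]@{
        Template             = $t.displayName
        AuthorizedSignatures = $t.'msPKI-RA-Signature'
        # Substring match: newer template versions pack this attribute into one string.
        RequiresRequestAgent = (($t.'msPKI-RA-Application-Policies' -join ' ') -like "*$AgentOid*")
        WriteCapableAces     = @($aces)
    }
}

foreach ($r in (Get-TemplateReview $SmartcardTemplate), (Get-TemplateReview 'Enrollment Agent')) {
    if (-not $r) { continue }
    # Step 4e: the smartcard template should report 1 signature and RequiresRequestAgent = True.
    $r | Format-List Template, AuthorizedSignatures, RequiresRequestAgent
    $r.WriteCapableAces | Format-Table -AutoSize
}
```

Review the ACE table for any principal other than your Service Account and your PKI administrators; write access to a template allows its issuance settings to be changed.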


You've completed this portion of the setup and can move on to the IIS Configuration for PKI.