Certificate Template Setup
  • 29 Jan 2025


Part 1 - Duplicate Smartcard Template

  1. On your Certificate Authority server, launch the Certificate Authority tool.
  2. Expand your server's name and right-click Certificate Templates > Manage.
    ca setup 1 - manage.png

  3. A new window, Certificate Templates Console, will open. Scroll down until you find the template named "Smartcard Logon".
    3a. Right-click the template > "Duplicate Template".
    ca setup 2 - dupe temp.png

  4. A new pop-up will appear; this is where the enrollment and logon settings will be edited.
    4a. Compatibility tab: Set the Compatibility Settings to the latest server option available for both Certification Authority and Recipient.
    sc dupe template 4.png

    A prompt will appear for each setting. Click 'OK' for both.
    sc dupe template 2.png


    4b. General tab: Edit the name of the template and check (✓) Publish certificate in Active Directory and its sub-box.
    sc dupe template 5 - general tab.png


    4c. Request Handling tab: Set Purpose to "Signature and smartcard logon".
    sc dupe template 6 - req handling.png


    4d. Security tab: "Add" your Service Account to the users and give it full control over the template.
    sc dupe template 6 - security.png


    4e. Issuance tab: Check (✓) "This number of authorized signatures" and set it equal to 1. For Application policy, open the drop-down and select "Certificate Request Agent".
    sc dupe template 7 - issuance.png


    4f. The template setup is complete; click "OK". Don't close the Certificate Templates Console yet, as it is needed for Part 2.


Part 2 - Enrollment Agent Certificate

  1. In the Certificate Templates Console, scroll to and find the "Enrollment Agent" template.

  2. Right-click "Enrollment Agent" > Properties.

  3. Go to the Security tab.
    3a. Add your Service Account to the users and give it full control.
    enrollment agent 1 - security.png


    3b. Click "OK".


  4. Close the Certificate Templates Console.


Part 3 - Issue The Certificates

  1. In your Certificate Authority, right-click Certificate Templates > New > Certificate Template to Issue.
    issue temps 1 - issue.png

  2. Select both the Enrollment Agent and ONE Smartcard templates by holding Ctrl and clicking each template. Click "OK".
    issue temps 2 - select.png

    The templates should appear in your list of templates.
    issue temps 2a - appear.png


Part 4 - Server Properties

  1. In your Certificate Authority, right-click your server name > Properties.
    acct permissions 1 - properties.png

  2. A new pop-up will appear.
    2a. Security tab:
    acct permissions 2 - check all.png


    2b. (Optional) Certificate Managers tab: Select Restrict certificate managers, highlight your Service Account, and click "Add" to choose your smartcard template.
    acct permissions 3 - cert mgrs.png

    You should see your certificate appear in the templates section.
    acct permissions 3a - cert mgrs.png

    2c. Click "OK" to close the Properties window.
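
A read-only check of the settings made in Parts 1 to 3, as an added example that is not part of the original article or the product's own tooling. It assumes the RSAT ActiveDirectory module is installed; the template display name below is a placeholder for the name you chose in step 4b. Because Full Control lets a principal change a template, the second table lists every account with write-level rights so you can confirm only the intended accounts hold them.

```powershell
# Added example: audits the duplicated smartcard template and the
# Enrollment Agent template. Makes no changes to AD or the CA.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$SmartcardTemplate = 'Contoso Smartcard Logon'   # placeholder: name from step 4b
$AgentOid          = '1.3.6.1.4.1.311.20.2.1'    # Certificate Request Agent policy OID

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'displayName', 'msPKI-RA-Signature',
            'msPKI-RA-Application-Policies', 'msPKI-Enrollment-Flag'
$writeRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

foreach ($name in $SmartcardTemplate, 'Enrollment Agent') {
    $tpl = Get-ADObject -SearchBase $base -Filter "displayName -eq '$name'" -Properties $props
    if (-not $tpl) { Write-Warning "Template '$name' not found"; continue }

    # Part 1 configured the smartcard template for: 1 authorized signature,
    # the Certificate Request Agent application policy, and publishing to AD.
    # The policy attribute may be a bare OID or a longer compound string,
    # so it is searched for the OID rather than compared for equality.
    $policies = @($tpl.'msPKI-RA-Application-Policies') -join ';'
    [pscustomobject]@{
        Template             = $tpl.displayName
        AuthorizedSignatures = $tpl.'msPKI-RA-Signature'
        RequiresAgentPolicy  = $policies -match [regex]::Escape($AgentOid)
        PublishToAD          = [bool]($tpl.'msPKI-Enrollment-Flag' -band 0x8)
    } | Format-List

    # Every principal allowed to modify the template object.
    (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       "$($_.ActiveDirectoryRights)" -match $writeRights } |
        Select-Object IdentityReference, ActiveDirectoryRights |
        Format-Table -AutoSize
}

# Part 3: run on the CA server to list the templates the CA currently issues.
certutil -CATemplates
```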


You've completed this portion of the setup and can move on to the IIS Configuration for PKI.

