A certification authority (CA) processes each certificate request by using a defined set of rules. The CA may issue some certificates with no proof of identification and require proof of identification before other types of certificates are issued. This provides different levels of assurance for different certificates. These levels of assurance are represented in certificates as issuance policies.

An issuance policy (also known as an enrollment or certificate policy) is a group of administrative rules that are implemented when issuing certificates. They are represented in a certificate by an object identifier (also known as an OID) that is defined at the CA. This object identifier is included in the issued certificate. When a subject presents its certificate, it can be examined by the target to verify the issuance policy, and determine if that level of issuance policy is sufficient to perform the requested action.

Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 include four predefined issuance policies:

  • All Issuance (2.5.29.32.0). The all issuance policy indicates that the issuance policy contains all other issuance policies. Typically, this object identifier is only assigned to CA certificates.

  • Low Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.400). The low assurance object identifier is used to represent certificates that are issued with no additional security requirements.

    Note

    The x.y.z portion of the object identifier is a randomly generated numeric sequence that is unique for each Active Directory forest.

  • Medium Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.401). The medium assurance object identifier is used to represent certificates that have additional security requirements for issuance. For example, a smart card certificate that is issued in a face-to-face meeting with a smart card issuer might be considered a medium assurance certificate and contain the medium assurance object identifier.

  • High Assurance (1.3.6.1.4.1.311.21.8.x.y.z.1.402). The high assurance object identifier is used to represent certificates that are issued with the highest security. For example, the issuance of a key recovery agent certificate might require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from an enterprise CA.

In addition, you can create your own object identifiers to represent custom issuance policies.

When subjects submit certificate requests to a CA, the request can either be automatically approved or placed into a "pending" state. A pending state is normally used for certificates that require a higher level of assurance and consequently require more administration and further verification of the request. There are a number of settings that can configure the authentication and signature requirements for issuance certificates that are based on a template.

Setting Description

CA certificate manager approval

All certificates are placed into the pending container for a certificate manager to issue or deny.

This number of authorized signatures

This setting requires the certificate request to be digitally signed by one or more subjects before it can be issued. This enables several other configuration parameters.

Policy type required in signature

The signatures that are required for issuing a certificate must contain either a specific application policy, issuance policy, or both. This is how the CA determines whether the signature is appropriate for authorizing the issuance of the subject's certificate. This option is enabled when This number of authorized signatures is set.

Application policy

Specifies the application policy to verify when signing a certificate request. This option is enabled when Policy type required in signature is set to either Application policy or Both application and issuance policy.

Issuance policy

Specifies the issuance policies to verify when signing a certificate request. This option is enabled when Policy type required in signature is set to either Issuance policy or Both application and issuance policy.

The ability to modify or create new application policies is available only with version 2 and version 3 certificate templates. For more information, see Default Certificate Templates.

Clients must be re-enrolled to receive a certificate based on a modified template if they already have a valid certificate based on the previous template. For more information about re-enrolling clients, see Re-Enroll All Certificate Holders.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To modify an issuance policy
  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. Click the Issuance Requirements tab.

  4. Provide the requested information.