A number of preconfigured certificate templates that are designed to meet the needs of most organizations are included with Windows Server 2008–based enterprise certification authorities (CAs). These templates are described in the following table.
Name | Description | Key usage | Subject type | Published to Active Directory Domain Services (AD DS)? | Template version |
---|---|---|---|---|---|
Administrator | Allows trust list signing and user authentication. | Signature and encryption | User | Yes | 1 |
Authenticated Session | Allows the subject to authenticate to a Web server. | Signature | User | No | 1 |
Basic EFS | Used by Encrypting File System (EFS) to encrypt data. | Encryption | User | Yes | 1 |
CA Exchange | Used to store keys that are configured for private key archival. | Encryption | Computer | No | 2 |
CEP Encryption | Allows the certificate holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests. | Encryption | Computer | No | 1 |
Code Signing | Used to digitally sign software. | Signature | User | No | 1 |
Computer | Allows a computer to authenticate itself on the network. | Signature and encryption | Computer | No | 1 |
Cross-Certification Authority | Used for cross-certification and qualified subordination. | Signature | Cross-certified CA | Yes | 2 |
Directory E-mail Replication | Used to replicate e-mail within AD DS. | Signature and encryption | Computer | Yes | 2 |
Domain Controller | Used by domain controllers as all-purpose certificates. | Signature and encryption | Computer | Yes | 1 |
Domain Controller Authentication | Used to authenticate Active Directory computers and users. | Signature and encryption | Computer | No | 2 |
EFS Recovery Agent | Allows the subject to decrypt files that were previously encrypted with EFS. | Encryption | User | No | 1 |
Enrollment Agent | Used to request certificates on behalf of another subject. | Signature | User | No | 1 |
Enrollment Agent (Computer) | Used to request certificates on behalf of another computer subject. | Signature | Computer | No | 1 |
Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request. | Signature | User | No | 1 |
Exchange Signature Only | Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail. | Signature | User | No | 1 |
Exchange User | Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail. | Encryption | User | Yes | 1 |
IPSEC | Used by Internet Protocol security (IPsec) to digitally sign, encrypt, and decrypt network communication. | Signature and encryption | Computer | No | 1 |
IPSEC (Offline request) | Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request. | Signature and encryption | Computer | No | 1 |
Kerberos Authentication | Used to authenticate Active Directory computers and users. | Signature and encryption | Computer | No | 2 |
Key Recovery Agent | Recovers private keys that are archived on the CA. | Encryption | Key recovery agent | No | 2 |
OCSP Response Signing | Used by an Online Responder to sign responses to certificate status requests. | Signature | Computer | No | 3 |
RAS and IAS Server | Enables remote access servers and Internet Authentication Service (IAS) servers to authenticate their identity to other computers. | Signature and encryption | Computer | No | 2 |
Root Certification Authority | Used to prove the identity of the root CA. | Signature | CA | No | 1 |
Router (Offline request) | Used by a router when requested through a SCEP request from a CA that holds a CEP Encryption certificate. | Signature and encryption | Computer | No | 1 |
Smartcard Logon | Allows the holder to authenticate by using a smart card. | Signature and encryption | User | No | 1 |
Smartcard User | Allows the holder to authenticate and protect e-mail by using a smart card. | Signature and encryption | User | Yes | 1 |
Subordinate Certification Authority | Used to prove the identity of the root CA. It is issued by the parent or root CA. | Signature | CA | No | 1 |
Trust List Signing | Allows the holder to digitally sign a trust list. | Signature | User | No | 1 |
User | Used by users for e-mail, EFS, and client authentication. | Signature and encryption | User | Yes | 1 |
User Signature Only | Allows users to digitally sign data. | Signature | User | No | 1 |
Web Server | Proves the identity of a Web server. | Signature and encryption | Computer | No | 1 |
Workstation Authentication | Enables client computers to authenticate their identity to servers. | Signature and encryption | Computer | No | 2 |
When you duplicate a version 1 or version 2 certificate template, you can make the duplicate a version 2 or version 3 template in order to configure the advanced options available with the later versions. However, version 3 certificate templates can only be issued by Windows Server 2008–based enterprise CAs and used by clients on computers running Windows Server 2008 or Windows Vista. For more information, see Certificate Template Versions.
For information about configuration options for certificate templates, see Configuring a Certificate Template.