Create and version a duplicate of a certificate template

Certificate template versions

Create and version a duplicate of a template

Once we've made a duplicate of a template, we need to determine who can use the new template.

The compatibility settings do not prevent earlier operating system versions from using the template.

Versioning certificate templates

  • Schema version 1 came with Windows 2000
  • Schema version 2 came with Windows Server 2003 Enterprise
    • Autoenrollment was added
  • Schema version 3 came with Windows Server 2008 Enterprise
    • Version 3 also brought new cryptographic algorithms
    • Version 3 templates can no longer be provided via the web service (CertSrv)
  • Schema version 4 came with Windows Server 2012
    • Supports CSP (Crypto Service Provider) and KSP (Key Storage Provider)
    • A certificate can now be renewed with the same key

The schema version of a template determines the options available.

For example, if you duplicate a template of schema version 2 (Kerberos) and use the KSP, a template of schema version 3 is created.

For example, if you duplicate a schema version 1 template (computer) and set the compatibility to Windows Server 2012 for the certification authority and Windows 10 for the certificate recipient, the result is schema version 4.

A certificate template has several values for versioning: the schema version and the version number. The version number consists of a major version and a minor version. The minor version increases with every change to the template, but this has no immediate effect on clients that received their certificates through autoenrollment. The major version increases as soon as all certificate holders are prompted to re-enroll: version 100.6 becomes version 101.0. When the major version is increased, the minor version counter is reset to 0.

Schema version and version number

If we manually increment the revision number, this automatically triggers re-enrollment.

Certificate template revision attributes

Two tasks (re-enrollment) are then triggered: the SystemTask and/or the UserTask, depending on the template on which the revision number was increased.

CertificateServicesClient Task

The command line provides us with further information about the templates including various attributes.

CertUtil -dsTemplate
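
The schema version and the major and minor version described above can also be read directly from the template objects in Active Directory and compared against a saved baseline, so that template changes are noticed. This is an added example, not code from the original article; it assumes the ActiveDirectory PowerShell module (RSAT) and read access to the configuration partition, and `$BaselinePath` is a hypothetical location.

```powershell
# Added example: list all certificate templates with schema version and
# major.minor version, then report differences against a saved baseline.
Import-Module ActiveDirectory

$BaselinePath = 'C:\Temp\template-versions.csv'   # assumption: hypothetical path

# Templates are stored in the configuration partition of the forest.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props      = 'displayName', 'revision',
              'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version'

$current = Get-ADObject -SearchBase $searchBase -Properties $props `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' |
    ForEach-Object {
        # Default the msPKI-* values if an attribute is not set on the object.
        $minor  = $_.'msPKI-Template-Minor-Revision'
        $schema = $_.'msPKI-Template-Schema-Version'
        if ($null -eq $minor)  { $minor  = 0 }
        if ($null -eq $schema) { $schema = 1 }
        [pscustomobject]@{
            Name          = $_.Name
            DisplayName   = $_.displayName
            SchemaVersion = [int]$schema
            Version       = '{0}.{1}' -f $_.revision, $minor   # revision = major version
        }
    } | Sort-Object Name

$current | Format-Table -AutoSize

if (Test-Path $BaselinePath) {
    $baseline = @{}
    Import-Csv $BaselinePath | ForEach-Object { $baseline[$_.Name] = $_ }
    foreach ($t in $current) {
        $old = $baseline[$t.Name]
        if (-not $old) {
            Write-Output "NEW      $($t.Name) $($t.Version) (schema $($t.SchemaVersion))"
        } elseif ($old.Version -ne $t.Version) {
            # A higher major version means certificate holders are asked to re-enroll.
            $oldMajor = [int]($old.Version -split '\.')[0]
            $newMajor = [int]($t.Version -split '\.')[0]
            $kind = if ($newMajor -gt $oldMajor) { 'major, re-enrollment' } else { 'minor' }
            Write-Output "CHANGED  $($t.Name) $($old.Version) -> $($t.Version) [$kind]"
        }
    }
}
# Save the current state as the baseline for the next run.
$current | Export-Csv -Path $BaselinePath -NoTypeInformation
```

The first run only writes the baseline; later runs print every template that is new or whose version number has changed since then.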

Properties of an X.509 v3 certificate