How To Change Schema Version Of Cert Template
Applies to Windows Server 2012
Table of Contents
- Duplicating Certificate Templates
- Certificate Template Schema Versions
- Version 4 Certificate Templates
- Renew with the same key
- Support for CSPs, KSPs, and provider ordering
- Allow key-based renewal
- Enable requestor specified issuance policies
Windows Server 2012 introduces changes to the certificate template versions and certificate template properties options.
- The process for duplicating certificate templates has changed
- There is a new certificate template version (version 4) that has several new options
These changes are discussed in this article in the following sections.
Duplicating Certificate Templates
When duplicating a certificate template in Windows Server 2012, you do not select a template version as described in Create a New Certificate Template. Instead, a Compatibility tab is displayed when a certificate template is duplicated.
The Compatibility tab helps to configure the options that are available in the certificate template. The options available in the certificate template properties change depending upon the operating system versions that are selected for the certification authority (CA) and the certificate recipient. For example, if the configured CA is Windows Server 2008 R2 and the configured certificate recipient is Windows 7 / Server 2008 R2, the option to Renew with the same key would be unavailable.
Note: Once you click OK or Apply, you are saving the template and its version. The template version (schema) cannot be modified after that. To end up with a different schema version, duplicate the template again and choose the compatibility settings before saving.
The Show resulting changes checkbox allows you to control whether the Resulting changes dialog box is displayed. The Resulting changes dialog box shows what options are removed or added based on a change to the certification authority or certificate recipient operating system version.
The Compatibility tab does not have a restrictive effect on version 1, version 2, or version 3 templates, as indicated by the statement: These settings may not prevent earlier operating systems from using this template. However, the Compatibility tab provides a method for administrators to configure an operating system combination and then see which options are available for that combination. For version 4 templates, the Compatibility tab indicates the operating system version combinations that will participate in certificate enrollment and issuance. Starting in Windows 8 and Windows Server 2012, certificate clients will respect the operating system versions that are configured in the Compatibility tab.
Note: When you configure the CA version to Windows Server 2012, you may not see the option to select certificates in Windows 7 or Windows Server 2008 R2 over Certificate Enrollment Web Services. To resolve this issue, you can set the template to show a Windows Server 2008 R2 CA, even if it is actually a Windows Server 2012 CA. For more information, see Certificate Templates Not Available for Windows 7 and Windows Server 2008 R2 Certificate Recipients using Certificate Enrollment Web Services.
Certificate Template Schema Versions
The settings that you configure on the Compatibility tab and in the certificate template properties determine the certificate template schema version that is created when the template is saved. The logic for determining the certificate template schema version is as follows:
- If the CA operating system is Windows Server 2012 and the certificate recipient operating system is Windows 8, then a version 4 certificate template schema version is created.
- If the CA operating system is earlier than Windows Server 2012 or the certificate recipient is earlier than Windows 8, then a version 4 template is not created. The type of template created depends upon the cryptographic provider that is selected:
  - If a cryptographic service provider (CSP) is selected, then a certificate template schema version 2 is created.
  - If a key storage provider (KSP) is selected, then a certificate template schema version 3 is created.
Notes
- For information about version 1, 2, and 3 certificate templates, see Certificate Template Versions.
- For information about certificate template properties options present in previous operating system versions, see the following resources:
  - Windows Server 2008 R2: Configuring a Certificate Template
  - Windows Server 2008: Administering Certificate Templates
  - Windows Server 2003: Certificate Template Overview
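Because the schema version is fixed once the duplicated template is saved, the practical question is usually "which version, compatibility settings and version 4 options did a given template actually end up with?" The template objects live in the Configuration partition of Active Directory, so this can be read back without opening the Certificate Templates console. The following PowerShell is an added example and not code from the original article; it assumes a domain-joined host with read access to CN=Configuration (any authenticated domain user), and the bit positions used to decode msPKI-Private-Key-Flag and msPKI-Enrollment-Flag are taken from the MS-CRTD specification.

```powershell
# Added example: report schema version, Compatibility tab settings and version 4 options
# for every certificate template in the forest, read straight from Active Directory.
# Assumes a domain-joined host; flag bit positions per MS-CRTD (msPKI-Private-Key-Flag, msPKI-Enrollment-Flag).
function Get-CertTemplateSchemaReport {
    [CmdletBinding()]
    param()

    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    foreach ($attr in 'cn', 'msPKI-Template-Schema-Version', 'msPKI-Private-Key-Flag',
                      'msPKI-Enrollment-Flag', 'pKIDefaultCSPs') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # Compatibility tab selections are encoded in msPKI-Private-Key-Flag (MS-CRTD 2.27):
    # bits 16-19 = minimum certificate recipient OS, bits 24-27 = minimum CA OS.
    $recipientOs = @{ 0 = '(not set)'; 1 = 'Windows XP'; 2 = 'Windows Vista'; 3 = 'Windows 7'
                      4 = 'Windows 8'; 5 = 'Windows 8.1'; 6 = 'Windows 10' }
    $caOs        = @{ 0 = '(not set)'; 1 = 'Windows Server 2003'; 2 = 'Windows Server 2008'
                      3 = 'Windows Server 2008 R2'; 4 = 'Windows Server 2012'
                      5 = 'Windows Server 2012 R2'; 6 = 'Windows Server 2016' }

    function Get-IntValue($props, $name) {
        if ($props[$name].Count) { [int]$props[$name][0] } else { 0 }
    }
    function Get-OsName($table, [int]$code) {
        if ($table.ContainsKey($code)) { $table[$code] } else { "unknown ($code)" }
    }

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $pkf = Get-IntValue $p 'mspki-private-key-flag'
        $ef  = Get-IntValue $p 'mspki-enrollment-flag'

        # pKIDefaultCSPs values look like "2,Microsoft Platform Crypto Provider";
        # the leading integer is the preference order set on the Cryptography tab.
        $providers = @($p['pkidefaultcsps'] | Where-Object { $_ }) |
            Sort-Object { [int]($_ -split ',', 2)[0] } |
            ForEach-Object { ($_ -split ',', 2)[1] }

        [pscustomobject]@{
            Template          = [string]$p['cn'][0]
            SchemaVersion     = Get-IntValue $p 'mspki-template-schema-version'
            MinRecipientOS    = Get-OsName $recipientOs (($pkf -band 0x000F0000) -shr 16)
            MinCAOS           = Get-OsName $caOs        (($pkf -band 0x0F000000) -shr 24)
            RenewWithSameKey  = [bool]($pkf -band 0x00000080)  # CT_FLAG_REQUIRE_SAME_KEY_RENEWAL
            KeyBasedRenewal   = [bool]($ef  -band 0x00010000)  # CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT
            RequestorPolicies = [bool]($ef  -band 0x00020000)  # CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST
            ProviderOrder     = @($providers) -join ' > '
        }
    }
}

# Usage: which version 4 templates enforce renewal with the same key, and which provider do they prefer?
Get-CertTemplateSchemaReport |
    Where-Object { $_.SchemaVersion -eq 4 -and $_.RenewWithSameKey } |
    Format-Table Template, MinCAOS, MinRecipientOS, ProviderOrder -AutoSize
```

The report shows what the template object encodes, which is what a Windows 8 / Windows Server 2012 client will honour; as the Compatibility section explains, for version 1 to 3 templates the stored OS choices are informational and do not stop earlier clients from enrolling.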
Version 4 Certificate Templates
The new features that version 4 certificate templates include are:
- Renew with the same key
- Support for both CSPs and KSPs, as well as the ability to order providers by preference
- Allow key-based renewal
- Enable requestor specified issuance policies
Renew with the same key
Windows Server 2012 introduces the option to Renew with the same key on the Request Handling tab of the certificate template properties.
When Renew with the same key is selected, renewing with the same key is enforced. Renewal with the same key allows the assurance level of the original key to be maintained throughout its lifecycle.
Windows Server 2012 supports generating Trusted Platform Module (TPM)-protected keys using TPM-based key storage providers (KSPs). The benefit of using a TPM-based KSP is true non-exportability of keys, backed by the anti-hammering mechanism of TPMs. Administrators can configure certificate templates so that Windows 8 and Windows Server 2012 give higher priority to TPM-based KSPs for generating keys (as described in the Support for CSPs, KSPs, and provider ordering section). Also, using renewal with the same key, administrators can remain assured that the key still remains on the TPM after renewal.
Notes:
- Entering the personal identification number (PIN) incorrectly too many times activates the anti-hammering logic of the TPM. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- If you are working on a CA that does not have a TPM, but you need to enable the "Microsoft Platform Crypto Provider" to support TPMs in certificate client operating systems, see Creating a certificate template that includes the Microsoft Platform Crypto Provider on a CA with no TPM.
Clients that receive certificates from templates that are configured with Renew with the same key must renew their certificates using the same key, or the renewal request will fail. The option to Renew with the same key is available only for Windows 8 and Windows Server 2012 certificate clients.
Important: If Renew with the same key is enabled on a certificate template and key archival (Archive subject's encryption private key) is implemented later, renewed certificates may not be archived. To learn more about this situation and how to mitigate it, see Key Archival and renew with the same key.
The other Request Handling tab options were present in previous operating systems. To learn more about these options, see Request Handling.
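The assurance argument above only holds if the renewed certificate really is bound to the same private key, in the same provider, and that key is still non-exportable. The following PowerShell is an added example (not code from the original article) that checks this on the client: it reports which CSP or KSP holds a certificate's private key and compares an original certificate with its renewal. It assumes .NET Framework 4.6 or later (for the RSACng and ECDsaCng types) and, for machine certificates, an elevated session so the private key can be opened; the thumbprints in the usage lines are placeholders.

```powershell
# Added example: show which provider holds a certificate's private key (TPM KSP or not) and
# verify that a renewal kept the same key. Assumes .NET Framework 4.6+; run elevated for machine keys.
function Get-CertKeyProviderInfo {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    process {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if (-not $key) {
            $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Certificate)
        }
        $info = [ordered]@{ Thumbprint = $Certificate.Thumbprint; Subject = $Certificate.Subject
                            Provider = $null; KeyName = $null; Exportable = $null; TpmBacked = $false }
        if (-not $key) {
            $info.Provider = '(no private key available)'
        } elseif ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
            # CNG key held by a KSP: the CngKey exposes provider name, key name and export policy.
            $info.Provider   = $key.Key.Provider.Provider
            $info.KeyName    = $key.Key.KeyName
            $info.Exportable = ($key.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
        } else {
            # Legacy CSP key (RSACryptoServiceProvider): the same facts via CspKeyContainerInfo.
            $info.Provider   = $key.CspKeyContainerInfo.ProviderName
            $info.KeyName    = $key.CspKeyContainerInfo.KeyContainerName
            $info.Exportable = $key.CspKeyContainerInfo.Exportable
        }
        $info.TpmBacked = ($info.Provider -eq 'Microsoft Platform Crypto Provider')
        [pscustomobject]$info
    }
}

function Test-SameKeyRenewal {
    # Compares an original certificate with its renewal: same public key, same provider, same key container.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Original,
          [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Renewed)
    $o = Get-CertKeyProviderInfo -Certificate $Original
    $r = Get-CertKeyProviderInfo -Certificate $Renewed
    [pscustomobject]@{
        OriginalThumbprint = $Original.Thumbprint
        RenewedThumbprint  = $Renewed.Thumbprint
        SamePublicKey      = ($Original.GetPublicKeyString() -eq $Renewed.GetPublicKeyString())
        SameProvider       = ($o.Provider -eq $r.Provider)
        SameKeyName        = ($o.KeyName -eq $r.KeyName)
        RenewedOnTpm       = $r.TpmBacked
        RenewedExportable  = $r.Exportable
    }
}

# Usage: inventory the machine store, then compare an original and renewed certificate (placeholder thumbprints).
$store = Get-ChildItem Cert:\LocalMachine\My
$store | Get-CertKeyProviderInfo | Format-Table Subject, Provider, Exportable, TpmBacked -AutoSize
Test-SameKeyRenewal -Original ($store | Where-Object Thumbprint -eq 'ORIGINAL_THUMBPRINT') `
                    -Renewed  ($store | Where-Object Thumbprint -eq 'RENEWED_THUMBPRINT') | Format-List
```

A renewal that satisfies the template will show SamePublicKey, SameProvider and SameKeyName all true; the certificate thumbprint changes on every renewal, so it is the public key, not the thumbprint, that proves the key was reused.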
Support for CSPs, KSPs, and provider ordering
Windows Server 2012 introduces the option to order the cryptographic service providers (CSPs) or key storage providers (KSPs) on the Cryptography tab. The certificate administrator can select between CSPs and KSPs on the interface. When Requests must use one of the following providers is selected, the different providers can be selected and ordered. The certificate template administrator can select the providers to make available to the certificate clients and use the up and down arrow buttons to organize those providers in order of preference. The selected providers that are higher in the list will be picked first by clients when generating public/private key pairs (assuming the providers are enabled on the list).
Note: In previous operating system versions the configuration of CSPs and KSPs was on different tabs in the certificate template properties. For version 2 certificate templates, CSPs were configured on the Request Handling tab. For version 3 certificate templates, KSPs were configured on the Cryptography tab. Starting in Windows Server 2012, the configuration of the providers is consolidated on the Cryptography tab. To learn more about the cryptographic provider options present in previous operating systems, see Cryptography and Request Handling.
Allow key-based renewal
Key-based renewal mode is a feature introduced in Windows Server 2012 that allows an existing valid certificate to be used to authenticate its own renewal request. This gives computers that are not connected directly to the internal network the ability to automatically renew an existing certificate. To take advantage of this feature, the certificate client computers must be running at least Windows 8 or Windows Server 2012.
To learn more about key-based renewal, see the following resources:
- Key-based renewal
- Test Lab Guide: Demonstrating Certificate Key-Based Renewal
Enable requestor specified issuance policies
A Windows Server 2012 certification authority allows a certificate request to include specific issuance policy object identifiers. The CA will evaluate requested issuance policies within the certificate request. In previous versions of the operating system, the CA would ignore issuance policies if they were supplied in a certificate request. The CA would instead issue all of the issuance policies that were configured in the certificate template.
To use this feature, Issuance Policies must be defined on the certificate template. This can be done by editing the Issuance Policies in the Extensions tab.
On the Edit Issuance Policies Extension dialog box is the Enable requestor specified issuance policies checkbox.
By selecting Enable requestor specified issuance policies, the administrator is allowing the certificate client to specify one or more of the available issuance policies within a certificate request. The certificate client can request one or more of the available issuance policies configured in the template. However, if the certificate client requests an issuance policy that is not listed in the template, the request will be rejected. For successful requests, the issuance policies that were selected by the client are added to the Certificate Policies that are present in the issued certificate.
The other Extensions tab options were present in previous operating systems. To learn more about these options, see Certificate Template Extensions.
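The rule the CA applies (only policies listed in the template may be requested, and the ones requested end up in the Certificate Policies extension) can be verified on the issued certificates themselves. The following PowerShell is an added example and not code from the original article; it decodes the Certificate Policies extension (OID 2.5.29.32) directly from its DER encoding rather than parsing the localized text that certutil or Format() would print, and the two policy OIDs in the usage section are placeholders standing in for the issuance policy OIDs configured on your own template.

```powershell
# Added example: read the issuance policy OIDs out of an issued certificate's Certificate Policies
# extension (2.5.29.32) and check them against the set the template allows.
# The OIDs in the usage block are placeholders, not identifiers from any real template.

function Read-DerTlv {
    # Returns the tag, the content bytes and the offset just past one DER TLV that starts at $Offset.
    param([byte[]]$Bytes, [int]$Offset)
    $tag = $Bytes[$Offset]
    $len = [int]$Bytes[$Offset + 1]
    $hdr = 2
    if ($len -band 0x80) {                       # long form: low 7 bits give the number of length octets
        $n   = $len -band 0x7F
        $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = ($len -shl 8) -bor $Bytes[$Offset + 2 + $i] }
        $hdr += $n
    }
    $start   = $Offset + $hdr
    $content = if ($len -gt 0) { $Bytes[$start..($start + $len - 1)] } else { @() }
    [pscustomobject]@{ Tag = $tag; Content = [byte[]]$content; Next = $start + $len }
}

function ConvertFrom-DerOid {
    # Decodes OBJECT IDENTIFIER content bytes (base-128 sub-identifiers) into dotted notation.
    param([byte[]]$Content)
    $subIds = New-Object System.Collections.Generic.List[long]
    $value  = [long]0
    foreach ($b in $Content) {
        $value = ($value -shl 7) -bor ($b -band 0x7F)
        if (-not ($b -band 0x80)) { $subIds.Add($value); $value = 0 }
    }
    # The first sub-identifier packs the first two arcs: 40*first + second (first arc 0, 1 or 2).
    $first = $subIds[0]
    $arcs  = if ($first -lt 40) { @(0, $first) } elseif ($first -lt 80) { @(1, $first - 40) } else { @(2, $first - 80) }
    $arcs  = @($arcs) + @($subIds | Select-Object -Skip 1)
    ($arcs | ForEach-Object { [string]$_ }) -join '.'
}

function Get-CertificatePolicyOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }
    if (-not $ext) { return @() }
    # certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, policyQualifiers OPTIONAL }
    $outer = Read-DerTlv -Bytes $ext.RawData -Offset 0
    $oids  = @()
    $pos   = 0
    while ($pos -lt $outer.Content.Length) {
        $policyInfo = Read-DerTlv -Bytes $outer.Content -Offset $pos
        $oidTlv     = Read-DerTlv -Bytes $policyInfo.Content -Offset 0
        if ($oidTlv.Tag -eq 0x06) { $oids += ConvertFrom-DerOid -Content $oidTlv.Content }
        $pos = $policyInfo.Next
    }
    $oids
}

function Test-RequestedIssuancePolicies {
    # Every policy in the issued certificate should be one the template lists; anything else is a finding.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [Parameter(Mandatory)][string[]]$TemplatePolicies)
    $present = @(Get-CertificatePolicyOids -Certificate $Certificate)
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $Certificate.Subject
        Present    = $present
        Unexpected = @($present | Where-Object { $TemplatePolicies -notcontains $_ })
    }
}

# Usage (placeholder OIDs): audit the machine store against the template's configured issuance policies.
$templatePolicies = '1.3.6.1.4.1.311.21.8.1.2.3', '1.3.6.1.4.1.311.21.8.4.5.6'
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-RequestedIssuancePolicies -Certificate $_ -TemplatePolicies $templatePolicies } |
    Where-Object { $_.Present.Count -gt 0 } |
    Format-Table Subject, Present, Unexpected -AutoSize
```

With Enable requestor specified issuance policies turned on, Present should contain only the subset the client asked for; with it turned off, it should match the template's full list, since the CA then ignores what the request carried and issues every configured policy.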
Source: https://social.technet.microsoft.com/wiki/contents/articles/13303.windows-server-2012-certificate-template-versions-and-options.aspx