This recipe is the first hurdle that many new certificate admins bump into. You may have a CA server up and running, but what's next? Before you can start granting certificates to computers and users, you need to establish certificate templates that you are going to publish. You will configure these templates with particular settings, and when a certificate is requested against the template, that new certificate will be built based on the information in the template combined with the information provided by the certificate requestor.
There are some built-in certificate templates that are preinstalled when you add the CA role to your server. Some companies utilize these built-in templates for issuing certificates, but it is a better practice to create your own templates. There is no need to start from scratch, though. You can find the built-in template that comes closest to meeting your needs, copy it, and tweak the copy to suit your particular certificate requirements. This is the process we are going to follow. We need to issue machine certificates to each of our systems in the network to authenticate some IPsec tunnels. There are a few criteria we need to meet in these certificates, and the built-in Computer template comes close to checking all the options that we need. So we will take that template, copy it, and modify it to meet our requirements.
This is a Server 2016 domain environment with a new CA server running. We will utilize the CA console on our CA server to accomplish this work today. The new template that we create will be automatically replicated to the other CA servers in the domain.
The following steps will help you build a new certificate template:
2
years.
IPsec Certificate
(or whatever name you gave to yours).

When installing any new technology that requires certificates to be issued, your first stop should be the certificate templates on your CA server. You need to make sure that you have a template configured with the appropriate settings and switches that you need in your new certificates. By duplicating one of the built-in templates that came with our CA server, we were able to build a new template without having to configure every single option from the ground up.
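One way to confirm that a duplicated template carries the settings you intended, as an added example that is not part of the original recipe. It assumes the ActiveDirectory (RSAT) module is available, that the template's display name is `IPsec Certificate` with a 2-year validity as mentioned on this page, and that the console stores a year as 365 days.

```powershell
# Added example: audit a duplicated certificate template after creating it.
# Assumptions: ActiveDirectory (RSAT) module is installed; the display name and
# the 2-year validity below come from this recipe. Adjust both to match yours.
Import-Module ActiveDirectory
$displayName  = 'IPsec Certificate'
$expectedDays = 2 * 365   # assumes a year is stored as 365 days

# Templates are stored in the forest's Configuration partition, so every
# enterprise CA sees a new template once AD replication completes.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'displayName', 'pKIExpirationPeriod', 'pKIExtendedKeyUsage',
            'msPKI-Certificate-Name-Flag', 'msPKI-Minimal-Key-Size'

$tpl = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$displayName)" -Properties $props
if (-not $tpl) { throw "Template '$displayName' not found under $base" }

# pKIExpirationPeriod holds the validity period as a negative 64-bit count of
# 100-nanosecond intervals.
$ticks     = [BitConverter]::ToInt64($tpl.pKIExpirationPeriod, 0)
$validDays = [TimeSpan]::FromTicks(-$ticks).TotalDays

# Bit 0x1 of msPKI-Certificate-Name-Flag = "Supply in the request". A machine
# template should normally build the subject from Active Directory instead.
$enrolleeSuppliesSubject = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band 0x1)

# Get-CATemplate (ADCSAdministration module) exists only on the CA server and
# lists the templates that CA is actually publishing, keyed by short name (CN).
$published = $null
if (Get-Command Get-CATemplate -ErrorAction SilentlyContinue) {
    $published = (Get-CATemplate).Name -contains $tpl.Name
}

[pscustomobject]@{
    DisplayName             = $tpl.displayName
    TemplateName            = $tpl.Name
    ValidityDays            = $validDays
    ValidityAsExpected      = ($validDays -eq $expectedDays)
    MinimumKeySize          = $tpl.'msPKI-Minimal-Key-Size'
    ExtendedKeyUsageOids    = $tpl.pKIExtendedKeyUsage -join ', '
    EnrolleeSuppliesSubject = $enrolleeSuppliesSubject
    PublishedOnThisCA       = $published
}
```

`PublishedOnThisCA` stays empty when the script is run anywhere other than the CA server, because the publishing list is per CA while the template definition itself lives in Active Directory.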