In Active Directory Certificate Services (AD CS), certificates can be issued and managed through certificate templates. Templates define the purpose, extensions, private key access, security, and many other features for issued certificates. By default, the code signing certificate template is not available in the template list:
The Certificate Templates node in the certsrv console is simply a list of available templates. You can add and remove templates, but their properties are managed in the Certificate Templates snap-in of the Microsoft Management Console (mmc.exe).
Some of the properties of the built-in Code Signing template might require configuration. For example, certificates issued from it are valid for one year, private keys cannot be exported, and the certificate can only be issued to a user (the subject type is set to User). Instead of customizing the built-in template, it is usually preferable to create a new template using the Duplicate Template context option:
For our new template, we set the validity period to 5 years and allow the private key to be exported. Feel free to explore these settings, but don't forget to add the template in certsrv so that it is available on your CA.
By default, only Domain Admins and Enterprise Admins are permitted to enroll for certificates from this template. For the following examples, we give our scripting account Read and Enroll permissions on our template.
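Because an exportable, five-year code signing certificate is a sensitive asset, it is worth verifying the template's settings after editing them rather than trusting the dialog. The following PowerShell script is an added example, not part of the original article; it reads the template object from the Configuration partition and reports the validity period, whether the private key is exportable, which CAs publish the template, and which principals hold Enroll, AutoEnroll or full control on it. It assumes the RSAT ActiveDirectory module is installed and that the duplicated template is named `CodeSigningV2` (an assumed name; change `$TemplateName` to match yours).

```powershell
#Requires -Modules ActiveDirectory
# Added audit script (not from the original article). Assumes RSAT's
# ActiveDirectory module and a duplicated template named "CodeSigningV2".
$TemplateName = 'CodeSigningV2'   # assumed name of the duplicated template

# Well-known extended-right GUIDs used on certificate template objects
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ExportableKey  = 0x10   # CT_FLAG_EXPORTABLE_KEY bit in msPKI-Private-Key-Flag

$config              = (Get-ADRootDSE).configurationNamingContext
$templateContainer   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$enrollmentContainer = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$config"

function ConvertFrom-PkiPeriod {
    # pKIExpirationPeriod is stored as a little-endian Int64 holding a
    # negative count of 100-nanosecond intervals; negate it to get ticks.
    param([byte[]]$Bytes)
    $ticks = -[BitConverter]::ToInt64($Bytes, 0)
    [TimeSpan]::FromTicks($ticks)
}

function Get-TemplateAudit {
    param([string]$Name)
    $t = Get-ADObject -SearchBase $templateContainer -Filter "cn -eq '$Name'" `
            -Properties pKIExpirationPeriod, 'msPKI-Private-Key-Flag', nTSecurityDescriptor
    if (-not $t) { throw "Template '$Name' not found in $templateContainer" }

    $validity = ConvertFrom-PkiPeriod $t.pKIExpirationPeriod
    $keyFlags = [int]$t.'msPKI-Private-Key-Flag'

    # Walk the DACL: Enroll/AutoEnroll are extended rights keyed by GUID;
    # an ExtendedRight ACE with an empty ObjectType grants every extended
    # right, and GenericAll implies everything.
    $rightsType = [System.DirectoryServices.ActiveDirectoryRights]
    $enrollers = foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isFull   = $ace.ActiveDirectoryRights.HasFlag($rightsType::GenericAll)
        $isEnroll = $ace.ActiveDirectoryRights.HasFlag($rightsType::ExtendedRight) -and
                    ($ace.ObjectType -eq $EnrollGuid -or
                     $ace.ObjectType -eq $AutoEnrollGuid -or
                     $ace.ObjectType -eq [guid]::Empty)
        if ($isFull -or $isEnroll) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $(if ($isFull) { 'GenericAll' }
                              elseif ($ace.ObjectType -eq $AutoEnrollGuid) { 'AutoEnroll' }
                              else { 'Enroll' })
            }
        }
    }

    # A template only matters once a CA publishes it: check each
    # pKIEnrollmentService object's certificateTemplates attribute.
    $publishedOn = Get-ADObject -SearchBase $enrollmentContainer `
            -Filter "objectClass -eq 'pKIEnrollmentService'" -Properties certificateTemplates |
        Where-Object { $_.certificateTemplates -contains $Name } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Template       = $Name
        ValidityDays   = [int]$validity.TotalDays      # 5 years shows as 1825
        ExportableKey  = [bool]($keyFlags -band $ExportableKey)
        PublishedOnCAs = @($publishedOn)
        Enrollers      = $enrollers
    }
}

$audit = Get-TemplateAudit -Name $TemplateName
$audit | Format-List Template, ValidityDays, ExportableKey, PublishedOnCAs
$audit.Enrollers | Format-Table -AutoSize
```

Run it from a domain-joined host as a user with read access to the Configuration partition (any authenticated user by default). If `PublishedOnCAs` comes back empty, the template has not yet been added to the CA; `certutil -SetCATemplates +CodeSigningV2` run on the CA does the same thing as the certsrv "Certificate Template to Issue" dialog. The `Enrollers` list is the one to review after granting your scripting account Enroll: anything beyond that account, Domain Admins and Enterprise Admins deserves an explanation.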