Creating a certificate template to prepare for issuing machine certificates to your clients

This recipe is the first hurdle that many new certificate admins bump into. You may have a CA server up and running, but what's next? Before you can start granting certificates to computers and users, you need to establish certificate templates that you are going to publish. You will configure these templates with particular settings, and when a certificate is requested against the template, that new certificate will be built based on the information in the template, combined with the information provided by the certificate requestor.

There are some built-in certificate templates that are preinstalled when you add the CA role to your server. Some companies use these built-in templates as-is for issuing certificates, but it is better practice to create your own. There is no need to start from scratch, though: pick the built-in template that comes closest to meeting your needs and tweak it until it does what your certificates require. That is the process we are going to follow.

We need to issue machine certificates to each of our systems in the network to authenticate some IPsec tunnels. There are a few criteria we need to meet when it comes to these certificates, and the built-in Computer template comes close to checking all the options that we need. So, we will take that template, copy it, and modify it so that it meets our requirements.

Getting ready

This is a Server 2019 domain environment with a new CA server running in it. We will utilize the CA RSAT console on a Windows 10 machine to accomplish this recipe. The new template that we'll create is stored in Active Directory, so it will be automatically replicated to the other CA servers in the domain.

How to do it…

The following steps will help you build a new certificate template:

  1. Launch the Certification Authority management console from inside Server Manager or from the Start menu.
  2. If you receive the error message stating 1060 ERROR_SERVICE_DOES_NOT_EXIST, that's OK – we just need to add the CA server. Right-click Certification Authority (local) and choose Retarget Certification Authority…. Select Another Computer and enter the server name of your root CA. It may take a minute to connect:

    Figure 4.11 – Retarget Certification Authority

  3. Expand the name of your CA and click on Certificate Templates. You will see a list of the built-in templates available to us.
  4. Right-click on Certificate Templates and choose Manage:

    Figure 4.12 – Managing certificate templates on your root CA

  5. Right-click on the Computer template and choose Duplicate Template:

    Figure 4.13 – Duplicating the Computer template

  6. Now, we adjust the options within the certificate template. Any attributes that your certificates must have, you set here in the template properties. As an example, let's configure a few items that our new IPsec certificates must contain to be valid.
  7. Go to the General tab and set up a Template display name so that you can identify this new template we are building:

    Figure 4.14 – Setting some general properties on a certificate template

  8. On the same tab, adjust the Validity period field to 2 years.
  9. Select the Subject Name tab and set Common name in the Subject name format field. This causes the subject name of the certificate to reflect the hostname of the computer that is requesting the certificate. Using the DNS name as the alternate subject name is another requirement that we have been given for our new certificates; you can see it checked in the following screenshot. Since we used the built-in Computer template as our starting point, this checkbox, as well as the other requirements we needed to cover, was already taken care of for us:

    Figure 4.15 – The Subject Name tab

  10. Click OK. There is now a brand-new certificate template in the list called IPsec Certificate (or whatever name you gave to yours).
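Once the template exists you can confirm from any domain-joined machine that the settings from steps 8 and 9 actually landed in Active Directory, where templates are stored. The following check is an added example, not part of the original recipe; it assumes the RSAT ActiveDirectory module is installed, that you named the template IPsec Certificate, and that the template console stores 2 years as 730 days. The flag constants come from the MS-CRTD specification's msPKI-Certificate-Name-Flag definitions.

```powershell
# Added verification check (not part of the recipe). Assumes RSAT ActiveDirectory
# module is available and the template display name is "IPsec Certificate".
function Test-IPsecTemplate {
    param(
        [string]$DisplayName = 'IPsec Certificate',
        [int]$ExpectedValidityDays = 730   # template console stores 2 years as 730 days
    )
    Import-Module ActiveDirectory

    # Templates live in the Configuration partition, which is why every
    # enterprise CA in the forest sees the template we just created
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    $tmpl = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" `
        -Properties displayName, 'msPKI-Certificate-Name-Flag', pKIExpirationPeriod
    if (-not $tmpl) { throw "Template '$DisplayName' not found under $base" }

    # pKIExpirationPeriod is a negative 64-bit interval in 100-nanosecond ticks
    $ticks = [BitConverter]::ToInt64([byte[]]$tmpl.pKIExpirationPeriod, 0)
    $validityDays = [Math]::Round([TimeSpan]::FromTicks(-$ticks).TotalDays)

    # Subject name flags (MS-CRTD): "Common name" subject format and the
    # "DNS name" alternate subject name checkbox set in step 9
    $nameFlags = [int]$tmpl.'msPKI-Certificate-Name-Flag'
    $SubjectRequireCommonName = 0x40000000
    $SubjectAltRequireDns     = 0x08000000
    $cnOk  = ($nameFlags -band $SubjectRequireCommonName) -ne 0
    $sanOk = ($nameFlags -band $SubjectAltRequireDns) -ne 0

    [pscustomobject]@{
        Template          = $tmpl.displayName
        ValidityDays      = $validityDays
        ValidityOk        = ($validityDays -eq $ExpectedValidityDays)
        SubjectCommonName = $cnOk
        SanDnsName        = $sanOk
        MeetsRecipe       = ($validityDays -eq $ExpectedValidityDays) -and $cnOk -and $sanOk
    }
}

Test-IPsecTemplate
```

MeetsRecipe should report True; if SubjectCommonName or SanDnsName is False, reopen the template's Subject Name tab, since a certificate issued without the expected subject or SAN will not match the IPsec authentication rules the clients are going to be given.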

How it works…

When installing any new technology that requires certificates to be issued, your first stop should be the certificate templates on your CA server. You need to make sure that you have a template configured with the appropriate settings and switches that you need in your new certificates. By duplicating one of the built-in templates that came with our CA server, we were able to build a new template without having to configure every single option from the ground up.