Certificate Templates Structure
Total Page:16
File Type:pdf, Size:1020Kb
[MS-CRTD]: Certificate Templates Structure
Intellectual Property Rights Notice for Open Specifications Documentation § Technical Documentation. Microsoft publishes Open Specifications documentation (“this documentation”) for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions. § Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation. § No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation. § Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected]. § License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map. § Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks. § Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.
1 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise. Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it. Support. For questions and support, please contact [email protected].
2 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Revision Summary Revision Revision Date History Class Comments
12/18/2006 0.1 New Version 0.1 release
3/2/2007 1.0 Major Version 1.0 release
4/3/2007 1.1 Minor Version 1.1 release
5/11/2007 1.2 Minor Version 1.2 release
6/1/2007 2.0 Major Updated and revised the technical content.
7/3/2007 2.0.1 Editorial Changed language and formatting in the technical content.
7/20/2007 2.0.2 Editorial Changed language and formatting in the technical content.
8/10/2007 2.0.3 Editorial Changed language and formatting in the technical content.
9/28/2007 2.1 Minor Clarified the meaning of the technical content.
10/23/2007 3.0 Major Updated and revised the technical content.
11/30/2007 3.1 Minor Updated a normative reference.
1/25/2008 3.1.1 Editorial Changed language and formatting in the technical content.
3/14/2008 4.0 Major Updated and revised the technical content.
5/16/2008 4.0.1 Editorial Changed language and formatting in the technical content.
6/20/2008 5.0 Major Updated and revised the technical content.
7/25/2008 5.0.1 Editorial Changed language and formatting in the technical content.
8/29/2008 5.1 Minor Clarified the meaning of the technical content.
10/24/2008 5.2 Minor Clarified the meaning of the technical content.
12/5/2008 5.2.1 Editorial Editorial Update.
1/16/2009 6.0 Major Updated and revised the technical content.
2/27/2009 7.0 Major Updated and revised the technical content.
4/10/2009 8.0 Major Updated and revised the technical content.
5/22/2009 8.1 Minor Clarified the meaning of the technical content.
7/2/2009 8.1.1 Editorial Changed language and formatting in the technical content.
8/14/2009 9.0 Major Updated and revised the technical content.
9/25/2009 10.0 Major Updated and revised the technical content.
11/6/2009 11.0 Major Updated and revised the technical content.
12/18/2009 11.0.1 Editorial Changed language and formatting in the technical content.
1/29/2010 12.0 Major Updated and revised the technical content.
3/12/2010 13.0 Major Updated and revised the technical content.
4/23/2010 13.0.1 Editorial Changed language and formatting in the technical content.
6/4/2010 14.0 Major Updated and revised the technical content.
7/16/2010 15.0 Major Updated and revised the technical content.
8/27/2010 15.1 Minor Clarified the meaning of the technical content.
No changes to the meaning, language, or formatting of the 10/8/2010 15.1 None technical content.
11/19/2010 16.0 Major Updated and revised the technical content.
No changes to the meaning, language, or formatting of the 1/7/2011 16.0 None technical content.
3 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Revision Revision Date History Class Comments
No changes to the meaning, language, or formatting of the 2/11/2011 16.0 None technical content.
No changes to the meaning, language, or formatting of the 3/25/2011 16.0 None technical content.
5/6/2011 17.0 Major Updated and revised the technical content.
6/17/2011 17.1 Minor Clarified the meaning of the technical content.
No changes to the meaning, language, or formatting of the 9/23/2011 17.1 None technical content.
12/16/2011 18.0 Major Updated and revised the technical content.
No changes to the meaning, language, or formatting of the 3/30/2012 18.0 None technical content.
No changes to the meaning, language, or formatting of the 7/12/2012 18.0 None technical content.
10/25/2012 19.0 Major Updated and revised the technical content.
No changes to the meaning, language, or formatting of the 1/31/2013 19.0 None technical content.
8/8/2013 20.0 Major Updated and revised the technical content.
No changes to the meaning, language, or formatting of the 11/14/2013 20.0 None technical content.
2/13/2014 21.0 Major Updated and revised the technical content.
No changes to the meaning, language, or formatting of the 5/15/2014 21.0 None technical content.
6/30/2015 22.0 Major Significantly changed the technical content.
No changes to the meaning, language, or formatting of the 10/16/2015 22.0 None technical content.
No changes to the meaning, language, or formatting of the 7/14/2016 22.0 None technical content.
No changes to the meaning, language, or formatting of the 6/1/2017 22.0 None technical content.
9/15/2017 23.0 Major Significantly changed the technical content.
4 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Table of Contents
5 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1 Introduction This document specifies the syntax and interpretation of certificate templates. While not strictly a protocol, the templates form the basis of certificate management for the Windows Client Certificate Enrollment Protocol. This specification consists of attributes that are accessed by using Lightweight Directory Access Protocol (LDAP), as specified in [RFC2251]. These attributes allow clients to define the behavior of a certificate authority (CA) when processing certificate requests. Familiarity with the Windows Client Certificate Enrollment Protocol Specification is required for a complete understanding of this specification. Sections 1.7 and 2 of this specification are normative. All other sections and examples in this specification are informative.
1.1 Glossary This document uses the following terms: access control entry (ACE): An entry in an access control list (ACL) that contains a set of user rights and a security identifier (SID) that identifies a principal for whom the rights are allowed, denied, or audited. access control list (ACL): A list of access control entries (ACEs) that collectively describe the security rules for authorizing access to some resource; for example, an object or set of objects. Active Directory: A general-purpose network directory service. Active Directory also refers to the Windows implementation of a directory service. Active Directory stores information about a variety of objects in the network. User accounts, computer accounts, groups, and all related credential information used by the Windows implementation of Kerberos are stored in Active Directory. Active Directory is either deployed as Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). [MS-ADTS] describes both forms. For more information, see [MS-AUTHSOD] section 1.1.1.5.2, Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Kerberos, and DNS. asymmetric algorithm: A synonym for public key algorithm. For an introduction to these concepts and related terminology, see [PUBKEY] and [RSAFAQ]. For more information, also see public key algorithm. attestation: A process of establishing some property of a computer platform or of a trusted platform module (TPM) key, in part through TPM cryptographic operations. attribute: An identifier for a single or multivalued data element that is associated with a directory object. An object consists of its attributes and their values. For example, cn (common name), street (street address), and mail (email addresses) can all be attributes of a user object. An attribute's schema, including the syntax of its values, is defined in an attributeSchema object.
6 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 autoenrollment: An automated process that performs certificate enrollment and renewal. For more information about autoenrollment behavior, see [MS-CERSOD]. certificate: A certificate is a collection of attributes and extensions that can be stored persistently. The set of attributes in a certificate can vary depending on the intended usage of the certificate. A certificate securely binds a public key to the entity that holds the corresponding private key. A certificate is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. Certificates are digitally signed by the issuing certification authority (CA) and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standards. For more information about attributes and extensions, see [RFC3280] and [X509] sections 7 and 8. certificate enrollment: The process of acquiring a digital certificate from a certificate authority (CA), which typically requires an end entity to first makes itself known to the CA (either directly, or through a registration authority). This certificate and its associated private key establish a trusted identity for an entity that is using the public key–based services and applications. Also referred to as simply "enrollment". certificate renewal request: An enrollment request for a new certificate where the request is signed using an existing certificate. The renewal request can use the key pair from the existing certificate or a new key pair. After the new certificate has been issued, it is meant (but not required) to replace the older certificate (a renewed certificate). certificate template: A list of attributes that define a blueprint for creating an X.509 certificate. It is often referred to in non-Microsoft documentation as a "certificate profile". A certificate template is used to define the content and purpose of a digital certificate, including issuance requirements (certificate policies), implemented X.509 extensions such as application policies, key usage, or extended key usage as specified in [X509], and enrollment permissions. Enrollment permissions define the rules by which a certification authority (CA) will issue or deny certificate requests. In Windows environments, certificate templates are stored as objects in the Active Directory and used by Microsoft enterprise CAs. certification authority (CA): A third party that issues public key certificates. Certificates serve to bind public keys to a user identity. Each user and certification authority (CA) can decide whether to trust another user or CA for a specific purpose, and whether this trust should be transitive. For more information, see [RFC3280]. common name (CN): A string attribute of a certificate that is one component of a distinguished name (DN). In Microsoft Enterprise uses, a CN must be unique within the forest where it is defined and any forests that share trust with the defining forest. The website or email address of
7 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 the certificate owner is often used as a common name. Client applications often refer to a certification authority (CA) by the CN of its signing certificate. cryptographic service provider (CSP): A software module that implements cryptographic functions for calling applications that generates digital signatures. Multiple CSPs may be installed. A CSP is identified by a name represented by a NULL-terminated Unicode string. digital signature: A message authenticator that is typically derived from a cryptographic operation by using an asymmetric algorithm and private key. When a symmetric algorithm is used for this purpose, the authenticator is typically referred to as a Message Authentication Code (MAC). directory: The database that stores information about objects such as users, groups, computers, printers, and the directory service that makes this information available to users and applications. discretionary access control list (DACL): An access control list (ACL) that is controlled by the owner of an object and that specifies the access particular users or groups can have to the object. distinguished name (DN): In Lightweight Directory Access Protocol (LDAP), an LDAP Distinguished Name, as described in [RFC2251] section 4.1.3. The DN of an object is the DN of its parent, preceded by the RDN of the object. For example: CN=David Thompson, OU=Users, DC=Microsoft, DC=COM. For definitions of CN and OU, see [RFC2256] sections 5.4 and 5.12, respectively. domain: A set of users and computers sharing a common namespace and management infrastructure. At least one computer member of the set must act as a domain controller (DC) and host a member list that identifies all members of the domain, as well as optionally hosting the Active Directory service. The domain controller provides authentication of members, creating a unit of trust for its members. Each domain has an identifier that is shared among its members. For more information, see [MS-AUTHSOD] section 1.1.1.5 and [MS-ADTS]. domain controller (DC): The service, running on a server, that implements Active Directory, or the server hosting this service. The service hosts the data store for objects and interoperates with other DCs to ensure that a local change to an object replicates correctly across all DCs. When Active Directory is operating as Active Directory Domain Services (AD DS), the DC contains full NC replicas of the configuration naming context (config NC), schema naming context (schema NC), and one of the domain NCs in its forest. If the AD DS DC is a global catalog server (GC server), it contains partial NC replicas of the remaining domain NCs in its forest. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. When Active Directory is operating as Active Directory Lightweight Directory Services (AD LDS), several AD LDS DCs can run on one server. When Active Directory is operating as AD DS,
8 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 only one AD DS DC can run on one server. However, several AD LDS DCs can coexist with one AD DS DC on one server. The AD LDS DC contains full NC replicas of the config NC and the schema NC in its forest. The domain controller is the server side of Authentication Protocol Domain Support [MS-APDS]. enroll: To request and acquire a digital certificate from a certificate authority (CA). This is typically accomplished through a certificate enrollment process. Enroll On Behalf Of (EOBO): A proxy enrollment process in which one user, typically an administrator, enrolls for a certificate for a second user by using the administrator credentials. enrollment permissions: A list of administrator-defined rights or access control lists (ACLs) that define the capability of a given client (user, machine, or device). Enrollment permissions can define a client capability to read a certificate template, write a certificate template, enroll for a certificate based on a specified certificate template, auto- enroll for a certificate based on a specified certificate template, or change permissions on a certificate template. Enrollment permissions are stored on a certificate template and are enforced by the certificate authority (CA). For more information, see [MSFT-TEMPLATES]. enterprise certificate authority (enterprise CA): A certificate authority (CA) that is a member of a domain and that uses the domain's Active Directory service to store policy, authentication, and other information related to the operation of the CA. Specifically, the enterprise CA is a server implementation of the Windows Client Certificate Enrollment Protocol that uses the certificate template data structure (see [MS-CRTD]) in its CA policy algorithm implementation. fully qualified domain name (FQDN): In Active Directory, a fully qualified domain name (FQDN) that identifies a domain. key: In cryptography, a generic term used to refer to cryptographic data that is used to initialize a cryptographic algorithm. Keys are also sometimes referred to as keying material. key archival: The process by which the entity requesting the certificate also submits the private key during the process. The private key is encrypted such that only a key recovery agent can obtain it, preventing accidental disclosure, but preserving a copy in case the entity is unable or unwilling to decrypt data. key recovery agent (KRA): A user, machine, or registration authority that has enrolled and obtained a key recovery certificate. A KRA is any entity that possesses a KRA private key and certificate. For more information on KRAs and the archival process, see [MSFT-ARCHIVE]. Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update
9 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377]. NetBIOS name: A 16-byte address that is used to identify a NetBIOS resource on the network. For more information, see [RFC1001] and [RFC1002]. object: In Active Directory, an entity consisting of a set of attributes, each attribute with a set of associated values. For more information, see [MS- ADTS]. See also directory object. object identifier (OID): In the context of a directory service, a number identifying an object class or attribute. Object identifiers are issued by the ITU and form a hierarchy. An OID is represented as a dotted decimal string (for example, "1.2.3.4"). For more information on OIDs, see [X660] and [RFC3280] Appendix A. OIDs are used to uniquely identify certificate templates available to the certification authority (CA). Within a certificate, OIDs are used to identify standard extensions, as described in [RFC3280] section 4.2.1.x, as well as non-standard extensions. private key: One of a pair of keys used in public-key cryptography. The private key is kept secret and is used to decrypt data that has been encrypted with the corresponding public key. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1. public key: One of a pair of keys used in public-key cryptography. The public key is distributed freely and published as part of a digital certificate. For an introduction to this concept, see [CRYPTO] section 1.8 and [IEEE1363] section 3.1. registration authority (RA): The authority in a PKI that verifies user requests for a digital certificate and indicates to the certificate authority (CA) that it is acceptable to issue a certificate. revocation: The process of invalidating a certificate. For more details, see [RFC3280] section 3.3. Secure/Multipurpose Internet Mail Extensions (S/MIME): A standard for encrypted and digitally signed electronic mail that allows users to send encrypted messages and authenticate received messages. security descriptor: A data structure containing the security information associated with a securable object. A security descriptor identifies an object's owner by its security identifier (SID). If access control is configured for the object, its security descriptor contains a discretionary access control list (DACL) with SIDs for the security principals who are allowed or denied access. Applications use this structure to set and query an object's security status. The security descriptor is used to guard access to an object as well as to control which type of auditing takes place when the object is accessed. The security descriptor format is specified in [MS-DTYP] section 2.4.6; a string representation of security descriptors, called SDDL, is specified in [MS-DTYP] section 2.5.1.
10 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 security identifier (SID): An identifier for security principals that is used to identify an account or a group. Conceptually, the SID is composed of an account authority portion (typically a domain) and a smaller integer representing an identity relative to the account authority, termed the relative identifier (RID). The SID format is specified in [MS-DTYP] section 2.4.2; a string representation of SIDs is specified in [MS-DTYP] section 2.4.2 and [MS-AZOD] section 1.1.1.2. symmetric algorithm: A cryptographic algorithm that uses one secret key that can be shared between authorized parties. The key must be kept secret between communicating parties. The same key is used for both encryption and decryption. For an introduction to this concept and terminology, see [CRYPTO] section 1.5, [IEEE1363] section 3, and [SP800-56A] section 3.1. symmetric key: A secret key used with a cryptographic symmetric algorithm. The key needs to be known to all communicating parties. For an introduction to this concept, see [CRYPTO] section 1.5. MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as defined in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.
1.2 References Links to a document in the Microsoft Open Specifications library point to the correct section in the most recently published version of the referenced document. However, because individual documents in the library are not updated at the same time, the section numbers in the documents may not match. You can confirm the correct section numbering by checking the Errata.
1.2.1 Normative References We conduct frequent surveys of the normative references to assure their continued availability. If you have any issue with finding a normative reference, please contact [email protected]. We will assist you in finding the relevant information. [MS-ADA1] Microsoft Corporation, "Active Directory Schema Attributes A-L".
[MS-ADA2] Microsoft Corporation, "Active Directory Schema Attributes M".
[MS-ADA3] Microsoft Corporation, "Active Directory Schema Attributes N-Z".
[MS-ADSC] Microsoft Corporation, "Active Directory Schema Classes".
[MS-ADTS] Microsoft Corporation, "Active Directory Technical Specification".
[MS-DTYP] Microsoft Corporation, "Windows Data Types".
[MS-WCCE] Microsoft Corporation, "Windows Client Certificate Enrollment Protocol".
11 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 [PKCS12] RSA Laboratories, "PKCS #12: Personal Information Exchange Syntax Standard", PKCS #12, Version 1.0, http://www.emc.com/emc- plus/rsa-labs/standards-initiatives/pkcs12-personal-information-exchange- syntax-standard.htm
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, http://www.rfc- editor.org/rfc/rfc2119.txt
[RFC2251] Wahl, M., Howes, T., and Kille, S., "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997, http://www.ietf.org/rfc/rfc2251.txt
[RFC2560] Myers, M., Ankney, R., Malpani, A., Glaperin, S., and Adams, C., "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP", RFC 2560, June 1999, http://www.ietf.org/rfc/rfc2560.txt
[RFC3280] Housley, R., Polk, W., Ford, W., and Solo, D., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3280, April 2002, http://www.ietf.org/rfc/rfc3280.txt
[RFC4262] Santesson, S., "X.509 Certificate Extension for Secure/Multipurpose Internet Mail Extensions (S/MIME) Capabilities", RFC 4262, December 2005, http://www.ietf.org/rfc/rfc4262.txt
[RFC4523] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates", RFC 4523, June 2006, http://www.rfc- editor.org/rfc/rfc4523.txt
1.2.2 Informative References [MS-CERSOD] Microsoft Corporation, "Certificate Services Protocols Overview".
[MSDN-KEY] Microsoft Corporation, "CERT_KEY_CONTEXT structure", http://msdn.microsoft.com/en-us/library/aa377205.aspx
1.3 Overview This specification defines the syntax and interpretation of certificate templates. Certificate templates are data structures that specify how certificate requests and certificates are constructed and issued as documented in [MS-WCCE]. The structures also provide settings that influence the behavior of the computer certificate autoenrollment feature that is described in [MS-CERSOD]. Certificate templates are stored as objects in Active Directory. The Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE], is documented separately. Windows Client Certificate Enrollment Protocol is the protocol by which clients request certificates from the CA and by which any issued certificates are returned to the client. Certificate templates can be thought of as playing a part in that protocol because of their abilities to
12 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 constrain behaviors of the CAs; otherwise, interactions between templates and the Windows Client Certificate Enrollment Protocol are not limited. A client in the Windows Client Certificate Enrollment Protocol can specify a template for the CA to use in building a certificate, but in that context, a template is just another complex data structure that is passed as a parameter to a Windows Client Certificate Enrollment Protocol method.
1.4 Relationship to Other Protocols and Other Structures When used, certificate templates control the behavior of the CA that is accessed by the Windows Client Certificate Enrollment Protocol, as specified in [MS-WCCE], by specifying enrollment policies. If templates are not used, the CA behavior and the conduct of the Windows Client Certificate Enrollment Protocol are unconstrained. LDAP, as specified in [MS-ADTS], is the protocol that retrieves the certificate templates. The process of storing templates in the directory is an implementation-specific detail and is not specified in this document.
1.5 Applicability Statement The data structure specified in this protocol specification is applicable to an environment that enables clients to interact with a CA to enroll or manage X.509 certificates. Certificate templates are only appropriate in an Active Directory domain configuration, as specified in [MS-ADTS]. The protocol (carrying templates) is only used to communicate from computers in the domain to a domain controller (DC) for the domain.
1.6 Versioning and Localization To determine the certificate template schema version, clients and servers read the msPKI-Template-Schema-Version attribute on the certificate template object. For more information, see section 2.16.<1>
1.7 Vendor-Extensible Fields None.
13 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 2 Structures The PKI-Certificate-Template class ([MS-ADSC] section 2.221) is the Active Directory schema class that is used for storing template information and attributes. PKI-Certificate-Template is a container in which all subsequent properties are contained. All attributes defined later in this section are identified by their ldapDisplayName and are case-insensitive.
2.1 cn Attribute The cn attribute is the common name (CN) of the certificate template.<2> For schema details of this attribute, see [MS-ADA1] section 2.110.
2.2 displayName Attribute The displayName attribute is the display name of a certificate template.<3> For schema details of this attribute, see [MS-ADA1] section 2.175.
2.3 distinguishedName Attribute The distinguishedName attribute is the distinguished name (DN) of the certificate template.<4> For schema details of this attribute, see [MS- ADA1] section 2.177.
2.4 flags Attribute The flags attribute is the general-enrollment flags attribute. These flags are communicated as an integer value of this attribute.<5> The attribute value can be 0, or it can consist of a bitwise OR of flags from the following table. Flag Meaning
0x00000020 This flag is the same as CT_FLAG_AUTO_ENROLLMENT specified in section CT_FLAG_AUTO_ENROLLMENT 2.26.
0x00000040 This flag indicates that this certificate template is for an end entity that CT_FLAG_MACHINE_TYPE represents a machine.
0x00000080 This flag indicates a certificate request for a CA certificate. CT_FLAG_IS_CA
0x00000200 This flag indicates that a certificate based on this section needs to include a CT_FLAG_ADD_TEMPLATE_NAME template name certificate extension.
0x00000800 This flag indicates a certificate request for cross-certifying a certificate. CT_FLAG_IS_CROSS_CA Processing rules for this flag are specified in [MS-WCCE] sections 3.1.2.4.2.2.1.1 and 3.2.2.6.2.1.4.4.1.
0x00010000 This flag indicates that the template SHOULD not be modified in any way; it is CT_FLAG_IS_DEFAULT not used by the client or server in the Windows Client Certificate Enrollment Protocol.
0x00020000 This flag indicates that the template MAY be modified if required; it is not CT_FLAG_IS_MODIFIED used by the client or server in the Windows Client Certificate Enrollment Protocol.
0x00000400 This flag indicates that the record of a certificate request for a certificate that CT_FLAG_DONOTPERSISTINDB is issued need not be persisted by the CA.<6>
0x00000002 Reserved. All protocols MUST ignore this flag.
14 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Meaning
CT_FLAG_ADD_EMAIL
0x00000008 Reserved. All protocols MUST ignore this flag. CT_FLAG_PUBLISH_TO_DS
0x00000010 Reserved. All protocols MUST ignore this flag. CT_FLAG_EXPORTABLE_KEY For schema details of this attribute, see [MS-ADA1] section 2.231.
2.5 ntSecurityDescriptor Attribute The ntSecurityDescriptor attribute ([MS-ADA3] section 2.37) is a security descriptor as specified in [MS-DTYP] section 2.4.6.<7> The discretionary access control list (DACL) field of the security descriptor is an access control list (ACL) (as specified in [MS-DTYP] section 2.4.5) that specifies the permission set for this certificate template. Each access control entry (ACE) (as specified in [MS-DTYP] section 2.4.4) in the ACL specifies access rights. The data structure in this attribute supports all types of ACE. However, the Windows Client Certificate Enrollment Protocol uses only two predefined permissions: Enroll and AutoEnroll. The AutoEnroll permission instructs the Windows autoenrollment client to enroll for that template automatically.
2.5.1 Determining Enrollment Permission of an End Entity for a Template Following are the processing rules to determine enrollment for end entities on a certificate template. The protocol behavior for these permissions is specified in [MS-WCCE] section 3.2.2.6.2.1.4.3 "Verify End Entity Permissions". Input Parameters: § Template_ntSecurityDescriptor: The ntSecurityDescriptor attribute of the input template. § Requester_SID: Contains the security identifier (SID) ([MS-DTYP] section 2.4.2) of the end entity. Output Parameter: This parameter can be either TRUE or FALSE. Processing Rules: An entity (Active Directory user or group) has enrollment permission and output parameter is set to TRUE if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor contains an ACE that satisfies either one of the following sets of characteristics: It has an object allowed ACE (see [MS-DTYP] section 2.4.4.3) that satisfies all of the following conditions: § The Requester_SID input parameter is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_OBJECT_ACE. This implies that it is an ACCESS_ALLOWED_OBJECT_ACE structure, as specified in [MS-DTYP] section 2.4.4.3. § The Mask field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST have the bits set as specified by the X in the following diagram.
15 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 X
§ The ObjectType field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST be identical to the Enroll GUID in the following table. GUID is defined in [MS-DTYP] section 2.3.4. Or, It has an allowed ACE (see [MS-DTYP] section 2.4.4.2) that satisfies all the following conditions: § The Requester SID input parameter is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_ACE structure, as specified in [MS-DTYP] section 2.4.4.2. § The Mask field of the ACCESS_ALLOWED_ACE structure MUST have the bits set as specified by the X in the following diagram. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 X
An entity is denied enrollment permissions if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor has the same ACE as previously described, except that the AceType field is set to ACCESS_DENIED_OBJECT_ACE_TYPE.
2.5.2 Determining Autoenrollment Permission of an End Entity for a Template Following are the processing rules to determine enrollment for end entities on a certificate template. Input Parameters: § Template_ntSecurityDescriptor: The ntSecurityDescriptor attribute of the input template. § Requester_SID: Contains the SID ([MS-DTYP] section 2.4.2) of the end entity. Output Parameter: This parameter can be either TRUE or FALSE. Processing Rules: An entity (Active Directory user or group) has AutoEnroll permission and output parameter is set to TRUE if the DACL of the input parameter Template_ntSecurityDescriptor contains an ACE that satisfies either one of the following sets of characteristics: It has an object allowed ACE that satisfies all of the following conditions: § The Requester_SID input parameter is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_OBJECT_ACE_TYPE.
16 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 This implies that it is an ACCESS_ALLOWED_OBJECT_ACE structure, as specified in [MS-DTYP] section 2.4.4.3. § The Mask field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST have the bits set as specified by the X in the following diagram. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 X
§ The ObjectType field of the ACCESS_ALLOWED_OBJECT_ACE structure MUST be identical to the AutoEnroll GUID in the following table. Or, It has an allowed ACE that satisfies all the following conditions: § The Requester_SID input parameter is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS-DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. This implies that it is an ACCESS_ALLOWED_ACE structure, as specified in [MS-DTYP] section 2.4.4.2. § The Mask field of the ACCESS_ALLOWED_ACE structure MUST have the bits set as specified by the X in the following diagram. 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 X
An entity is denied AutoEnroll permissions if the DACL of the security descriptor that is stored in input parameter Template_ntSecurityDescriptor has the same ACE as previously described except that the AceType field is set to ACCESS_DENIED_OBJECT_ACE_TYPE. The following table lists the predefined GUIDs for the ObjectType field of these ACCESS_ALLOWED_OBJECT_ACE structures. Rights and GUID Permission
CR; 0e10c968-78fb-11d2-90d4-00c04f79dc55 Enroll
CR; a05b8cc2-17bc-4802-a710-e7c15ab866a2 AutoEnroll
2.5.3 Sets of Permission Bits If an administrator wants to set permissions for a certificate template, the combined effect of three sets of permission bits can be meaningful: Read, Write, and Full Control. § Read permission An entity (Active Directory user or group) has Read permission if the DACL of the security descriptor that is stored in the ntSecurityDescriptor attribute contains an ACE that has the following characteristics:
17 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 § The entity has a SID (as specified in [MS-DTYP] section 2.4.2) that is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS- DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. § The Mask field of the ACCESS_ALLOWED_ACE_TYPE structure MUST have the following bits set: § RC as specified in [MS-DTYP] section 2.4.3 § LC as specified in [MS-ADTS] section 5.1.3.2 § RP as specified in [MS-ADTS] section 5.1.3.2 § Write permission An entity (Active Directory user or group) has Write permission if the DACL of the security descriptor that is stored in the ntSecurityDescriptor attribute contains an ACE that has the following characteristics: § The entity has a SID (as specified in [MS-DTYP] section 2.4.2) that is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS- DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. § The Mask field of the ACCESS_ALLOWED_ACE_TYPE structure MUST have the following bits set: § WO as specified in [MS-DTYP] section 2.4.3 § WD as specified in [MS-DTYP] section 2.4.3 § WP as specified in [MS-ADTS] section 5.1.3.2 § Full Control permission An entity (Active Directory user or group) has Full Control permission if the DACL of the security descriptor that is stored in this attribute contains an ACE that has the following characteristics: § The entity has a SID (as specified in [MS-DTYP] section 2.4.2) that is identical to the SID associated with this ACE. § The AceType field of the ACE_HEADER structure (as specified in [MS- DTYP] section 2.4.4.1) is ACCESS_ALLOWED_ACE_TYPE. § The Mask field of the ACCESS_ALLOWED_ACE_TYPE structure MUST have the following bits set: § RC as specified in [MS-DTYP] section 2.4.3 § WO as specified in [MS-DTYP] section 2.4.3 § WD as specified in [MS-DTYP] section 2.4.3 § DE as specified in [MS-DTYP] section 2.4.3 § CC as specified in [MS-ADTS] section 5.1.3.2 § DC as specified in [MS-ADTS] section 5.1.3.2 § LC as specified in [MS-ADTS] section 5.1.3.2 § VW as specified in [MS-ADTS] section 5.1.3.2 § RP as specified in [MS-ADTS] section 5.1.3.2 § WP as specified in [MS-ADTS] section 5.1.3.2 § DT as specified in [MS-ADTS] section 5.1.3.2 § LO as specified in [MS-ADTS] section 5.1.3.2 § CR as specified in [MS-ADTS] section 5.1.3.2
18 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 2.6 revision Attribute The revision attribute is the major version of the template.<8> For more information and examples regarding usage, see [MS-WCCE] sections 3.1.2.4.2.2.1.9 and 3.2.2.6.2.1.4.2. For schema details of this attribute, see [MS-ADA3] section 2.199.
2.7 pKICriticalExtensions Attribute The pKICriticalExtensions attribute is a list of OIDs that identify extensions that MUST have critical flags enabled, if present, in an issued certificate. For more information about critical extensions, see [RFC3280] section 4.2.<9> For schema details of this attribute, see [MS-ADA3] section 2.95.
2.8 pKIDefaultCSPs Attribute The pKIDefaultCSPs attribute is a list of cryptographic service providers (CSPs) that are used to create the private key and public key.<10> Each list element MUST be in the following format: intNum,
2.9 pKIDefaultKeySpec Attribute The following table shows the values that are allowed for the pKIDefaultKeySpec attribute.<11> Value Meaning
1 AT_KEYEXCHANGE – Keys used to encrypt/decrypt session keys.
2 AT_SIGNATURE – Keys used to create and verify digital signatures. For schema details of this attribute, see [MS-ADA3] section 2.97.
2.10 pKIEnrollmentAccess Attribute The pKIEnrollmentAccess attribute is not used by any protocol.<12> For schema details of this attribute, see [MS-ADA3] section 2.98.
2.11 pKIExpirationPeriod Attribute The pKIExpirationPeriod attribute represents the maximum validity period of the certificate.<13> The attribute is an 8-byte octet string that initializes the FILETIME structure defined in [MS-DTYP] section 2.3.3.
19 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 For schema details of this attribute, see [MS-ADA3] section 2.99.
2.12 pKIExtendedKeyUsage Attribute The pKIExtendedKeyUsage attribute is a list of OIDs that represent extended key usages, as specified in [RFC3280] section 4.2.1.13.<14> For schema details of this attribute, see [MS-ADA3] section 2.100.
2.13 pKIKeyUsage Attribute The pKIKeyUsage attribute is a key usage extension.<15> For schema details of this attribute, see [MS-ADA3] section 2.101.
2.14 pKIMaxIssuingDepth Attribute The pKIMaxIssuingDepth attribute is the maximum depth value for the Basic Constraint extension, as specified in [RFC3280] section 4.2.1.10.<16> For schema details of this attribute, see [MS-ADA3] section 2.102.
2.15 pKIOverlapPeriod Attribute The pKIOverlapPeriod attribute represents the time before a certificate expires, during which time, clients need to send a certificate renewal request, as described in [MS-CERSOD] sections 2.5.2, 2.5.3.1, and 3.5. The attribute is an 8-byte octet string that initializes the FILETIME structure that is defined in [MS-DTYP] section 2.3.3. For schema details of this attribute, see [MS-ADA3] section 2.103.
2.16 msPKI-Template-Schema-Version Attribute The msPKI-Template-Schema-Version attribute specifies the schema version of the templates. The allowed values are 1, 2, 3, and 4.<17> For schema details of this attribute, see [MS-ADA2] section 2.608.
2.17 msPKI-Template-Minor-Revision Attribute The msPKI-Template-Minor-Revision attribute specifies the minor version of the templates.<18> Supported values are 0 to 0x7fffffff. For schema details of this attribute, see [MS-ADA2] section 2.607.
2.18 msPKI-RA-Signature Attribute The msPKI-RA-Signature attribute specifies the number of recovery agent signatures that are required on a request that references this template.<19> For schema details of this attribute, see [MS-ADA2] section 2.604.
2.19 msPKI-Minimal-Key-Size Attribute The msPKI-Minimal-Key-Size attribute specifies the minimum size, in bits, of the public key that the client creates to obtain a certificate based on this template.<20> For schema details of this attribute, see [MS-ADA2] section 2.596.
20 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 2.20 msPKI-Cert-Template-OID Attribute The msPKI-Cert-Template-OID attribute specifies the object identifier (OID) of this template.<21> For schema details of this attribute, see [MS-ADA2] section 2.589.
2.21 msPKI-Supersede-Templates Attribute The msPKI-Supersede-Templates attribute that contains the CNs of all superseded templates.<22> For schema details of this attribute, see [MS- ADA2] section 2.606.
2.22 msPKI-RA-Policies Attribute The msPKI-RA-Policies attribute is a multistring attribute that specifies a set of certificate policy OIDs, as specified in [RFC3280] section 4.2.1.5, for the registration authority (RA) certificates.<23> For schema details of this attribute, see [MS-ADA2] section 2.603.
2.23 msPKI-RA-Application-Policies Attribute The msPKI-RA-Application-Policies attribute encapsulates embedded properties for multipurpose use. The syntax for the data that is stored in this attribute is different, depending on the schema version for the template. The schema version of the template is stored in the msPKI-Template-Schema-Version attribute of the certificate template, as described in section 2.16.<24>
2.23.1 Syntax Option 1 Note An alternative scenario for template schema version 4 is defined in section 2.23.2. If either of the following is true: § The template version is 1 or 2. § The template version is 4 and the template has the CT_FLAG_USE_LEGACY_PROVIDER bit of the msPKI-Private-Key-Flag attribute set. Then the msPKI-RA-Application-Policies attribute contains multistring attributes that specify a set of application policy OIDs for the RA certificates. Application policy OIDs are the same as extended key usage OIDs, as specified in [RFC3280] section 4.2.1.13.
2.23.2 Syntax Option 2 Note An alternative scenario for template schema version 4 is defined in section 2.23.1. If either of the following is true: § The template is version 3. § The template version is 4 and the template does not have the CT_FLAG_USE_LEGACY_PROVIDER bit of the msPKI-Private-Key-Flag attribute set.
21 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Then the msPKI-RA-Application-Policies attribute contains a string of property- type-value triplets that are separated by a grave accent (`) character. Each triplet for this attribute has the following format.
3 Name`Type`Value`
Where: Tag Description
Name The property name. This value MUST be one of the property names in the following list.
Type The Type MUST be "DWORD" or "PZPWSTR". If "DWORD" is used, the Value field contains a Unicode string representation of a positive decimal number. If "PZPWSTR" is used, the Value field contains a Unicode string.
Value The value of the parameter.
` A delimiter symbol separator. The property name MUST be one of the following: § msPKI-RA-Application-Policies: A string value that represents a set of application policy OIDs (comma-separated) for the RA certificates. Application policy OIDs are the same as extended key usage OIDs, as specified in [RFC3280] section 4.2.1.13. The type MUST be "PZPWSTR". § msPKI-Asymmetric-Algorithm: A string value that represents the name of the asymmetric algorithm. The type MUST be "PZPWSTR". § msPKI-Key-Security-Descriptor: A Security Descriptor Description Language (SDDL) string that represents the security descriptor (as specified in [MS-DTYP] section 2.5.1) for the asymmetric key. The type MUST be "PZPWSTR". § msPKI-Symmetric-Algorithm: A string value that represents the name of the symmetric algorithm that clients use for key exchanges. The type MUST be "PZPWSTR". § msPKI-Symmetric-Key-Length: An unsigned integer value that represents the length, in bits, of the symmetric key. The type MUST be DWORD. § msPKI-Hash-Algorithm: A string value that represents the name of the hash algorithm that clients use. The type MUST be "PZPWSTR". § msPKI-Key-Usage: An unsigned integer value that represents how the private key is used (see [MS-WCCE] section 3.1.2.4.2.2.2.5). The type MUST be DWORD. A bitwise OR of the following flags is supported for this property. Name Value Meaning
NCRYPT_ALLOW_DECRYPT_FLAG 0x00000001 The private key can be used to perform a decryption operation.
NCRYPT_ALLOW_SIGNING_FLAG 0x00000002 The private key can be used to perform a signature operation.
ALLOW_KEY_AGREEMENT_FLAG 0x00000004 The private key can be used to perform a key-agreement operation.
NCRYPT_ALLOW_ALL_USAGES 0x00ffffff The private key is not restricted to any specific cryptographic operations.
22 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 For example:
4 msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash-Algorithm`PZPWSTR`SHA1`msPKI-
5 Key-Usage`DWORD`2`msPKI-RA-Application-Policies`PZPWSTR`1.3.6.1.4.1.311.10.3.8`
For schema details of this attribute, see [MS-ADA2] section 2.602.
5.1 msPKI-Certificate-Policy Attribute The msPKI-Certificate-Policy attribute specifies each string that represents a policy OID to be added to the certificate policy extension, as specified in [RFC3280] section 4.2.1.5.<25> For schema details of this attribute, see [MS-ADA2] section 2.592.
5.2 msPKI-Certificate-Application-Policy Attribute Each string in the msPKI-Certificate-Application-Policy attribute represents an application policy OID to be added to the certificate application policy extension.<26> Application policy OIDs are the same as extended key usage OIDs, as specified in [RFC3280] section 4.2.1.13. For schema details of this attribute, see [MS-ADA2] section 2.590.
5.3 msPKI-Enrollment-Flag Attribute The msPKI-Enrollment-Flag attribute specifies the enrollment flags. The attribute value can be 0, or it can consist of a bitwise OR of flags from the following table.<27> Flag Meaning
0x00000001 This flag instructs the CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS client and server to include a Secure/Multipurpos e Internet Mail Extensions (S/MIME) certificate extension, as specified in [RFC4262], in the request and in the issued certificate.
0x00000002 This flag instructs the CT_FLAG_PEND_ALL_REQUESTS CA to put all requests in a pending state.
0x00000004 This flag instructs the CT_FLAG_PUBLISH_TO_KRA_CONTAINER CA to publish the issued certificate to the key recovery agent (KRA) container in Active Directory, as specified in [MS- ADTS].
0x00000008 This flag instructs CA CT_FLAG_PUBLISH_TO_DS servers to append the issued certificate to the userCertificate
23 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Meaning
attribute, as specified in [RFC4523], on the user object in Active Directory. The server processing rules for this flag are specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.
0x00000010 This flag instructs CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE clients not to do autoenrollment for a certificate based on this template if the user's userCertificate attribute (specified in [RFC4523]) in Active Directory has a valid certificate based on the same template.
0x00000020 This flag instructs CT_FLAG_AUTO_ENROLLMENT clients to perform autoenrollment for the specified template.
0x00000040 This flag instructs CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT clients to sign the renewal request using the private key of the existing certificate. For more information, see [MS-WCCE] section 3.2.2.6.2.1.4.5.6.This flag also instructs the CA to process the renewal requests as specified in [MS- WCCE] section 3.2.2.6.2.1.4.5.6.
0x00000100 This flag instructs the CT_FLAG_USER_INTERACTION_REQUIRED client to obtain user consent before attempting to enroll for a certificate that is based on the specified template.
0x00000400 This flag instructs the CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE autoenrollment client to delete any certificates that are no longer needed based on the specific template from the local certificate storage. For information about autoenrollment and the local certificate storage, see [MS- CERSOD] section 2.1.2.2.2.
0x00000800 This flag instructs the CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF server to allow enroll on behalf of (EOBO)
24 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Meaning
functionality.
0x00001000 This flag instructs the CT_FLAG_ADD_OCSP_NOCHECK server to not include revocation information and add the id-pkix-ocsp- nocheck extension, as specified in [RFC2560] section 4.2.2.2.1, to the certificate that is issued.<28>
0x00002000 This flag instructs the CT_FLAG_ENABLE_KEY_REUSE_ON_NT_TOKEN_KEYSET_STORAGE_FULL client to reuse the private key for a smart card–based certificate renewal if it is unable to create a new private key on the card.<29>
0x00004000 This flag instructs the CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS server to not include revocation information in the issued certificate.<30>
0x00008000 This flag instructs the CT_FLAG_INCLUDE_BASIC_CONSTRAINTS_FOR_EE_CERTS server to include Basic Constraints extension (specified in [RFC3280] section 4.2.1.10) in the end entity certificates.<31>
0x00010000 This flag instructs the CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLME CA to ignore the NT requirement for Enroll permissions on the template when processing renewal requests as specified in [MS-WCCE] section 3.2.2.6.2.1.4.5.6.<32 >
0x00020000 This flag indicates that CT_FLAG_ISSUANCE_POLICIES_FROM_REQUEST the certificate issuance policies to be included in the issued certificate come from the request rather than from the template. The template contains a list of all of the issuance policies that the request is allowed to specify; if the request contains policies that are not listed in the template, then the request is rejected. For the processing rules of this flag, see [MS-WCCE]
25 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Meaning
section 3.2.2.6.2.1.4.5.8.<33 > For schema details of this attribute, see [MS-ADA2] section 2.594.
5.4 msPKI-Private-Key-Flag Attribute The msPKI-Private-Key-Flag attribute specifies the private key flags. Its value can be 0 or can consist of a bitwise OR of flags from the following table.<34> Flag Meaning
0x00000001 This flag instructs the client to create a key CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL archival certificate request, as specified in [MS- WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.
0x00000010 This flag instructs the client to allow other CT_FLAG_EXPORTABLE_KEY applications to copy the private key to a .pfx file, as specified in [PKCS12], at a later time.
0x00000020 This flag instructs the client to use additional CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED protection for the private key.
0x00000040 This flag instructs the client to use an alternate CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM signature format. For more details, see [MS-WCCE] section 3.1.2.4.2.2.2.8.
0x00000080 This flag instructs the client to use the same key CT_FLAG_REQUIRE_SAME_KEY_RENEWAL when renewing the certificate.<35>
0x00000100 This flag instructs the client to process the msPKI- CT_FLAG_USE_LEGACY_PROVIDER RA-Application-Policies attribute as specified in section 2.23.1.<36>
0x00000000 * This flag indicates that attestation data is not CT_FLAG_ATTEST_NONE required when creating the certificate request. It also instructs the server to not add any attestation OIDs to the issued certificate. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.
0x00002000 * This flag informs the client that attestation data is CT_FLAG_ATTEST_REQUIRED required when creating the certificate request. It also instructs the server that attestation must be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.
0x00001000 * This flag informs the client that it SHOULD include CT_FLAG_ATTEST_PREFERRED attestation data if it is capable of doing so when creating the certificate request. It also instructs the server that attestation might or might not be completed before any certificates can be issued. For more details, see [MS-WCCE] sections 3.1.2.4.2.2.2.8 and 3.2.2.6.2.1.4.5.7.
0x00004000 * This flag instructs the server to not add any CT_FLAG_ATTESTATION_WITHOUT_POLICY certificate policy OIDs to the issued certificate even though attestation SHOULD be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.
0x00000200 * This flag indicates that attestation based on the CT_FLAG_EK_TRUST_ON_USE user's credentials is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7.
0x00000400 * This flag indicates that attestation based on the CT_FLAG_EK_VALIDATE_CERT hardware certificate of the Trusted Platform Module (TPM) is to be performed. For more details, see [MS-
26 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Meaning
WCCE] section 3.2.2.6.2.1.4.5.7.
0x00000800 * This flag indicates that attestation based on the CT_FLAG_EK_VALIDATE_KEY hardware key of the TPM is to be performed. For more details, see [MS-WCCE] section 3.2.2.6.2.1.4.5.7. * Support for these flags is specified in the following behavior note.<37> § The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x000F0000 determines whether the current CA can issue a certificate based on this template, as explained in [MS-WCCE] section 3.2.2.6.2.1.4.5.7. § The bitwise AND of the value of the msPKI-Private-Key-Flag attribute and 0x0F000000 determines whether the current template is supported by the client, as explained in [MS-WCCE] section 3.1.2.4.2.2.2.8. For schema details of this attribute, see [MS-ADA2] section 2.601.
5.5 msPKI-Certificate-Name-Flag Attribute The msPKI-Certificate-Name-Flag attribute specifies the subject name flags. Its value can be 0, or it can consist of a bitwise OR of flags from the following table.<38> The processing rules for these flags are specified in [MS-WCCE] sections 3.1.2.4.2.2.2.10 and 3.2.2.6.2.1.4.5.9. Flag Client processing
0x00000001 This flag instructs the client to supply subject CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT information in the certificate request.
0x00010000 This flag instructs the client to supply subject CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME alternate name information in the certificate request.
0x00400000 This flag instructs the CA to add the value of the CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS requester's FQDN and NetBIOS name to the Subject Alternative Name extension of the issued certificate.
0x01000000 This flag instructs the CA to add the value of the CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID objectGUID attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x02000000 This flag instructs the CA to add the value of the CT_FLAG_SUBJECT_ALT_REQUIRE_UPN UPN attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x04000000 This flag instructs the CA to add the value of the CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL email attribute from the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x08000000 This flag instructs the CA to add the value obtained CT_FLAG_SUBJECT_ALT_REQUIRE_DNS from the DNS attribute of the requestor's user object in Active Directory to the Subject Alternative Name extension of the issued certificate.
0x10000000 This flag instructs the CA to add the value obtained CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN from the DNS attribute of the requestor's user object in Active Directory as the CN in the subject of the issued certificate.
27 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 Flag Client processing
0x20000000 This flag instructs the CA to add the value of the CT_FLAG_SUBJECT_REQUIRE_EMAIL email attribute from the requestor's user object in Active Directory as the subject of the issued certificate.
0x40000000 This flag instructs the CA to set the subject name CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME to the requestor's CN from Active Directory, as specified in [MS-ADTS] section 3.1.1.1.7.
0x80000000 This flag instructs the CA to set the subject name CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH to the requestor's distinguished name (DN) from Active Directory, as specified in [MS-ADTS] section 3.1.1.1.4.
0x00000008 This flag instructs the client to reuse values of CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME subject name and alternative subject name extensions from an existing valid certificate when creating a certificate renewal request.<39> For schema details of this attribute, see [MS-ADA2] section 2.591.
28 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 6 Structure Example The example in this section is a result of executing the following command on any computer that runs applicable Windows Server releases.
7 certutil -v -dstemplate administrator
The command reads attributes of the "administrator" certificate template.
8
9 [Administrator]
10 objectClass = "top", "pKICertificateTemplate"
11 cn = "Administrator"
12 distinguishedName =
13 "CN=Administrator,CN=Certificate Templates,
14 CN=Public Key Services,CN=Services,
15 CN=Configuration,DC=contoso, DC=com"
16 instanceType = "4"*
17 whenCreated = "19990212152445.0Z" 2/12/1999 7:24 AM*
18 whenChanged = "20060908182747.0Z" 9/8/2006 10:27 AM*
19 displayName = "Administrator"
20 uSNCreated = "8221" 0x201d*
21 uSNChanged = "8221" 0x201d*
22 showInAdvancedViewOnly = "TRUE"*
23 name = "Administrator"
24 objectGUID = "0dbfa8b3-c28f-11d2-91e6-08002ba3ed3b"*
25 flags = "66106" 0x1023a**
26
27 (CT_FLAG_MACHINE_TYPE -- 40 (64))
28 (CT_FLAG_IS_CA -- 80 (128))
29 (CT_FLAG_IS_CROSS_CA -- 800 (2048))
30 CT_FLAG_IS_DEFAULT -- 10000 (65536)
31 (CT_FLAG_IS_MODIFIED -- 20000 (131072))
32
29 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 33 revision = "4"
34 *objectCategory =
35 "CN=PKI-Certificate-Template,CN=Schema,
36 CN=Configuration,DC=contoso,DC=com"
37 pKIDefaultKeySpec = "1"
38 pKIKeyUsage = "a0 00"
39 pKIMaxIssuingDepth = "0"
40 pKIExpirationPeriod = "1 Years"
41 pKIOverlapPeriod = "6 Weeks"
42 pKIExtendedKeyUsage =
43 "1.3.6.1.4.1.311.10.3.1" Microsoft Trust List Signing,
44 "1.3.6.1.4.1.311.10.3.4" Encrypting File System,
45 "1.3.6.1.5.5.7.3.4" Secure Email, "1.3.6.1.5.5.7.3.2"
46 Client Authentication
47 pKIDefaultCSPs =
48 "2,Microsoft Base Cryptographic Provider v1.0",
49 "1,Microsoft Enhanced Cryptographic Provider v1.0"
50 dSCorePropagationData =
51 "16010101000000.0Z" EMPTY*
52 msPKI-RA-Signature = "0"
53 msPKI-Enrollment-Flag = "41" 0x29**
54
55 CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS -- 1
56 (CT_FLAG_PEND_ALL_REQUESTS -- 2)
57 (CT_FLAG_PUBLISH_TO_KRA_CONTAINER -- 4)
58 CT_FLAG_PUBLISH_TO_DS -- 8
59 (CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE -- 10 (16))
60 CT_FLAG_AUTO_ENROLLMENT -- 20 (32)
61 (CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT -- 40 (64))
62 (CT_FLAG_USER_INTERACTION_REQUIRED -- 100 (256))
30 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 63 (CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE
64 -- 400 (1024))
65 (CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF -- 800 (2048))
66 msPKI-Private-Key-Flag = "16" 0x10**
67
68 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL -- 1)
69 CT_FLAG_EXPORTABLE_KEY -- 10 (16)
70 (CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED -- 20 (32))
71 msPKI-Certificate-Name-Flag = "-1509949440" 0xa6000000**
72
73 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1)
74 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
75 -- 10000 (65536))
76 (CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS
77 -- 400000 (4194304))
78 (CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID
79 -- 1000000 (16777216))
80 CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
81 -- 2000000 (33554432)
82 CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
83 -- 4000000 (67108864)
84 (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS
85 -- 8000000 (134217728))
86 (CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN
87 -- 10000000 (268435456))
88 CT_FLAG_SUBJECT_REQUIRE_EMAIL
89 -- 20000000 (536870912)
90 (CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME
91 -- 40000000 (1073741824))
92 CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
31 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 93 -- 80000000 (-2147483648)
94
*Not used by the Windows Client Certificate Enrollment Protocol. **The flags in parentheses are optional values for the attributes that are not present in the current template. Some of the possible flags for the attribute have been removed because they are not used by the Windows Client Certificate Enrollment Protocol. <40> <41>
32 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 95 Security Considerations
95.1 Policy Certificate templates, including their access control lists (ACLs), express policy by which the enterprise certificate authority (enterprise CA) policy algorithm controls which certificates to issue to end entities in an organization. It is the job of the administrator to translate corporate policy into certificate template contents and ACLs.
95.2 Access Control The ACL of a certificate template can grant one permission that the default certificate server policy algorithm consults: the enrollment permissions. If an entity has the enrollment permission for a certificate type and requests that certificate, the enterprise certificate authority (enterprise CA) policy algorithm causes the certificate server to issue that kind of certificate to that entity. One kind of certificate that can be issued is the Enrollment Agent certificate, which is a particularly powerful certificate. Because an Enrollment Agent is allowed to specify certificates to be issued to any subject, it can bypass corporate security policy. As a result, administrators need to be especially careful when allowing subjects to enroll for Enrollment Agent certificates.
95.3 Auditing It might be appropriate to use auditing mechanisms provided by the directory storing certificate templates objects in order to monitor important types of access like writing to the certificate templates.
33 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 96 Appendix A: Product Behavior The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products. The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section. Windows Client Releases § Windows 2000 Professional operating system § Windows XP operating system § Windows Vista operating system § Windows 7 operating system § Windows 8 operating system § Windows 8.1 operating system § Windows 10 operating system Windows Server Releases § Windows 2000 Server operating system § Windows Server 2003 operating system § Windows Server 2008 operating system § Windows Server 2008 R2 operating system § Windows Server 2012 operating system § Windows Server 2012 R2 operating system § Windows Server 2016 operating system § Windows Server operating system Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition. Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription. <1> Section 1.6: Windows defines four template versions: version 1, version 2, version 3, and version 4. Version 1 templates are supported by CAs that run on Windows 2000 Server and later. Version 2 templates are supported by Microsoft CAs that run on Windows Server 2003 Enterprise Edition operating system, Windows Server 2003 R2 Datacenter Edition operating system, and Windows Server 2008 and later. Version 3 templates are supported by CAs that run on Windows Server 2008 and later. Version 4 templates are supported by CAs that run on Windows Server 2012 and later.
34 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 <2> Section 2.1: The cn attribute is implemented in Windows 2000 Server and later. <3> Section 2.2: The displayName attribute is implemented in Windows 2000 Server and later. <4> Section 2.3: The distinguishedName attribute is implemented in Windows 2000 Server and later. <5> Section 2.4: The flags attribute is implemented in Windows 2000 Server and later. <6> Section 2.4: This flag is supported in applicable Windows Server releases, with exception of Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2 operating system, and Windows Server 2008. <7> Section 2.5: The ntSecurityDescriptor attribute is implemented in Windows 2000 Server and later. <8> Section 2.6: The revision attribute is implemented in Windows 2000 Server and later. <9> Section 2.7: The pKICriticalExtensions attribute is implemented in Windows 2000 Server and later. <10> Section 2.8: The pKIDefaultCSPs attribute is implemented in Windows 2000 Server and later. <11> Section 2.9: The pKIDefaultKeySpec attribute is implemented in Windows 2000 Server and later. For more information about the Microsoft implementation of key types, see [MSDN-KEY]. <12> Section 2.10: The pKIEnrollmentAccess attribute is implemented in Windows 2000 Server and later. <13> Section 2.11: The pKIExpirationPeriod attribute is implemented in Windows 2000 Server and later. <14> Section 2.12: The pKIExtendedKeyUsage attribute is implemented in Windows 2000 Server and later. <15> Section 2.13: The pKIKeyUsage attribute is implemented in Windows 2000 Server and later. <16> Section 2.14: The pKIMaxIssuingDepth attribute is implemented in Windows 2000 Server and later. <17> Section 2.16: The msPKI-Template-Schema-Version attribute is implemented in applicable Windows Server releases, with the exception of Windows 2000 Server. <18> Section 2.17: The msPKI-Template-Minor-Revision attribute is implemented in Windows Server 2003 and later. <19> Section 2.18: The msPKI-RA-Signature attribute is implemented in Windows Server 2003 and later. <20> Section 2.19: The msPKI-Minimal-Key-Size attribute is implemented in Windows Server 2003 and later. <21> Section 2.20: The msPKI-Cert-Template-OID attribute is implemented in Windows Server 2003 and later. <22> Section 2.21: The msPKI-Supersede-Templates attribute is implemented in Windows Server 2003 and later.
35 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 <23> Section 2.22: The msPKI-RA-Policies attribute is implemented in Windows Server 2003 and later. <24> Section 2.23: The msPKI-RA-Application-Policies attribute is implemented in Windows Server 2003 and later. <25> Section 2.24: The msPKI-Certificate-Policy attribute is implemented in Windows Server 2003 and later. <26> Section 2.25: The msPKI-Certificate-Application-Policy attribute is implemented in Windows Server 2003 and later. <27> Section 2.26: The msPKI-Enrollment-Flag attribute is implemented in Windows Server 2003 and later. <28> Section 2.26: This flag is supported in applicable Windows Server releases, with the exception of Windows 2000 Server, Windows Server 2003, and Windows Server 2003 R2. <29> Section 2.26: This flag is supported in Windows Vista and later clients and in Windows Server 2008 and later servers. <30> Section 2.26: This flag is supported in Windows Server 2008 R2 and later. <31> Section 2.26: This flag is supported in Windows Server 2008 R2 and later. <32> Section 2.26: This flag is supported in Windows Server 2012 and later. <33> Section 2.26: This flag is supported in Windows Server 2012 and later. <34> Section 2.27: The msPKI-Private-Key-Flag attribute is implemented in Windows Server 2003 and later. <35> Section 2.27: This flag is supported in Windows Server 2012 and later. <36> Section 2.27: This flag is supported in Windows Server 2012 and later. <37> Section 2.27: These flags are supported only in Windows Server 2012 R2 and later. <38> Section 2.28: The msPKI-Certificate-Name-Flag attribute is implemented in Windows Server 2003 and later. <39> Section 2.28: This flag is supported in Windows Server 2008 R2 and later. <40> Section 3: The following is the list of the default certificate templates and their attribute values that are installed to Active Directory by Windows Server 2003 and Windows XP.
97
98 cn: Administrator;
99 displayName: Administrator;
100 flags: 66106;
101 msPKI-Certificate-Name-Flag: -1509949440;
102 msPKI-Enrollment-Flag: 41;
103 msPKI-Minimal-Key-Size: 1024;
36 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 104 msPKI-Private-Key-Flag: 16;
105 msPKI-RA-Signature: 0;
106 msPKI-Template-Minor-Revision: 1;
107 msPKI-Template-Schema-Version: 1;
108 name: Administrator;
109 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
110 1,Microsoft Enhanced Cryptographic Provider v1.0;
111 pKIDefaultKeySpec: 1;
112 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
113 pKIExtendedKeyUsage (4): 1.3.6.1.4.1.311.10.3.1;
114 1.3.6.1.4.1.311.10.3.4; 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
115 pKIKeyUsage: 0xA0 0x00
116 pKIMaxIssuingDepth: 0;
117 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
118 revision: 4;
119
120 cn: CA;
121 displayName: Root Certification Authority;
122 flags: 65745;
123 msPKI-Certificate-Name-Flag: 1;
124 msPKI-Enrollment-Flag: 0;
125 msPKI-Minimal-Key-Size: 1024;
126 msPKI-Private-Key-Flag: 16;
127 msPKI-RA-Signature: 0;
128 msPKI-Template-Minor-Revision: 1;
129 msPKI-Template-Schema-Version: 1;
130 name: CA;
131 pKICriticalExtensions: 2.5.29.19;
132 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
133 pKIDefaultKeySpec: 2;
134 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF
37 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 135 pKIKeyUsage: 0x86 0x00
136 pKIMaxIssuingDepth: -1;
137 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
138 revision: 5;
139
140 cn: CAExchange;
141 displayName: CA Exchange;
142 flags: 65600;
143 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.5;
144 msPKI-Certificate-Name-Flag: 1;
145 msPKI-Enrollment-Flag: 1;
146 msPKI-Minimal-Key-Size: 1024;
147 msPKI-Private-Key-Flag: 0;
148 msPKI-RA-Signature: 0;
149 msPKI-Template-Minor-Revision: 0;
150 msPKI-Template-Schema-Version: 2;
151 name: CAExchange;
152 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
153 1,Microsoft Enhanced Cryptographic Provider v1.0;
154 pKIDefaultKeySpec: 1;
155 pKIExpirationPeriod: 0x00 0xC0 0x1B 0xD7 0x7F 0xFA 0xFF 0xFF
156 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.5;
157 pKIKeyUsage: 0x20 0x00
158 pKIMaxIssuingDepth: 0;
159 pKIOverlapPeriod: 0x00 0xC0 0x1B 0xD7 0x7F 0xFA 0xFF 0xFF
160 revision: 106;
161
162 cn: CEPEncryption;
163 displayName: CEP Encryption;
164 flags: 66113;
165 msPKI-Certificate-Name-Flag: 1;
38 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 166 msPKI-Enrollment-Flag: 0;
167 msPKI-Minimal-Key-Size: 1024;
168 msPKI-Private-Key-Flag: 0;
169 msPKI-RA-Signature: 0;
170 msPKI-Template-Minor-Revision: 1;
171 msPKI-Template-Schema-Version: 1;
172 name: CEPEncryption;
173 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
174 pKIDefaultKeySpec: 1;
175 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
176 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
177 pKIKeyUsage: 0x20 0x00
178 pKIMaxIssuingDepth: 0;
179 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
180 revision: 4;
181
182 cn: CertificateRequestAgent;
183 displayName: Certificate Request Agent;
184 flags: 131616;
185 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.20.2.1;
186 msPKI-Certificate-Name-Flag: -2113929216;
187 msPKI-Enrollment-Flag: 96;
188 msPKI-Minimal-Key-Size: 1024;
189 msPKI-Private-Key-Flag: 0;
190 msPKI-RA-Application-Policies: 1.3.6.1.4.1.311.20.2.1;
191 msPKI-RA-Signature: 1;
192 msPKI-Template-Minor-Revision: 4;
193 msPKI-Template-Schema-Version: 2;
194 name: CertificateRequestAgent;
195 pKIDefaultCSPs: 1,Microsoft Base Smart Card Crypto Provider;
196 pKIDefaultKeySpec: 2;
39 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 197 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
198 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
199 pKIKeyUsage: 0x80 0x00
200 pKIMaxIssuingDepth: 0;
201 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
202 revision: 100;
203
204 cn: ClientAuth;
205 displayName: Authenticated Session;
206 flags: 197152;
207 msPKI-Certificate-Name-Flag: -2113929216;
208 msPKI-Enrollment-Flag: 32;
209 msPKI-Minimal-Key-Size: 1024;
210 msPKI-Private-Key-Flag: 0;
211 msPKI-RA-Signature: 0;
212 msPKI-Template-Minor-Revision: 1;
213 msPKI-Template-Schema-Version: 1;
214 name: ClientAuth;
215 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
216 2,Microsoft Base Cryptographic Provider v1.0;
217 1,Microsoft Enhanced Cryptographic Provider v1.0;
218 pKIDefaultKeySpec: 2;
219 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
220 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
221 pKIKeyUsage: 0x80 0x00
222 pKIMaxIssuingDepth: 0;
223 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
224 revision: 3;
225
226 cn: CodeSigning;
227 displayName: Code Signing;
40 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 228 flags: 66080;
229 msPKI-Certificate-Name-Flag: -2113929216;
230 msPKI-Enrollment-Flag: 32;
231 msPKI-Minimal-Key-Size: 1024;
232 msPKI-Private-Key-Flag: 0;
233 msPKI-RA-Signature: 0;
234 msPKI-Template-Minor-Revision: 1;
235 msPKI-Template-Schema-Version: 1;
236 name: CodeSigning;
237 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
238 2,Microsoft Base Cryptographic Provider v1.0;
239 1,Microsoft Enhanced Cryptographic Provider v1.0;
240 pKIDefaultKeySpec: 2;
241 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
242 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.3;
243 pKIKeyUsage: 0x80 0x00
244 pKIMaxIssuingDepth: 0;
245 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
246 revision: 3;
247
248 cn: CrossCA;
249 displayName: Cross Certification Authority;
250 flags: 198672;
251 msPKI-Certificate-Name-Flag: 1;
252 msPKI-Enrollment-Flag: 0;
253 msPKI-Minimal-Key-Size: 512;
254 msPKI-Private-Key-Flag: 16;
255 msPKI-RA-Application-Policies: 1.3.6.1.4.1.311.10.3.10;
256 msPKI-RA-Signature: 1;
257 msPKI-Template-Minor-Revision: 0;
258 msPKI-Template-Schema-Version: 2;
41 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 259 name: CrossCA;
260 pKICriticalExtensions: 2.5.29.19;
261 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
262 pKIDefaultKeySpec: 2;
263 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF
264 pKIKeyUsage: 0x86 0x00
265 pKIMaxIssuingDepth: -1;
266 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
267 revision: 110;
268
269 cn: CTLSigning;
270 displayName: Trust List Signing;
271 flags: 66080;
272 msPKI-Certificate-Name-Flag: -2113929216;
273 msPKI-Enrollment-Flag: 32;
274 msPKI-Minimal-Key-Size: 1024;
275 msPKI-Private-Key-Flag: 0;
276 msPKI-RA-Signature: 0;
277 msPKI-Template-Minor-Revision: 1;
278 msPKI-Template-Schema-Version: 1;
279 name: CTLSigning;
280 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
281 2,Microsoft Base Cryptographic Provider v1.0;
282 1,Microsoft Enhanced Cryptographic Provider v1.0;
283 pKIDefaultKeySpec: 2;
284 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
285 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.1;
286 pKIKeyUsage: 0x80 0x00
287 pKIMaxIssuingDepth: 0;
288 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
289 revision: 3;
42 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 290
291 cn: DirectoryEmailReplication;
292 displayName: Directory Email Replication;
293 flags: 196704;
294 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.19;
295 msPKI-Certificate-Name-Flag: 150994944;
296 msPKI-Enrollment-Flag: 41;
297 msPKI-Minimal-Key-Size: 1024;
298 msPKI-Private-Key-Flag: 0;
299 msPKI-RA-Signature: 0;
300 msPKI-Supersede-Templates: DomainController;
301 msPKI-Template-Minor-Revision: 0;
302 msPKI-Template-Schema-Version: 2;
303 name: DirectoryEmailReplication;
304 pKICriticalExtensions: 2.5.29.17;
305 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
306 pKIDefaultKeySpec: 1;
307 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
308 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.19;
309 pKIKeyUsage: 0xa0 0x00
310 pKIMaxIssuingDepth: 0;
311 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
312 revision: 122;
313
314 cn: DomainController;
315 displayName: Domain Controller;
316 flags: 197228;
317 msPKI-Certificate-Name-Flag: 419430400;
318 msPKI-Enrollment-Flag: 41;
319 msPKI-Minimal-Key-Size: 1024;
320 msPKI-Private-Key-Flag: 0;
43 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 321 msPKI-RA-Signature: 0;
322 msPKI-Template-Minor-Revision: 1;
323 msPKI-Template-Schema-Version: 1;
324 name: DomainController;
325 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
326 pKIDefaultKeySpec: 1;
327 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
328 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
329 pKIKeyUsage: 0xa0 0x00
330 pKIMaxIssuingDepth: 0;
331 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
332 revision: 4;
333
334 cn: DomainControllerAuthentication;
335 displayName: Domain Controller Authentication;
336 flags: 196704;
337 msPKI-Certificate-Application-Policy (3): 1.3.6.1.5.5.7.3.2;
338 1.3.6.1.5.5.7.3.1; 1.3.6.1.4.1.311.20.2.2;
339 msPKI-Certificate-Name-Flag: 134217728;
340 msPKI-Enrollment-Flag: 32;
341 msPKI-Minimal-Key-Size: 1024;
342 msPKI-Private-Key-Flag: 0;
343 msPKI-RA-Signature: 0;
344 msPKI-Supersede-Templates: DomainController;
345 msPKI-Template-Minor-Revision: 0;
346 msPKI-Template-Schema-Version: 2;
347 name: DomainControllerAuthentication;
348 pKICriticalExtensions: 2.5.29.17;
349 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
350 pKIDefaultKeySpec: 1;
351 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
44 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 352 pKIExtendedKeyUsage (3): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
353 1.3.6.1.4.1.311.20.2.2;
354 pKIKeyUsage: 0xa0 0x00
355 pKIMaxIssuingDepth: 0;
356 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
357 revision: 119;
358
359 cn: EFS;
360 displayName: Basic EFS;
361 flags: 197176;
362 msPKI-Certificate-Name-Flag: -2113929216;
363 msPKI-Enrollment-Flag: 41;
364 msPKI-Minimal-Key-Size: 1024;
365 msPKI-Private-Key-Flag: 16;
366 msPKI-RA-Signature: 0;
367 msPKI-Template-Minor-Revision: 1;
368 msPKI-Template-Schema-Version: 1;
369 name: EFS;
370 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
371 1,Microsoft Enhanced Cryptographic Provider v1.0;
372 pKIDefaultKeySpec: 1;
373 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
374 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.4;
375 pKIKeyUsage: 0x20 0x00
376 pKIMaxIssuingDepth: 0;
377 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
378 revision: 3;
379
380 cn: EFSRecovery;
381 displayName: EFS Recovery Agent;
382 flags: 66096;
45 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 383 msPKI-Certificate-Name-Flag: -2113929216;
384 msPKI-Enrollment-Flag: 33;
385 msPKI-Minimal-Key-Size: 1024;
386 msPKI-Private-Key-Flag: 16;
387 msPKI-RA-Signature: 0;
388 msPKI-Template-Minor-Revision: 1;
389 msPKI-Template-Schema-Version: 1;
390 name: EFSRecovery;
391 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
392 1,Microsoft Enhanced Cryptographic Provider v1.0;
393 pKIDefaultKeySpec: 1;
394 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF
395 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.4.1;
396 pKIKeyUsage: 0x20 0x00
397 pKIMaxIssuingDepth: 0;
398 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
399 revision: 6;
400
401 cn: EnrollmentAgent;
402 displayName: Enrollment Agent;
403 flags: 197152;
404 msPKI-Certificate-Name-Flag: -2113929216;
405 msPKI-Enrollment-Flag: 32;
406 msPKI-Minimal-Key-Size: 1024;
407 msPKI-Private-Key-Flag: 0;
408 msPKI-RA-Signature: 0;
409 msPKI-Template-Minor-Revision: 1;
410 msPKI-Template-Schema-Version: 1;
411 name: EnrollmentAgent;
412 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
413 2,Microsoft Base Cryptographic Provider v1.0;
46 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 414 1,Microsoft Enhanced Cryptographic Provider v1.0;
415 pKIDefaultKeySpec: 2;
416 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
417 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
418 pKIKeyUsage: 0x80 0x00
419 pKIMaxIssuingDepth: 0;
420 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
421 revision: 4;
422
423 cn: EnrollmentAgentOffline;
424 displayName: Exchange Enrollment Agent (Offline request);
425 flags: 66049;
426 msPKI-Certificate-Name-Flag: 1;
427 msPKI-Enrollment-Flag: 0;
428 msPKI-Minimal-Key-Size: 1024;
429 msPKI-Private-Key-Flag: 0;
430 msPKI-RA-Signature: 0;
431 msPKI-Template-Minor-Revision: 1;
432 msPKI-Template-Schema-Version: 1;
433 name: EnrollmentAgentOffline;
434 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
435 2,Microsoft Base Cryptographic Provider v1.0;
436 1,Microsoft Enhanced Cryptographic Provider v1.0;
437 pKIDefaultKeySpec: 2;
438 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
439 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
440 pKIKeyUsage: 0x80 0x00
441 pKIMaxIssuingDepth: 0;
442 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
443 revision: 4;
47 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 444
445 cn: ExchangeUser;
446 displayName: Exchange User;
447 flags: 66065;
448 msPKI-Certificate-Name-Flag: 1;
449 msPKI-Enrollment-Flag: 1;
450 msPKI-Minimal-Key-Size: 1024;
451 msPKI-Private-Key-Flag: 16;
452 msPKI-RA-Signature: 0;
453 msPKI-Template-Minor-Revision: 1;
454 msPKI-Template-Schema-Version: 1;
455 name: ExchangeUser;
456 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
457 1,Microsoft Enhanced Cryptographic Provider v1.0;
458 pKIDefaultKeySpec: 1;
459 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
460 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4;
461 pKIKeyUsage: 0x20 0x00
462 pKIMaxIssuingDepth: 0;
463 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
464 revision: 7;
465
466 cn: ExchangeUserSignature;
467 displayName: Exchange Signature Only;
468 flags: 66049;
469 msPKI-Certificate-Name-Flag: 1;
470 msPKI-Enrollment-Flag: 0;
471 msPKI-Minimal-Key-Size: 1024;
472 msPKI-Private-Key-Flag: 0;
473 msPKI-RA-Signature: 0;
474 msPKI-Template-Minor-Revision: 1;
48 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 475 msPKI-Template-Schema-Version: 1;
476 name: ExchangeUserSignature;
477 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
478 2,Microsoft Base Cryptographic Provider v1.0;
479 1,Microsoft Enhanced Cryptographic Provider v1.0;
480 pKIDefaultKeySpec: 2;
481 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
482 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4;
483 pKIKeyUsage: 0x80 0x00
484 pKIMaxIssuingDepth: 0;
485 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
486 revision: 6;
487
488 cn: IPSECIntermediateOffline;
489 displayName: IPSEC (Offline request);
490 flags: 197185;
491 msPKI-Certificate-Name-Flag: 1;
492 msPKI-Enrollment-Flag: 0;
493 msPKI-Minimal-Key-Size: 1024;
494 msPKI-Private-Key-Flag: 0;
495 msPKI-RA-Signature: 0;
496 msPKI-Template-Minor-Revision: 1;
497 msPKI-Template-Schema-Version: 1;
498 name: IPSECIntermediateOffline;
499 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
500 pKIDefaultKeySpec: 1;
501 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
502 pKIExtendedKeyUsage: 1.3.6.1.5.5.8.2.2;
503 pKIKeyUsage: 0xa0 0x00
504 pKIMaxIssuingDepth: 0;
505 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
49 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 506 revision: 7;
507
508 cn: IPSECIntermediateOnline;
509 displayName: IPSEC;
510 flags: 197216;
511 msPKI-Certificate-Name-Flag: 402653184;
512 msPKI-Enrollment-Flag: 32;
513 msPKI-Minimal-Key-Size: 1024;
514 msPKI-Private-Key-Flag: 0;
515 msPKI-RA-Signature: 0;
516 msPKI-Template-Minor-Revision: 1;
517 msPKI-Template-Schema-Version: 1;
518 name: IPSECIntermediateOnline;
519 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
520 pKIDefaultKeySpec: 1;
521 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
522 pKIExtendedKeyUsage: 1.3.6.1.5.5.8.2.2;
523 pKIKeyUsage: 0xa0 0x00
524 pKIMaxIssuingDepth: 0;
525 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
526 revision: 8;
527
528 cn: KeyRecoveryAgent;
529 displayName: Key Recovery Agent;
530 flags: 196640;
531 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.6;
532 msPKI-Certificate-Name-Flag: -2113929216;
533 msPKI-Enrollment-Flag: 39;
534 msPKI-Minimal-Key-Size: 2048;
535 msPKI-Private-Key-Flag: 16;
536 msPKI-RA-Application-Policies: 1.3.6.1.4.1.311.21.6;
50 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 537 msPKI-RA-Signature: 1;
538 msPKI-Template-Minor-Revision: 1;
539 msPKI-Template-Schema-Version: 2;
540 name: KeyRecoveryAgent;
541 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
542 pKIDefaultKeySpec: 1;
543 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
544 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.6;
545 pKIKeyUsage: 0x20 0x00
546 pKIMaxIssuingDepth: 0;
547 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
548 revision: 105;
549
550 cn: Machine;
551 displayName: Computer;
552 flags: 197216;
553 msPKI-Certificate-Name-Flag: 402653184;
554 msPKI-Enrollment-Flag: 32;
555 msPKI-Minimal-Key-Size: 1024;
556 msPKI-Private-Key-Flag: 0;
557 msPKI-RA-Signature: 0;
558 msPKI-Template-Minor-Revision: 1;
559 msPKI-Template-Schema-Version: 1;
560 name: Machine;
561 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
562 pKIDefaultKeySpec: 1;
563 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
564 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
565 pKIKeyUsage: 0xa0 0x00
566 pKIMaxIssuingDepth: 0;
567 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
51 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 568 revision: 5;
569
570 cn: MachineEnrollmentAgent;
571 displayName: Enrollment Agent (Computer);
572 flags: 66144;
573 msPKI-Certificate-Name-Flag: 402653184;
574 msPKI-Enrollment-Flag: 32;
575 msPKI-Minimal-Key-Size: 1024;
576 msPKI-Private-Key-Flag: 0;
577 msPKI-RA-Signature: 0;
578 msPKI-Template-Minor-Revision: 1;
579 msPKI-Template-Schema-Version: 1;
580 name: MachineEnrollmentAgent;
581 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
582 2,Microsoft Base Cryptographic Provider v1.0;
583 1,Microsoft Enhanced Cryptographic Provider v1.0;
584 pKIDefaultKeySpec: 2;
585 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
586 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
587 pKIKeyUsage: 0x80 0x00
588 pKIMaxIssuingDepth: 0;
589 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
590 revision: 5;
591
592 cn: OfflineRouter;
593 displayName: Router (Offline request);
594 flags: 66113;
595 msPKI-Certificate-Name-Flag: 1;
596 msPKI-Enrollment-Flag: 0;
597 msPKI-Minimal-Key-Size: 1024;
598 msPKI-Private-Key-Flag: 0;
52 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 599 msPKI-RA-Signature: 0;
600 msPKI-Template-Minor-Revision: 1;
601 msPKI-Template-Schema-Version: 1;
602 name: OfflineRouter;
603 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
604 pKIDefaultKeySpec: 1;
605 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
606 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
607 pKIKeyUsage: 0xa0 0x00
608 pKIMaxIssuingDepth: 0;
609 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
610 revision: 4;
611
612
613 cn: RASAndIASServer;
614 displayName: RAS and IAS Server;
615 flags: 197216;
616 msPKI-Certificate-Application-Policy (2):
617 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
618 msPKI-Certificate-Name-Flag: 1207959552;
619 msPKI-Enrollment-Flag: 32;
620 msPKI-Minimal-Key-Size: 1024;
621 msPKI-Private-Key-Flag: 0;
622 msPKI-RA-Signature: 0;
623 msPKI-Supersede-Templates: NTDEVComputer;
624 msPKI-Template-Minor-Revision: 0;
625 msPKI-Template-Schema-Version: 2;
626 name: RASAndIASServer;
627 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
628 pKIDefaultKeySpec: 1;
629 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
53 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 630 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
631 pKIKeyUsage: 0xa0 0x00
632 pKIMaxIssuingDepth: 0;
633 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
634 revision: 104;
635
636 cn: SmartcardLogon;
637 displayName: Smartcard Logon;
638 flags: 197120;
639 msPKI-Certificate-Name-Flag: -2113929216;
640 msPKI-Enrollment-Flag: 0;
641 msPKI-Minimal-Key-Size: 512;
642 msPKI-Private-Key-Flag: 0;
643 msPKI-RA-Signature: 0;
644 msPKI-Template-Minor-Revision: 1;
645 msPKI-Template-Schema-Version: 1;
646 name: SmartcardLogon;
647 pKIDefaultKeySpec: 1;
648 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
649 pKIExtendedKeyUsage (2):
650 1.3.6.1.4.1.311.20.2.2; 1.3.6.1.5.5.7.3.2;
651 pKIKeyUsage: 0xa0 0x00
652 pKIMaxIssuingDepth: 0;
653 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
654 revision: 6;
655
656 cn: SmartcardUser;
657 displayName: Smartcard User;
658 flags: 197130;
659 msPKI-Certificate-Name-Flag: -1509949440;
660 msPKI-Enrollment-Flag: 9;
54 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 661 msPKI-Minimal-Key-Size: 512;
662 msPKI-Private-Key-Flag: 0;
663 msPKI-RA-Signature: 0;
664 msPKI-Template-Minor-Revision: 1;
665 msPKI-Template-Schema-Version: 1;
666 name: SmartcardUser;
667 pKIDefaultKeySpec: 1;
668 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
669 pKIExtendedKeyUsage (3):
670 1.3.6.1.4.1.311.20.2.2; 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
671 pKIKeyUsage: 0xa0 0x00
672 pKIMaxIssuingDepth: 0;
673 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
674 revision: 11;
675
676 cn: SubCA;
677 displayName: Subordinate Certification Authority;
678 flags: 197329;
679 msPKI-Certificate-Name-Flag: 1;
680 msPKI-Enrollment-Flag: 0;
681 msPKI-Minimal-Key-Size: 1024;
682 msPKI-Private-Key-Flag: 16;
683 msPKI-RA-Signature: 0;
684 msPKI-Template-Minor-Revision: 1;
685 msPKI-Template-Schema-Version: 1;
686 name: SubCA;
687 pKICriticalExtensions: 2.5.29.19;
688 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
689 pKIDefaultKeySpec: 2;
690 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF
691 pKIKeyUsage: 0x86 0x00
55 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 692 pKIMaxIssuingDepth: -1;
693 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
694 revision: 5;
695
696 cn: User;
697 displayName: User;
698 flags: 197178;
699 msPKI-Certificate-Name-Flag: -1509949440;
700 msPKI-Enrollment-Flag: 41;
701 msPKI-Minimal-Key-Size: 1024;
702 msPKI-Private-Key-Flag: 16;
703 msPKI-RA-Signature: 0;
704 msPKI-Template-Minor-Revision: 1;
705 msPKI-Template-Schema-Version: 1;
706 name: User;
707 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0;
708 1,Microsoft Enhanced Cryptographic Provider v1.0;
709 pKIDefaultKeySpec: 1;
710 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
711 pKIExtendedKeyUsage (3): 1.3.6.1.4.1.311.10.3.4; 1.3.6.1.5.5.7.3.4;
712 1.3.6.1.5.5.7.3.2;
713 pKIKeyUsage: 0xa0 0x00
714 pKIMaxIssuingDepth: 0;
715 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
716 revision: 3;
717
718 cn: UserSignature;
719 displayName: User Signature Only;
720 flags: 197154;
721 msPKI-Certificate-Name-Flag: -1509949440;
722 msPKI-Enrollment-Flag: 32;
56 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 723 msPKI-Minimal-Key-Size: 1024;
724 msPKI-Private-Key-Flag: 0;
725 msPKI-RA-Signature: 0;
726 msPKI-Template-Minor-Revision: 1;
727 msPKI-Template-Schema-Version: 1;
728 name: UserSignature;
729 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider;
730 2,Microsoft Base Cryptographic Provider v1.0;
731 1,Microsoft Enhanced Cryptographic Provider v1.0;
732 pKIDefaultKeySpec: 2;
733 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
734 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
735 pKIKeyUsage: 0x80 0x00
736 pKIMaxIssuingDepth: 0;
737 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
738 revision: 4;
739
740 cn: WebServer;
741 displayName: Web Server;
742 flags: 66113;
743 msPKI-Certificate-Name-Flag: 1;
744 msPKI-Enrollment-Flag: 0;
745 msPKI-Minimal-Key-Size: 1024;
746 msPKI-Private-Key-Flag: 0;
747 msPKI-RA-Signature: 0;
748 msPKI-Template-Minor-Revision: 1;
749 msPKI-Template-Schema-Version: 1;
750 name: WebServer;
751 pKIDefaultCSPs (2): 2,Microsoft DH SChannel Cryptographic Provider;
752 1,Microsoft RSA SChannel Cryptographic Provider;
753 pKIDefaultKeySpec: 1;
57 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 754 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF
755 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1;
756 pKIKeyUsage: 0xa0 0x00
757 pKIMaxIssuingDepth: 0;
758 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
759 revision: 4;
760
761 cn: Workstation;
762 displayName: Workstation Authentication;
763 flags: 197216;
764 msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2;
765 msPKI-Certificate-Name-Flag: 134217728;
766 msPKI-Enrollment-Flag: 32;
767 msPKI-Minimal-Key-Size: 1024;
768 msPKI-Private-Key-Flag: 0;
769 msPKI-RA-Signature: 0;
770 msPKI-Template-Minor-Revision: 0;
771 msPKI-Template-Schema-Version: 2;
772 name: Workstation;
773 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
774 pKIDefaultKeySpec: 1;
775 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF
776 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
777 pKIKeyUsage: 0xa0 0x00
778 pKIMaxIssuingDepth: 0;
779 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF
780 revision: 104;
781
782
58 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 <41> Section 3: The following is the list of the default certificate templates and their attribute values that are installed to Active Directory by Windows Vista and later clients and by Windows Server 2008 and later servers.
783
784 cn: Administrator;
785 displayName: Administrator;
786 flags: 66106;
787 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.7;
788 msPKI-Certificate-Name-Flag: -1509949440;
789 msPKI-Enrollment-Flag: 41;
790 msPKI-Minimal-Key-Size: 2048;
791 msPKI-Private-Key-Flag: 16;
792 msPKI-RA-Signature: 0;
793 msPKI-Template-Minor-Revision: 1;
794 msPKI-Template-Schema-Version: 1;
795 name: Administrator;
796 pKICriticalExtensions: 2.5.29.15;
797 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
798 pKIDefaultKeySpec: 1;
799 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
800 pKIExtendedKeyUsage (4): 1.3.6.1.4.1.311.10.3.1; 1.3.6.1.4.1.311.10.3.4; 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
801 pKIKeyUsage: 0xA0 0x00;
802 pKIMaxIssuingDepth: 0;
803 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
804 revision: 4;
805
806 cn: CA;
807 displayName: Root Certification Authority;
808 flags: 65745;
809 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.17;
59 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 810 msPKI-Certificate-Name-Flag: 1;
811 msPKI-Enrollment-Flag: 0;
812 msPKI-Minimal-Key-Size: 1024;
813 msPKI-Private-Key-Flag: 16;
814 msPKI-RA-Signature: 0;
815 msPKI-Template-Minor-Revision: 1;
816 msPKI-Template-Schema-Version: 1;
817 name: CA;
818 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.19;
819 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
820 pKIDefaultKeySpec: 2;
821 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF;
822 pKIKeyUsage: 0x86 0x00;
823 pKIMaxIssuingDepth: -1;
824 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
825 revision: 5;
826
827 cn: CAExchange;
828 displayName: CA Exchange;
829 flags: 65600;
830 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.26;
831 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.5;
832 msPKI-Certificate-Name-Flag: 1;
833 msPKI-Enrollment-Flag: 1;
834 msPKI-Minimal-Key-Size: 2048;
835 msPKI-Private-Key-Flag: 0;
836 msPKI-RA-Signature: 0;
837 msPKI-Template-Minor-Revision: 0;
838 msPKI-Template-Schema-Version: 2;
839 name: CAExchange;
60 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 840 pKICriticalExtensions: 2.5.29.15;
841 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
842 pKIDefaultKeySpec: 1;
843 pKIExpirationPeriod: 0x00 0xC0 0x1B 0xD7 0x7F 0xFA 0xFF 0xFF;
844 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.5;
845 pKIKeyUsage: 0x20 0x00;
846 pKIMaxIssuingDepth: 0;
847 pKIOverlapPeriod: 0x00 0x40 0x96 0xD5 0x36 0xFF 0xFF 0xFF;
848 revision: 106;
849
850 cn: CEPEncryption;
851 displayName: CEP Encryption;
852 flags: 66113;
853 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.22;
854 msPKI-Certificate-Name-Flag: 1;
855 msPKI-Enrollment-Flag: 0;
856 msPKI-Minimal-Key-Size: 1024;
857 msPKI-Private-Key-Flag: 0;
858 msPKI-RA-Signature: 0;
859 msPKI-Template-Minor-Revision: 1;
860 msPKI-Template-Schema-Version: 1;
861 name: CEPEncryption;
862 pKICriticalExtensions: 2.5.29.15;
863 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
864 pKIDefaultKeySpec: 1;
865 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
866 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
867 pKIKeyUsage: 0x20 0x00;
868 pKIMaxIssuingDepth: 0;
869 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
61 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 870 revision: 4;
871
872 cn: ClientAuth;
873 displayName: Authenticated Session;
874 flags: 66080;
875 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.4;
876 msPKI-Certificate-Name-Flag: -2113929216;
877 msPKI-Enrollment-Flag: 32;
878 msPKI-Minimal-Key-Size: 2048;
879 msPKI-Private-Key-Flag: 0;
880 msPKI-RA-Signature: 0;
881 msPKI-Template-Minor-Revision: 1;
882 msPKI-Template-Schema-Version: 1;
883 name: ClientAuth;
884 pKICriticalExtensions: 2.5.29.15;
885 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
886 pKIDefaultKeySpec: 2;
887 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
888 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
889 pKIKeyUsage: 0x80 0x00;
890 pKIMaxIssuingDepth: 0;
891 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
892 revision: 3;
893
894 cn: CodeSigning;
895 displayName: Code Signing;
896 flags: 66080;
897 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.9;
898 msPKI-Certificate-Name-Flag: -2113929216;
62 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 899 msPKI-Enrollment-Flag: 32;
900 msPKI-Minimal-Key-Size: 2048;
901 msPKI-Private-Key-Flag: 0;
902 msPKI-RA-Signature: 0;
903 msPKI-Template-Minor-Revision: 1;
904 msPKI-Template-Schema-Version: 1;
905 name: CodeSigning;
906 pKICriticalExtensions: 2.5.29.15;
907 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
908 pKIDefaultKeySpec: 2;
909 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
910 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.3;
911 pKIKeyUsage: 0x80 0x00;
912 pKIMaxIssuingDepth: 0;
913 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
914 revision: 3;
915
916 cn: CrossCA;
917 displayName: Cross Certification Authority;
918 flags: 67600;
919 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.25;
920 msPKI-Certificate-Name-Flag: 1;
921 msPKI-Enrollment-Flag: 8;
922 msPKI-Minimal-Key-Size: 1024;
923 msPKI-Private-Key-Flag: 16;
924 msPKI-RA-Application-Policies: 1.3.6.1.4.1.311.10.3.10;
925 msPKI-RA-Signature: 1;
926 msPKI-Template-Minor-Revision: 0;
927 msPKI-Template-Schema-Version: 2;
928 name: CrossCA;
63 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 929 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.19;
930 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
931 pKIDefaultKeySpec: 2;
932 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF;
933 pKIKeyUsage: 0x86 0x00;
934 pKIMaxIssuingDepth: -1;
935 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
936 revision: 105;
937
938 cn: CTLSigning;
939 displayName: Trust List Signing;
940 flags: 66080;
941 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.10;
942 msPKI-Certificate-Name-Flag: -2113929216;
943 msPKI-Enrollment-Flag: 32;
944 msPKI-Minimal-Key-Size: 2048;
945 msPKI-Private-Key-Flag: 0;
946 msPKI-RA-Signature: 0;
947 msPKI-Template-Minor-Revision: 1;
948 msPKI-Template-Schema-Version: 1;
949 name: CTLSigning;
950 pKICriticalExtensions: 2.5.29.15;
951 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
952 pKIDefaultKeySpec: 2;
953 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
954 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.1;
955 pKIKeyUsage: 0x80 0x00;
956 pKIMaxIssuingDepth: 0;
957 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
958 revision: 3;
64 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 959
960 cn: DirectoryEmailReplication;
961 displayName: Directory Email Replication;
962 flags: 65632;
963 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.29;
964 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.19;
965 msPKI-Certificate-Name-Flag: 150994944;
966 msPKI-Enrollment-Flag: 41;
967 msPKI-Minimal-Key-Size: 2048;
968 msPKI-Private-Key-Flag: 0;
969 msPKI-RA-Signature: 0;
970 msPKI-Supersede-Templates: DomainController;
971 msPKI-Template-Minor-Revision: 0;
972 msPKI-Template-Schema-Version: 2;
973 name: DirectoryEmailReplication;
974 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.17;
975 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
976 pKIDefaultKeySpec: 1;
977 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
978 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.19;
979 pKIKeyUsage: 0xA0 0x00;
980 pKIMaxIssuingDepth: 0;
981 pKIOverlapPeriod: 00 80 A6 0A FF DE FF FF;
982 revision: 115;
983
984 cn: DomainController;
985 displayName: Domain Controller;
986 flags: 66156;
987 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.15;
988 msPKI-Certificate-Name-Flag: 419430400;
65 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 989 msPKI-Enrollment-Flag: 41;
990 msPKI-Minimal-Key-Size: 2048;
991 msPKI-Private-Key-Flag: 0;
992 msPKI-RA-Signature: 0;
993 msPKI-Template-Minor-Revision: 1;
994 msPKI-Template-Schema-Version: 1;
995 name: DomainController;
996 pKICriticalExtensions: 2.5.29.15;
997 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
998 pKIDefaultKeySpec: 1;
999 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1000 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
1001 pKIKeyUsage: 0xA0 0x00;
1002 pKIMaxIssuingDepth: 0;
1003 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1004 revision: 4;
1005
1006 cn: DomainControllerAuthentication;
1007 displayName: Domain Controller Authentication;
1008 flags: 65632;
1009 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.28;
1010 msPKI-Certificate-Application-Policy (3): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1; 1.3.6.1.4.1.311.20.2.2;
1011 msPKI-Certificate-Name-Flag: 134217728;
1012 msPKI-Enrollment-Flag: 32;
1013 msPKI-Minimal-Key-Size: 2048;
1014 msPKI-Private-Key-Flag: 0;
1015 msPKI-RA-Signature: 0;
1016 msPKI-Supersede-Templates: DomainController;
1017 msPKI-Template-Minor-Revision: 0;
1018 msPKI-Template-Schema-Version: 2;
66 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1019 name: DomainControllerAuthentication;
1020 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.17;
1021 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1022 pKIDefaultKeySpec: 1;
1023 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1024 pKIExtendedKeyUsage (3): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1; 1.3.6.1.4.1.311.20.2.2;
1025 pKIKeyUsage: 0xA0 0x00;
1026 pKIMaxIssuingDepth: 0;
1027 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1028 revision: 110;
1029
1030 cn: EFS;
1031 displayName: Basic EFS;
1032 flags: 66104;
1033 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.6;
1034 msPKI-Certificate-Name-Flag: -2113929216;
1035 msPKI-Enrollment-Flag: 41;
1036 msPKI-Minimal-Key-Size: 2048;
1037 msPKI-Private-Key-Flag: 16;
1038 msPKI-RA-Signature: 0;
1039 msPKI-Template-Minor-Revision: 1;
1040 msPKI-Template-Schema-Version: 1;
1041 name: EFS;
1042 pKICriticalExtensions: 2.5.29.15;
1043 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1044 pKIDefaultKeySpec: 1;
1045 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1046 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.4;
1047 pKIKeyUsage: 0x20 0x00;
67 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1048 pKIMaxIssuingDepth: 0;
1049 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1050 revision: 3;
1051
1052 cn: EFSRecovery;
1053 displayName: EFS Recovery Agent;
1054 flags: 66096;
1055 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.8;
1056 msPKI-Certificate-Name-Flag: -2113929216;
1057 msPKI-Enrollment-Flag: 33;
1058 msPKI-Minimal-Key-Size: 2048;
1059 msPKI-Private-Key-Flag: 16;
1060 msPKI-RA-Signature: 0;
1061 msPKI-Template-Minor-Revision: 1;
1062 msPKI-Template-Schema-Version: 1;
1063 name: EFSRecovery;
1064 pKICriticalExtensions: 2.5.29.15;
1065 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1066 pKIDefaultKeySpec: 1;
1067 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF;
1068 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.10.3.4.1;
1069 pKIKeyUsage: 0x20 0x00;
1070 pKIMaxIssuingDepth: 0;
1071 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1072 revision: 6;
1073
1074 cn: EnrollmentAgent;
1075 displayName: Enrollment Agent;
1076 flags: 66080;
68 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1077 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.11;
1078 msPKI-Certificate-Name-Flag: -2113929216;
1079 msPKI-Enrollment-Flag: 32;
1080 msPKI-Minimal-Key-Size: 2048;
1081 msPKI-Private-Key-Flag: 0;
1082 msPKI-RA-Signature: 0;
1083 msPKI-Template-Minor-Revision: 1;
1084 msPKI-Template-Schema-Version: 1;
1085 name: EnrollmentAgent;
1086 pKICriticalExtensions: 2.5.29.15;
1087 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1088 pKIDefaultKeySpec: 2;
1089 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1090 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
1091 pKIKeyUsage: 0x80 0x00;
1092 pKIMaxIssuingDepth: 0;
1093 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1094 revision: 4;
1095
1096 cn: EnrollmentAgentOffline;
1097 displayName: Exchange Enrollment Agent (Offline request);
1098 flags: 66049;
1099 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.12;
1100 msPKI-Certificate-Name-Flag: 1;
1101 msPKI-Enrollment-Flag: 0;
1102 msPKI-Minimal-Key-Size: 1024;
1103 msPKI-Private-Key-Flag: 0;
1104 msPKI-RA-Signature: 0;
1105 msPKI-Template-Minor-Revision: 1;
69 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1106 msPKI-Template-Schema-Version: 1;
1107 name: EnrollmentAgentOffline;
1108 pKICriticalExtensions: 2.5.29.15;
1109 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1110 pKIDefaultKeySpec: 2;
1111 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1112 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
1113 pKIKeyUsage: 0x80 0x00;
1114 pKIMaxIssuingDepth: 0;
1115 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1116 revision: 4;
1117
1118 cn: ExchangeUser;
1119 displayName: Exchange User;
1120 flags: 66065;
1121 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.23;
1122 msPKI-Certificate-Name-Flag: 1;
1123 msPKI-Enrollment-Flag: 1;
1124 msPKI-Minimal-Key-Size: 2048;
1125 msPKI-Private-Key-Flag: 16;
1126 msPKI-RA-Signature: 0;
1127 msPKI-Template-Minor-Revision: 1;
1128 msPKI-Template-Schema-Version: 1;
1129 name: ExchangeUser;
1130 pKICriticalExtensions: 2.5.29.15;
1131 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1132 pKIDefaultKeySpec: 1;
1133 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1134 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4;
70 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1135 pKIKeyUsage: 0x20 0x00;
1136 pKIMaxIssuingDepth: 0;
1137 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1138 revision: 7;
1139
1140 cn: ExchangeUserSignature;
1141 displayName: Exchange Signature Only;
1142 flags: 66049;
1143 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.24;
1144 msPKI-Certificate-Name-Flag: 1;
1145 msPKI-Enrollment-Flag: 0;
1146 msPKI-Minimal-Key-Size: 2048;
1147 msPKI-Private-Key-Flag: 0;
1148 msPKI-RA-Signature: 0;
1149 msPKI-Template-Minor-Revision: 1;
1150 msPKI-Template-Schema-Version: 1;
1151 name: ExchangeUserSignature;
1152 pKICriticalExtensions: 2.5.29.15;
1153 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1154 pKIDefaultKeySpec: 2;
1155 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1156 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.4;
1157 pKIKeyUsage: 0x80 0x00;
1158 pKIMaxIssuingDepth: 0;
1159 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1160 revision: 6;
1161
1162 cn: IPSECIntermediateOffline;
1163 displayName: IPSec (Offline request);
1164 flags: 66113;
71 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1165 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.20;
1166 msPKI-Certificate-Name-Flag: 1;
1167 msPKI-Enrollment-Flag: 0;
1168 msPKI-Minimal-Key-Size: 1024;
1169 msPKI-Private-Key-Flag: 0;
1170 msPKI-RA-Signature: 0;
1171 msPKI-Template-Minor-Revision: 1;
1172 msPKI-Template-Schema-Version: 1;
1173 name: IPSECIntermediateOffline;
1174 pKICriticalExtensions: 2.5.29.15;
1175 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1176 pKIDefaultKeySpec: 1;
1177 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1178 pKIExtendedKeyUsage: 1.3.6.1.5.5.8.2.2;
1179 pKIKeyUsage: 0xA0 0x00;
1180 pKIMaxIssuingDepth: 0;
1181 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1182 revision: 7;
1183
1184 cn: IPSECIntermediateOnline;
1185 displayName: IPSec;
1186 flags: 66144;
1187 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.19;
1188 msPKI-Certificate-Name-Flag: 402653184;
1189 msPKI-Enrollment-Flag: 32;
1190 msPKI-Minimal-Key-Size: 2048;
1191 msPKI-Private-Key-Flag: 0;
1192 msPKI-RA-Signature: 0;
1193 msPKI-Template-Minor-Revision: 1;
1194 msPKI-Template-Schema-Version: 1;
72 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1195 name: IPSECIntermediateOnline;
1196 pKICriticalExtensions: 2.5.29.15;
1197 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1198 pKIDefaultKeySpec: 1;
1199 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1200 pKIExtendedKeyUsage: 1.3.6.1.5.5.8.2.2;
1201 pKIKeyUsage: 0xA0 0x00;
1202 pKIMaxIssuingDepth: 0;
1203 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1204 revision: 8;
1205
1206 cn: KerberosAuthentication;
1207 displayName: Kerberos Authentication;
1208 flags: 65632;
1209 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.33;
1210 msPKI-Certificate-Application-Policy (4): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1; 1.3.6.1.4.1.311.20.2.2; 1.3.6.1.5.2.3.5;
1211 msPKI-Certificate-Name-Flag: 138412032;
1212 msPKI-Enrollment-Flag: 32;
1213 msPKI-Minimal-Key-Size: 2048;
1214 msPKI-Private-Key-Flag: 0;
1215 msPKI-RA-Signature: 0;
1216 msPKI-Template-Minor-Revision: 0;
1217 msPKI-Template-Schema-Version: 2;
1218 name: KerberosAuthentication;
1219 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.17;
1220 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1221 pKIDefaultKeySpec: 1;
1222 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1223 pKIExtendedKeyUsage (4): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1; 1.3.6.1.4.1.311.20.2.2; 1.3.6.1.5.2.3.5;
73 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1224 pKIKeyUsage: 0xA0 0x00;
1225 pKIMaxIssuingDepth: 0;
1226 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1227 revision: 110;
1228
1229 cn: KeyRecoveryAgent;
1230 displayName: Key Recovery Agent;
1231 flags: 65568;
1232 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.27;
1233 msPKI-Certificate-Application-Policy: 1.3.6.1.4.1.311.21.6;
1234 msPKI-Certificate-Name-Flag: -2113929216;
1235 msPKI-Enrollment-Flag: 39;
1236 msPKI-Minimal-Key-Size: 2048;
1237 msPKI-Private-Key-Flag: 16;
1238 msPKI-RA-Signature: 0;
1239 msPKI-Template-Minor-Revision: 0;
1240 msPKI-Template-Schema-Version: 2;
1241 name: KeyRecoveryAgent;
1242 pKICriticalExtensions: 2.5.29.15;
1243 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
1244 pKIDefaultKeySpec: 1;
1245 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1246 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.21.6;
1247 pKIKeyUsage: 0x20 0x00;
1248 pKIMaxIssuingDepth: 0;
1249 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1250 revision: 105;
1251
1252 cn: Machine;
1253 displayName: Computer;
74 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1254 flags: 66144;
1255 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.14;
1256 msPKI-Certificate-Name-Flag: 402653184;
1257 msPKI-Enrollment-Flag: 32;
1258 msPKI-Minimal-Key-Size: 2048;
1259 msPKI-Private-Key-Flag: 0;
1260 msPKI-RA-Signature: 0;
1261 msPKI-Template-Minor-Revision: 1;
1262 msPKI-Template-Schema-Version: 1;
1263 name: Machine;
1264 pKICriticalExtensions: 2.5.29.15;
1265 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1266 pKIDefaultKeySpec: 1;
1267 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1268 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
1269 pKIKeyUsage: 0xA0 0x00;
1270 pKIMaxIssuingDepth: 0;
1271 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1272 revision: 5;
1273
1274 cn: MachineEnrollmentAgent;
1275 displayName: Enrollment Agent (Computer);
1276 flags: 66144;
1277 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.13;
1278 msPKI-Certificate-Name-Flag: 402653184;
1279 msPKI-Enrollment-Flag: 32;
1280 msPKI-Minimal-Key-Size: 2048;
1281 msPKI-Private-Key-Flag: 0;
1282 msPKI-RA-Signature: 0;
1283 msPKI-Template-Minor-Revision: 1;
75 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1284 msPKI-Template-Schema-Version: 1;
1285 name: MachineEnrollmentAgent;
1286 pKICriticalExtensions: 2.5.29.15;
1287 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1288 pKIDefaultKeySpec: 2;
1289 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1290 pKIExtendedKeyUsage: 1.3.6.1.4.1.311.20.2.1;
1291 pKIKeyUsage: 0x80 0x00;
1292 pKIMaxIssuingDepth: 0;
1293 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1294 revision: 5;
1295
1296 cn: OCSPResponseSigning;
1297 displayName: OCSP Response Signing;
1298 flags: 66112;
1299 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.32;
1300 msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.9;
1301 msPKI-Certificate-Name-Flag: 402653184;
1302 msPKI-Enrollment-Flag: 4096;
1303 msPKI-Minimal-Key-Size: 2048;
1304 msPKI-Private-Key-Flag: 0;
1305 msPKI-RA-Application-Policies: msPKI-Asymmetric-Algorithm`PZPWSTR`RSA`msPKI-Hash- Algorithm`PZPWSTR`SHA1`msPKI-Key-Security-Descriptor`PZPWSTR`D:(A;;FA;;;BA)(A;;FA;;;SY) (A;;GR;;;S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419)`msPKI-Key- Usage`DWORD`2`;
1306 msPKI-RA-Signature: 0;
1307 msPKI-Template-Minor-Revision: 0;
1308 msPKI-Template-Schema-Version: 3;
1309 name: OCSPResponseSigning;
1310 pKICriticalExtensions: 2.5.29.15;
1311 pKIDefaultKeySpec: 2;
76 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1312 pKIExpirationPeriod: 0x00 0x80 0x37 0xAE 0xFF 0xF4 0xFF 0xFF;
1313 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.9;
1314 pKIKeyUsage: 0x80 0x00;
1315 pKIMaxIssuingDepth: 0;
1316 pKIOverlapPeriod: 0x00 0x80 0x2C 0xAB 0x6D 0xFE 0xFF 0xFF;
1317 revision: 101;
1318
1319 cn: OfflineRouter;
1320 displayName: Router (Offline request);
1321 flags: 66113;
1322 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.21;
1323 msPKI-Certificate-Name-Flag: 1;
1324 msPKI-Enrollment-Flag: 0;
1325 msPKI-Minimal-Key-Size: 2048;
1326 msPKI-Private-Key-Flag: 0;
1327 msPKI-RA-Signature: 0;
1328 msPKI-Template-Minor-Revision: 1;
1329 msPKI-Template-Schema-Version: 1;
1330 name: OfflineRouter;
1331 pKICriticalExtensions: 2.5.29.15;
1332 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1333 pKIDefaultKeySpec: 1;
1334 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1335 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
1336 pKIKeyUsage: 0xA0 0x00;
1337 pKIMaxIssuingDepth: 0;
1338 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1339 revision: 4;
1340
1341 cn: RASAndIASServer;
77 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1342 displayName: RAS and IAS Server;
1343 flags: 66144;
1344 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.31;
1345 msPKI-Certificate-Application-Policy (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
1346 msPKI-Certificate-Name-Flag: 1207959552;
1347 msPKI-Enrollment-Flag: 32;
1348 msPKI-Minimal-Key-Size: 2048;
1349 msPKI-Private-Key-Flag: 0;
1350 msPKI-RA-Signature: 0;
1351 msPKI-Template-Minor-Revision: 0;
1352 msPKI-Template-Schema-Version: 2;
1353 name: RASAndIASServer;
1354 pKICriticalExtensions: 2.5.29.15;
1355 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1356 pKIDefaultKeySpec: 1;
1357 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1358 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.5.5.7.3.1;
1359 pKIKeyUsage: 0xA0 0x00;
1360 pKIMaxIssuingDepth: 0;
1361 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1362 revision: 101;
1363
1364 cn: SmartcardLogon;
1365 displayName: Smartcard Logon;
1366 flags: 66048;
1367 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.5;
1368 msPKI-Certificate-Name-Flag: -2113929216;
1369 msPKI-Enrollment-Flag: 0;
1370 msPKI-Minimal-Key-Size: 512;
1371 msPKI-Private-Key-Flag: 0;
78 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1372 msPKI-RA-Signature: 0;
1373 msPKI-Template-Minor-Revision: 1;
1374 msPKI-Template-Schema-Version: 1;
1375 name: SmartcardLogon;
1376 pKICriticalExtensions: 2.5.29.15;
1377 pKIDefaultKeySpec: 1;
1378 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1379 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.2; 1.3.6.1.4.1.311.20.2.2;
1380 pKIKeyUsage: 0xA0 0x00;
1381 pKIMaxIssuingDepth: 0;
1382 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1383 revision: 6;
1384
1385 cn: SmartcardUser;
1386 displayName: Smartcard User;
1387 flags: 66058;
1388 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.3;
1389 msPKI-Certificate-Name-Flag: -1509949440;
1390 msPKI-Enrollment-Flag: 9;
1391 msPKI-Minimal-Key-Size: 512;
1392 msPKI-Private-Key-Flag: 0;
1393 msPKI-RA-Signature: 0;
1394 msPKI-Template-Minor-Revision: 1;
1395 msPKI-Template-Schema-Version: 1;
1396 name: SmartcardUser;
1397 pKICriticalExtensions: 2.5.29.15;
1398 pKIDefaultKeySpec: 1;
1399 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1400 pKIExtendedKeyUsage (3): 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2; 1.3.6.1.4.1.311.20.2.2;
1401 pKIKeyUsage: 0xA0 0x00;
79 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1402 pKIMaxIssuingDepth: 0;
1403 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1404 revision: 11;
1405
1406 cn: SubCA;
1407 displayName: Subordinate Certification Authority;
1408 flags: 66257;
1409 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.18;
1410 msPKI-Certificate-Name-Flag: 1;
1411 msPKI-Enrollment-Flag: 0;
1412 msPKI-Minimal-Key-Size: 1024;
1413 msPKI-Private-Key-Flag: 16;
1414 msPKI-RA-Signature: 0;
1415 msPKI-Template-Minor-Revision: 1;
1416 msPKI-Template-Schema-Version: 1;
1417 name: SubCA;
1418 pKICriticalExtensions (2): 2.5.29.15; 2.5.29.19;
1419 pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0;
1420 pKIDefaultKeySpec: 2;
1421 pKIExpirationPeriod: 0x00 0x40 0x1E 0xA4 0xE8 0x65 0xFA 0xFF;
1422 pKIKeyUsage: 0x86 0x00;
1423 pKIMaxIssuingDepth: -1;
1424 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1425 revision: 5;
1426
1427 cn: User;
1428 displayName: User;
1429 flags: 66106;
1430 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.1;
1431 msPKI-Certificate-Name-Flag: -1509949440;
80 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1432 msPKI-Enrollment-Flag: 41;
1433 msPKI-Minimal-Key-Size: 2048;
1434 msPKI-Private-Key-Flag: 16;
1435 msPKI-RA-Signature: 0;
1436 msPKI-Template-Minor-Revision: 1;
1437 msPKI-Template-Schema-Version: 1;
1438 name: User;
1439 pKICriticalExtensions: 2.5.29.15;
1440 pKIDefaultCSPs (2): 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1441 pKIDefaultKeySpec: 1;
1442 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1443 pKIExtendedKeyUsage (3): 1.3.6.1.4.1.311.10.3.4; 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
1444 pKIKeyUsage: 0xA0 0x00;
1445 pKIMaxIssuingDepth: 0;
1446 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1447 revision: 3;
1448
1449 cn: UserSignature;
1450 displayName: User Signature Only;
1451 flags: 66082;
1452 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.2;
1453 msPKI-Certificate-Name-Flag: -1509949440;
1454 msPKI-Enrollment-Flag: 32;
1455 msPKI-Minimal-Key-Size: 2048;
1456 msPKI-Private-Key-Flag: 0;
1457 msPKI-RA-Signature: 0;
1458 msPKI-Template-Minor-Revision: 1;
1459 msPKI-Template-Schema-Version: 1;
1460 name: UserSignature;
81 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1461 pKICriticalExtensions: 2.5.29.15;
1462 pKIDefaultCSPs (3): 3,Microsoft Base DSS Cryptographic Provider; 2,Microsoft Base Cryptographic Provider v1.0; 1,Microsoft Enhanced Cryptographic Provider v1.0;
1463 pKIDefaultKeySpec: 2;
1464 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1465 pKIExtendedKeyUsage (2): 1.3.6.1.5.5.7.3.4; 1.3.6.1.5.5.7.3.2;
1466 pKIKeyUsage: 0x80 0x00;
1467 pKIMaxIssuingDepth: 0;
1468 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1469 revision: 4;
1470
1471 cn: WebServer;
1472 displayName: Web Server;
1473 flags: 66113;
1474 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.16;
1475 msPKI-Certificate-Name-Flag: 1;
1476 msPKI-Enrollment-Flag: 0;
1477 msPKI-Minimal-Key-Size: 2048;
1478 msPKI-Private-Key-Flag: 0;
1479 msPKI-RA-Signature: 0;
1480 msPKI-Template-Minor-Revision: 1;
1481 msPKI-Template-Schema-Version: 1;
1482 name: WebServer;
1483 pKICriticalExtensions: 2.5.29.15;
1484 pKIDefaultCSPs (2): 2,Microsoft DH SChannel Cryptographic Provider; 1,Microsoft RSA SChannel Cryptographic Provider;
1485 pKIDefaultKeySpec: 1;
1486 pKIExpirationPeriod: 0x00 0x80 0x72 0x0E 0x5D 0xC2 0xFD 0xFF;
1487 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.1;
1488 pKIKeyUsage: 0xA0 0x00;
1489 pKIMaxIssuingDepth: 0;
82 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1490 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1491 revision: 4;
1492
1493 cn: Workstation;
1494 displayName: Workstation Authentication;
1495 flags: 66144;
1496 msPKI-Cert-Template-OID: 1.3.6.1.4.1.311.21.8.11034890.834619.12601478.16236816.7255827.176.1.30;
1497 msPKI-Certificate-Application-Policy: 1.3.6.1.5.5.7.3.2;
1498 msPKI-Certificate-Name-Flag: 134217728;
1499 msPKI-Enrollment-Flag: 32;
1500 msPKI-Minimal-Key-Size: 2048;
1501 msPKI-Private-Key-Flag: 0;
1502 msPKI-RA-Signature: 0;
1503 msPKI-Template-Minor-Revision: 0;
1504 msPKI-Template-Schema-Version: 2;
1505 name: Workstation;
1506 pKICriticalExtensions: 2.5.29.15;
1507 pKIDefaultCSPs: 1,Microsoft RSA SChannel Cryptographic Provider;
1508 pKIDefaultKeySpec: 1;
1509 pKIExpirationPeriod: 0x00 0x40 0x39 0x87 0x2E 0xE1 0xFE 0xFF;
1510 pKIExtendedKeyUsage: 1.3.6.1.5.5.7.3.2;
1511 pKIKeyUsage: 0xA0 0x00;
1512 pKIMaxIssuingDepth: 0;
1513 pKIOverlapPeriod: 0x00 0x80 0xA6 0x0A 0xFF 0xDE 0xFF 0xFF;
1514 revision: 101;
1515
83 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 1516 Change Tracking This section identifies changes that were made to this document since the last release. Changes are classified as Major, Minor, or None. The revision class Major means that the technical content in the document was significantly revised. Major changes affect protocol interoperability or implementation. Examples of major changes are: § A document revision that incorporates changes to interoperability requirements. § A document revision that captures changes to protocol functionality. The revision class Minor means that the meaning of the technical content was clarified. Minor changes do not affect protocol interoperability or implementation. Examples of minor changes are updates to clarify ambiguity at the sentence, paragraph, or table level. The revision class None means that no new technical changes were introduced. Minor editorial and formatting changes may have been made, but the relevant technical content is identical to the last released version. The changes made to this document are listed in the following table. For more information, please contact [email protected]. Revision Section Description class
5 Appendix A: Product Added Windows Server to the list of applicable products and Major Behavior modified several product behavior notes. Index A permission bits - sets 16 pKICriticalExtensions 18 Access control - security 30 pKIDefaultCSPs 18 Applicability 12 pKIDefaultKeySpec 18 Attributes pKIEnrollmentAccess 18 cn 13 pKIExpirationPeriod 19 displayName 13 pKIExtendedKeyUsage 19 distinguishedName 13 pKIKeyUsage 19 flags 13 pKIMaxIssuingDepth 19 msPKI-Certificate-Application-Policy 22 pKIOverlapPeriod 19 msPKI-Certificate-Name-Flag 26 revision 18 msPKI-Certificate-Policy 22 Auditing - security 30 msPKI-Cert-Template-OID 20 msPKI-Enrollment-Flag 22 msPKI-Minimal-Key-Size 20 C msPKI-Private-Key-Flag 25 msPKI-RA-Application-Policies Change tracking 56 overview 20 cn attribute 13 version 1 templates 20 Common data types and fields 13 version 2 templates 20 version 3 templates 20 D version 4 templates (section 2.23.1 20, section 2.23.2 20) Data types and fields - common 13 msPKI-RA-Policies 20 Details msPKI-RA-Signature 19 cn attribute 13 msPKI-Supersede-Templates 20 common data types and fields 13 msPKI-Template-Minor-Revision 19 displayName attribute 13 msPKI-Template-Schema-Version 19 distinguishedName attribute 13 ntSecurityDescriptor flags attribute 13 end entity msPKI-Certificate-Application-Policy attribute 22 autoenrollment permission 15 msPKI-Certificate-Name-Flag attribute 26 enrollment permission 14 msPKI-Certificate-Policy attribute 22 overview 14 msPKI-Cert-Template-OID attribute 20
84 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 msPKI-Enrollment-Flag attribute 22 msPKI-RA-Application-Policies attribute msPKI-Minimal-Key-Size attribute 20 overview 20 msPKI-Private-Key-Flag attribute 25 version 1 templates 20 msPKI-RA-Application-Policies attribute version 2 templates 20 overview 20 version 3 templates 20 version 1 templates 20 version 4 templates (section 2.23.1 20, section version 2 templates 20 2.23.2 20) version 3 templates 20 msPKI-RA-Policies attribute 20 version 4 templates (section 2.23.1 20, section msPKI-RA-Signature attribute 19 2.23.2 20) msPKI-Supersede-Templates attribute 20 msPKI-RA-Policies attribute 20 msPKI-Template-Minor-Revision attribute 19 msPKI-RA-Signature attribute 19 msPKI-Template-Schema-Version attribute 19 msPKI-Supersede-Templates attribute 20 msPKI-Template-Minor-Revision attribute 19 N msPKI-Template-Schema-Version attribute 19 ntSecurityDescriptor attribute Normative references 11 end entity ntSecurityDescriptor attribute autoenrollment permission 15 end entity enrollment permission 14 autoenrollment permission 15 overview 14 enrollment permission 14 permission bits - sets 16 overview 14 pKICriticalExtensions attribute 18 permission bits - sets 16 pKIDefaultCSPs attribute 18 pKIDefaultKeySpec attribute 18 pKIEnrollmentAccess attribute 18 O pKIExpirationPeriod attribute 19 pKIExtendedKeyUsage attribute 19 Overview (synopsis) 12 pKIKeyUsage attribute 19 pKIMaxIssuingDepth attribute 19 P pKIOverlapPeriod attribute 19 revision attribute 18 pKICriticalExtensions attribute 18 displayName attribute 13 pKIDefaultCSPs attribute 18 distinguishedName attribute 13 pKIDefaultKeySpec attribute 18 pKIEnrollmentAccess attribute 18 E pKIExpirationPeriod attribute 19 pKIExtendedKeyUsage attribute 19 Example 28 pKIKeyUsage attribute 19 pKIMaxIssuingDepth attribute 19 F pKIOverlapPeriod attribute 19 Policy - security 30 Product behavior 31 Fields - vendor-extensible 12 flags attribute 13 R G References 11 informative 11 Glossary 7 normative 11 Relationship to other protocols 12 I Relationship to protocols and other structures 12 revision attribute 18 Informative references 11 Introduction 7 S
L Security access control 30 Localization 12 auditing 30 policy 30 M Structures cn attribute 13 displayName attribute 13 msPKI-Certificate-Application-Policy attribute 22 distinguishedName attribute 13 msPKI-Certificate-Name-Flag attribute 26 flags attribute 13 msPKI-Certificate-Policy attribute 22 msPKI-Certificate-Application-Policy attribute 22 msPKI-Cert-Template-OID attribute 20 msPKI-Certificate-Name-Flag attribute 26 msPKI-Enrollment-Flag attribute 22 msPKI-Certificate-Policy attribute 22 msPKI-Minimal-Key-Size attribute 20 msPKI-Cert-Template-OID attribute 20 msPKI-Private-Key-Flag attribute 25
85 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017 msPKI-Enrollment-Flag attribute 22 pKICriticalExtensions attribute 18 msPKI-Minimal-Key-Size attribute 20 pKIDefaultCSPs attribute 18 msPKI-Private-Key-Flag attribute 25 pKIDefaultKeySpec attribute 18 msPKI-RA-Application-Policies attribute pKIEnrollmentAccess attribute 18 overview 20 pKIExpirationPeriod attribute 19 version 1 templates 20 pKIExtendedKeyUsage attribute 19 version 2 templates 20 pKIKeyUsage attribute 19 version 3 templates 20 pKIMaxIssuingDepth attribute 19 version 4 templates (section 2.23.1 20, section pKIOverlapPeriod attribute 19 2.23.2 20) revision attribute 18 msPKI-RA-Policies attribute 20 msPKI-RA-Signature attribute 19 T msPKI-Supersede-Templates attribute 20 msPKI-Template-Minor-Revision attribute 19 Tracking changes 56 msPKI-Template-Schema-Version attribute 19 ntSecurityDescriptor attribute end entity V autoenrollment permission 15 enrollment permission 14 Vendor-extensible fields 12 overview 14 Versioning 12 permission bits - sets 16 overview 13
86 / 86 [MS-CRTD] - v20170915 Certificate Templates Structure Copyright © 2017 Microsoft Corporation Release: September 15, 2017