Difference between version 2 and version 3 certificate templates

First and foremost, v2 templates can be modified by an Enterprise Admin. In addition, the Admin can duplicate an existing v1 or v2 template to create a new v2 template, and then customize the result. Finally, v2 templates expose a larger number of configurable properties, and also expose controls for some of the other new features introduced in Windows Server. One of these features, for example, is key archival.

Version 3 templates were introduced in Windows Server. Version 3 templates have all the features of a version 2 template with two major additions. The second is a setting that instructs Windows to grant the Network Service account access to the private key created on the requesting computer.

This is great for those certificates that will be used by applications or services that run as Network Service rather than Local System. For the purpose of example, I am going to use a fictional company called Fabrikam.

The next step is to look at which templates they can use out of the box and which ones they need to modify to suit their purposes. Fabrikam has decided that they need to deploy the following certificate templates: Domain Controller Authentication, Web Server, and User. In addition, because Key Archival is to be enabled for the User template, the CA should also be configured to issue certificates based on the Key Recovery Agent template. Actually, this is not a requirement if there is another Windows Enterprise CA in the environment that is configured to issue Key Recovery Agent certificates and is trusted to do so.

The next step is to configure the certificate templates. Next, locate the Web Server template. The default Web Server template already meets the current requirements that arose from an analysis of business needs. However, to allow for future changes, Fabrikam has decided to duplicate this default template and create a v2 template.

This article helps fix an issue where CNG (v3) templates don't appear in the Advanced Certificate Request template pulldown menu.

When using the certificate web enrollment page on a Windows Server or Windows Server R2 server, the new Version 3 templates (also known as CNG or v3 templates) don't appear in the Advanced Certificate Request template pulldown menu. As a result, web enrollment using a CNG template can't take place. When this occurs, certificates based on the same templates can still be requested and enrolled successfully using other enrollment methods.

In other words, you can successfully request a certificate from that template using the Certificates MMC snap-in, a script, autoenrollment, or an exported request. The issue is confined to web enrollment, which does not make Version 3 templates available for selection. Other common causes of being unable to request a certificate at all are that the server isn't an Enterprise CA, or that the requestor doesn't have Read Allow and Request Allow permissions on the template in Active Directory.

This behavior is by design. Version 3 templates may have additional request requirements that the web enrollment method can't fulfill. Use a different request method for these certificates.
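As an added example (not code from the original article or from Microsoft), the following PowerShell script ties the two preceding topics together: it inventories the certificate templates in the AD configuration partition, reports each template's schema version so the v3 (CNG) templates that web enrollment will not offer stand out, shows which Enterprise CA publishes each template (so a Key Recovery Agent template that nobody issues, as in the Fabrikam scenario, is visible), and checks whether a given principal holds the Read and Enroll permissions on each template. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the configuration partition; the principal name FABRIKAM\Domain Users is a constructed sample value, and the extended-right GUID is the standard Certificate-Enrollment right.

```powershell
# Added example, not part of the original article: inventory AD CS templates,
# flag the ones web enrollment will not offer, show which CA publishes each,
# and check a principal's Read/Enroll access on the template object.
Import-Module ActiveDirectory

# Constructed sample principal; replace with the requestor you are checking.
$PrincipalToCheck = 'FABRIKAM\Domain Users'

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tmplBase = "CN=Certificate Templates,$pkiBase"
$caBase   = "CN=Enrollment Services,$pkiBase"

# Extended right GUID for Certificate-Enrollment ("Enroll" in the template ACL editor).
$enrollRight = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$adRights    = [System.DirectoryServices.ActiveDirectoryRights]

# Map template name -> list of Enterprise CAs configured to issue it.
$published = @{}
Get-ADObject -SearchBase $caBase -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        foreach ($t in $_.certificateTemplates) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $_.Name
        }
    }

function Test-TemplateAccess {
    param([string]$DistinguishedName, [string]$Identity)
    # Looks for Allow ACEs granted directly to $Identity on the template object.
    # Nested group membership is not resolved; this is a direct-ACE check only.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $read = $false; $enroll = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $rights = $ace.ActiveDirectoryRights
        $full   = ($rights -band $adRights::GenericAll) -eq $adRights::GenericAll
        # ReadProperty is contained in GenericRead and GenericAll, so this catches all three.
        if ($full -or ($rights -band $adRights::ReadProperty)) { $read = $true }
        # Enroll is an extended right: either named explicitly or granted via "all extended rights".
        if ($full -or (($rights -band $adRights::ExtendedRight) -and
            ($ace.ObjectType -eq $enrollRight -or $ace.ObjectType -eq [guid]::Empty))) { $enroll = $true }
    }
    [pscustomobject]@{ Read = $read; Enroll = $enroll }
}

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        $ver    = [int]$_.'msPKI-Template-Schema-Version'
        $access = Test-TemplateAccess -DistinguishedName $_.DistinguishedName -Identity $PrincipalToCheck
        [pscustomobject]@{
            Template      = $_.displayName
            SchemaVersion = $ver
            # The legacy web enrollment page offers v1/v2 templates only; v3 (CNG) and later are not listed.
            WebEnrollment = if ($ver -ge 3) { 'not offered (CNG/v3+)' } else { 'offered' }
            IssuedBy      = if ($published.ContainsKey($_.Name)) { $published[$_.Name] -join ', ' } else { '(not published)' }
            Read          = $access.Read
            Enroll        = $access.Enroll
        }
    } | Sort-Object SchemaVersion, Template | Format-Table -AutoSize
```

Run it from a domain-joined workstation with RSAT; a row that shows "not offered (CNG/v3+)" explains a template missing from the web enrollment pulldown, while "(not published)" or Read/Enroll = False point at the other causes named above (no CA issues the template, or the requestor lacks the template permissions).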

The most recent version is 3 and this is the most used version. So for example, they are used for certificate chains. See the Wikipedia page on X.
