Create or Identify Templates

The Keyfactor Windows Enrollment Gateway uses certificate templates stored in the local Active Directory that map to certificate templates hosted in the managed forest to support enrollment for certificates from the managed CA. When you enroll for a certificate via the gateway, you make a request using the local Active Directory template, and the corresponding managed forest certificate template is requested.

Templates are configured in the local environment and are mapped to EJBCA templates from the managed instance of Keyfactor Command. Templates can only be mapped if they share the same key type (e.g. RSA) and if their key sizes are compatible (see Key Size).

Note:  When EJBCA templates are imported into Keyfactor Command, they are made up of a combination of an EJBCA end entity profile and a certificate profile and named using a naming scheme of:
  • Short Name: <end entity profile name>_<certificate profile name>
  • Display Name: <end entity profile name> (<certificate profile name>)

Only certificate profiles configured as available in a given end entity profile will be imported as templates associated with the given end entity profile name.

Creating Local Templates

If you have a Microsoft enterprise CA, you can easily create these templates using the Microsoft CA certificate templates MMC snap-in. If you don’t have a Microsoft enterprise CA, you can install the Microsoft Remote Server Administration Tools (RSAT) for Windows (see Add Remote Server Administration Tools) and use the Certificate Templates tool within this to manage templates. When you open the Certificate Templates tool for the first time (you’ll need to open it manually in an MMC or from the command line—certtmpl.msc—it does not appear on the menu), you’ll be offered the option to add the default templates into Active Directory. Doing so will create the necessary starter templates to work from. You can also create the necessary starter templates from the command line using this command:

certutil -installdefaulttemplates

Figure 712: Install Default Certificate Templates in Environments without a Microsoft CA

Note:  Keyfactor recommends using schema version 2 or later templates wherever possible.

Figure 713: Microsoft Template Schema Version

Template Attributes

The key attributes about templates that matter for the purposes of gateway enrollment are:

  • Subject Name

    The gateway supports both Supply in the request and Build from this Active Directory information. In the case of the latter, the Active Directory information is retrieved from the local forest, not the managed forest.

    When a machine or user certificate is issued with a template that has either the User principal name (UPN) or Service principal name (SPN) SAN boxes checked, and the subject's account does not have a value for UserPrincipalName:

    • If the account enrolling is a machine, the PrincipalName SAN will be set to samAccountName$@domain.fqdn.

    • If the account enrolling is a user, the PrincipalName SAN will be set to samAccountName@domain.fqdn.

  • Issuance Requirements: Authorized Signatures

    The gateway supports use of the This number of authorized signatures policy and accompanying settings in support of use of an enrollment agent certificate to enroll for certificates on behalf of another user (see Configure the Enrollment Agent Certificate (Optional)).

  • Validity Period

    The lifetime for an issued certificate is based on the validity period set in the EJBCA certificate profile, not the validity period set in the Microsoft template. Work with your Keyfactor Customer Success Manager to configure the appropriate validity periods for your EJBCA certificate profiles. You may find it helpful to set the validity periods on your Microsoft templates to the same values, but they do not need to be configured this way. If the values are out of sync, you will see a warning message in the gateway log indicating that there is a validity period mismatch on the template.

Template Permissions

The service account that the gateway is running as (by default, Network Service) needs read permissions on the templates that will be configured for enrollment from the local environment, and users who will be enrolling need read and enroll permissions on these templates. The user completing the gateway installation needs read permissions on the templates from the local environment in order to complete the installation.

In a multi-domain environment, it's important to use the correct type of Active Directory group when assigning these permissions to allow permissions to be queried across domain boundaries. For more information about types of Active Directory groups, see:

The templates mapped to local templates must have CSR enrollment enabled in their default enrollment pattern. Permissions also need to be granted in Keyfactor Command for the gateway service account (see Preparing Keyfactor Command for the Gateway).

For auto-enrollment when the Publish certificate to Active Directory option is selected on the template, the service account user needs to be added to the certificate publishers group.
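The following PowerShell script is an added example, not Keyfactor's own tooling, that audits the local Active Directory templates against the points above: the schema version 2 or later recommendation, read permission for the gateway service account, and read plus enroll permission for the enrolling users. It assumes the ActiveDirectory RSAT module is installed, and the group name CONTOSO\Gateway-Enrollers is a constructed placeholder.

```powershell
# Added example (not Keyfactor code): audit local AD certificate templates for gateway enrollment.
# Assumes the ActiveDirectory RSAT module; replace the two identity names with your own values.
Import-Module ActiveDirectory

$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # default gateway service account per the docs
$EnrollerGroup  = 'CONTOSO\Gateway-Enrollers'      # constructed placeholder: group that will enroll
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Test-TemplateAce {
    # True if a direct Allow ACE for $Identity grants every bit in $Rights; for extended rights,
    # the ACE must name the Enroll GUID or carry an empty ObjectType (all extended rights).
    param(
        $Acl,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType = [Guid]::Empty
    )
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if (($ace.ActiveDirectoryRights -band $Rights) -ne $Rights) { continue }
        if ($ObjectType -eq [Guid]::Empty -or
            $ace.ObjectType -eq [Guid]::Empty -or
            $ace.ObjectType -eq $ObjectType) { return $true }
    }
    return $false
}

# Templates live in the Configuration partition, which is shared across the forest
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor |
ForEach-Object {
    $acl = $_.nTSecurityDescriptor
    [pscustomobject]@{
        Template       = $_.Name
        SchemaVersion  = $_.'msPKI-Template-Schema-Version'   # Keyfactor recommends 2 or later
        ServiceRead    = Test-TemplateAce $acl $ServiceAccount GenericRead
        EnrollerRead   = Test-TemplateAce $acl $EnrollerGroup  GenericRead
        EnrollerEnroll = Test-TemplateAce $acl $EnrollerGroup  ExtendedRight $EnrollGuid
    }
} | Sort-Object Template | Format-Table -AutoSize
```

The check only inspects ACEs granted directly to the named identities, so rights inherited through nested group membership are not resolved; "Read" in the Certificate Templates console corresponds to GenericRead on the template object.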