Certificate Templates

During initial provisioning, the certificate templates in the primary Active Directory forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. (the forest in which Keyfactor Command is installed) will be imported automatically by the Keyfactor Command configuration wizard. Templates for additional forests can be imported in a number of ways:

• For Microsoft CAs domain-joined to forests in a two-way trust with the primary forest, you can use the Import Templates option at any time.
• For Microsoft CAs domain-joined to forests in a one-way trust with the primary forest or to a forest having no trust with the primary forest, you can use the Import Templates option after you have configured a CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. record for at least one Microsoft CA in the non-primary forest and enabled the Use Explicit Credentials option with credentials for the non-primary forest.
• For EJBCA CAs, you can use the Import Templates option after you have configured a CA record for at least one EJBCA CA.
• For CAs accessed with the CA Connector The Keyfactor CA Connector is installed in the customer environment to provide a connection between a CA and Keyfactor Command when a direct connection is not possible. It is supported on both Windows and Linux and has versions for Microsoft (Windows only) or EJBCA CAs. Client, you can use the Import Templates option after you have configured a CA record for at least one CA.
• Templates that are associated with certificates that have been requested from a Microsoft CA in a forest other than the primary forest will appear in the templates grid as those certificates are synchronized to Keyfactor Command if you configure CA synchronization for the CA even if you don't use the import option.
• There's an automated process to import templates once every hour, on the hour. Templates are imported for Microsoft CAs in the primary forest, Microsoft CAs in any forests in a two-way trust with the primary forest, CAs accessed with an instance of the CA Connector Client, and any CAs that can be reached using the credentials configured in the CA record (the Use Explicit Credentials option for Microsoft CAs or the client certificate for EJBCA CAs). The automated template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. import only runs for CAs for which there is an active CA synchronization job configured.

You will need to import templates if you add a new template or change the name or key size The key size or key length is the number of bits in a key used by a cryptographic algorithm. of a template after it has been imported into Keyfactor Command and don't want to wait for the automated import process (see Importing Certificate Templates).

Certificate templates need to be configured to support PFX A PFX file (personal information exchange format), also known as a PKCS#12 archive, is a single, password-protected certificate archive that contains both the public and matching private key and, optionally, the certificate chain. It is a common format for Windows servers. and CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). (see Configuring Template Options).

Figure 263: Certificate Templates