Create Custom SCEP Templates (Optional)

This step is optional. If you prefer to use the built-in CEP Encryption and Exchange Enrollment Agent (Offline request) certificate templates, you may skip this step. Note that these built-in templates are version 1 templates, so their settings cannot be edited, and they support a maximum key size of 1024 bits.

To create custom templates that replace the built-in ones and support stronger keys:

  1. On the CA that will issue the SCEP certificates, open the Certification Authority management tool.
  2. In the Certification Authority management tool, drill down to locate the Certificate Templates folder. Right-click the Certificate Templates folder and choose Manage. This will open the Certificate Templates Console.
  3. In the Certificate Templates Console, right-click the CEP Encryption template and choose Duplicate Template.
  4. If prompted with a Duplicate Template dialog (some versions of Windows), choose Windows Server 2003 Enterprise and click OK.
  5. General Tab: In the Properties of New Template dialog on the General tab, enter Keyfactor SCEP Encryption (or an alternate name of your choosing) in the Template display name field. The Template name will be auto-populated based on the text you enter in the Template display name. Select a validity period for the certificate that’s appropriate for your environment.
  6. Cryptography Tab: In the Properties of New Template dialog on the Cryptography tab, set a Minimum key size that’s appropriate for your environment (2048 bits or larger).
  7. Security Tab: In the Properties of New Template dialog on the Security tab, grant Read and Enroll permissions on the template to the SCEP server machine account if you plan to enroll for the certificates using the Microsoft Certificates MMC, or to the appropriate user or group if you plan to enroll for the certificates using the Keyfactor Command Management Portal.
  8. Click OK to save the new template.
  9. In the Certificate Templates Console, right-click the Keyfactor SCEP Encryption template you just created and choose Duplicate Template.
  10. If prompted with a Duplicate Template dialog (some versions of Windows), choose Windows Server 2003 Enterprise and click OK.
  11. General Tab: In the Properties of New Template dialog on the General tab, enter Keyfactor SCEP Signing (or an alternate name of your choosing) in the Template display name field. The Template name will be auto-populated based on the text you enter in the Template display name. Select a validity period for the certificate that’s appropriate for your environment.
  12. Request Handling Tab: In the Properties of the New Template dialog on the Request Handling tab, change the Purpose of the template from Encryption to Signature.
  13. Extensions Tab: In the Properties of New Template dialog on the Extensions tab, review the configuration for Key Usage and confirm that both Digital signature and Signature is proof of origin (nonrepudiation) are checked and no other options are configured.
  14. Click OK to save the new template.
  15. Back in the Certification Authority management tool, right-click the Certificate Templates folder and choose New->Certificate Template to Issue. Select the Keyfactor SCEP Encryption and Keyfactor SCEP Signing templates from the list presented and click OK.
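Once both templates are created and published, it is worth confirming that the settings the procedure above configures actually landed in Active Directory, since the Certificate Templates Console gives no single view of key size, key usage, permissions and publication together. The PowerShell script below is an added example and is not part of the Keyfactor documentation or product; it reads the two templates back out of the AD configuration partition with the built-in `[ADSI]` type accelerator (no RSAT module required) and checks the schema version, minimum key size, validity period, key usage, the SCEP server account's Read and Enroll permissions, and publication on the CA. It assumes the auto-generated template names `KeyfactorSCEPEncryption` and `KeyfactorSCEPSigning` (the display names from steps 5 and 11 with spaces removed), a CA whose object name is `Corp-Issuing-CA`, and a SCEP server machine account `CORP\NDES01$`; all three are placeholders to replace with your own values.

```powershell
<#
  Added verification script, not part of the Keyfactor documentation or product.
  Checks the custom SCEP templates against the settings configured in steps 5-15.
  Assumed (edit to match): template names KeyfactorSCEPEncryption / KeyfactorSCEPSigning,
  CA object name Corp-Issuing-CA, SCEP server machine account CORP\NDES01$.
#>
param(
    [string]$CaName      = 'Corp-Issuing-CA',   # cn of the CA under Enrollment Services (assumed)
    [string]$ScepAccount = 'CORP\NDES01$',      # SCEP server machine account (assumed)
    [int]   $MinKeySize  = 2048                 # step 6
)

$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # "Enroll" extended right GUID
$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase     = "CN=Public Key Services,CN=Services,$configNc"

# Key-usage bits as stored in byte 0 of pKIKeyUsage (same bit order as the X.509 KeyUsage BIT STRING)
$KU_DigitalSignature = 0x80; $KU_NonRepudiation = 0x40; $KU_KeyEncipherment = 0x20

$script:failures = 0
function Report([string]$Label, [bool]$Ok, [string]$Detail) {
    '{0} {1,-52} {2}' -f ($(if ($Ok) { 'PASS' } else { 'FAIL' }), $Label, $Detail)
    if (-not $Ok) { $script:failures++ }
}

function Get-TemplateEntry([string]$Name) {
    $path = "LDAP://CN=$Name,CN=Certificate Templates,$pkiBase"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) { throw "Template '$Name' not found in AD" }
    [ADSI]$path
}

function Test-ScepAcl($Entry) {
    # Only direct ACEs for the account are examined; rights granted through group membership are not resolved.
    $rules  = $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $mine   = @($rules | Where-Object { $_.IdentityReference.Value -eq $ScepAccount -and $_.AccessControlType -eq 'Allow' })
    $read   = @($mine | Where-Object {
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0 })
    $enroll = @($mine | Where-Object {
        $_.ObjectType -eq $EnrollRight -and
        ([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0 })
    ($read.Count -gt 0) -and ($enroll.Count -gt 0)
}

function Test-Template([string]$Name, [int]$RequiredKu, [int]$ForbiddenKu) {
    $t = Get-TemplateEntry $Name
    "== $Name =="
    $schema = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    Report 'schema version >= 2 (Windows Server 2003 Enterprise)' ($schema -ge 2) "msPKI-Template-Schema-Version=$schema"

    $keySize = [int]$t.Properties['msPKI-Minimal-Key-Size'].Value
    Report "minimum key size >= $MinKeySize" ($keySize -ge $MinKeySize) "msPKI-Minimal-Key-Size=$keySize"

    # pKIExpirationPeriod is a negative 64-bit interval in 100 ns units (FILETIME-style)
    $ticks = [BitConverter]::ToInt64([byte[]]$t.Properties['pKIExpirationPeriod'].Value, 0)
    $days  = [TimeSpan]::FromTicks(-$ticks).TotalDays
    Report 'validity period set' ($days -gt 0) ('validity={0:N0} days' -f $days)

    $ku   = ([byte[]]$t.Properties['pKIKeyUsage'].Value)[0]
    $kuOk = (($ku -band $RequiredKu) -eq $RequiredKu) -and (($ku -band $ForbiddenKu) -eq 0)
    Report 'key usage as expected' $kuOk ('pKIKeyUsage[0]=0x{0:X2}' -f $ku)

    Report "$ScepAccount has Read + Enroll (step 7)" (Test-ScepAcl $t) 'direct ACEs only'
}

# Encryption template: duplicated from CEP Encryption, so it keeps Key Encipherment
Test-Template 'KeyfactorSCEPEncryption' -RequiredKu $KU_KeyEncipherment -ForbiddenKu 0
# Signing template: Digital Signature + Nonrepudiation and nothing else (step 13)
$sigKu = $KU_DigitalSignature -bor $KU_NonRepudiation
Test-Template 'KeyfactorSCEPSigning' -RequiredKu $sigKu -ForbiddenKu (0xFF -bxor $sigKu)

# Step 15: both templates must be published on the issuing CA
$caPath = "LDAP://CN=$CaName,CN=Enrollment Services,$pkiBase"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($caPath)) { throw "CA '$CaName' not found under Enrollment Services" }
$published = @(([ADSI]$caPath).Properties['certificateTemplates'])
foreach ($n in 'KeyfactorSCEPEncryption', 'KeyfactorSCEPSigning') {
    Report "$n published on $CaName" ($published -contains $n) ('{0} templates published' -f $published.Count)
}
exit $script:failures
```

Run it from a domain-joined machine as a user who can read the configuration partition (any authenticated user can); a non-zero exit code means at least one check failed. Two limitations to keep in mind: the permission check looks only at ACEs granted directly to the machine account, so a Read/Enroll grant made through a group shows as FAIL even though enrollment would work, and the key-usage check covers byte 0 of pKIKeyUsage only, so it will not flag the Decipher Only flag in byte 1. `certutil -v -template KeyfactorSCEPSigning` shows the same attributes in raw form if you prefer to inspect one template by hand.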