Using a custom template for Subordinate CAs

Problem: You have an Enterprise Root CA installed and want your SubCA to have a lifetime of 10 years, but the default SubCA template is only valid for 5 years.

Solution: When a SubCA is installed, it attempts to read the CertificateTemplate entry under the [RequestAttributes] section of the capolicy.inf file in %systemroot% (usually C:\Windows). If there is no such entry in capolicy.inf, the system defaults to requesting the built-in SubCA template, both for fresh installs and for renewals of the SubCA certificate.

In other words, the capolicy.inf should also contain the following:

    [RequestAttributes]
    CertificateTemplate = <your custom SubCA template>

Note that this is in addition to any other parameters that you want to configure for the SubCA.

If you copy the existing SubCA template to a custom template, make sure the administrator performing the enrollment has Enroll permissions on it, then put the template name into the capolicy.inf file on the SubCA. The SubCA should then request its CA certificate from the custom template.

The actual validity period is determined by three things:

- The maximum lifetime of the template
- The expiration period of the issuing CA
- Registry settings on the issuing CA (the Root CA issues the SubCA certificate)

The smallest of the three values is the one actually used; for example, a CA will not issue a certificate that outlives its own CA certificate, even if the template being used would allow it.

Note that the template information only comes into play if the issuing CA is an Enterprise Root CA or an Enterprise Subordinate CA.
If you submit the request to a standalone Microsoft Root CA, it will accept the template name and stamp it on the issued certificate, but the validity period will be based only on its registry settings and the lifetime of its own CA certificate (whichever is shorter).
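Putting the two halves together, as an added example that is not part of the original post: the capolicy.inf on the future SubCA, and the registry cap on the issuing Root CA, with checks for the two other limits. The template name CustomSubCA10y is a placeholder, and each step is run in an elevated PowerShell session on the machine named in its comment.

```powershell
# Added example, not from the original post. Placeholder template name:
# CustomSubCA10y (substitute the name of your copied SubCA template).

# --- Step 1: on the machine that will become the SubCA ---------------------
# capolicy.inf is read from %systemroot% at install time and again when the
# SubCA certificate is renewed, so the custom template is requested both times.
# Single-quoted here-string so PowerShell does not expand "$Windows NT$".
$caPolicy = @'
[Version]
Signature="$Windows NT$"

[RequestAttributes]
CertificateTemplate=CustomSubCA10y
'@
Set-Content -Path (Join-Path $env:SystemRoot 'CAPolicy.inf') -Value $caPolicy -Encoding Ascii

# --- Step 2: on the issuing (Root) CA --------------------------------------
# Show the current registry cap, then raise it so a 10-year request is not
# silently clipped. The setting only takes effect after certsvc restarts.
certutil -getreg ca\ValidityPeriodUnits
certutil -getreg ca\ValidityPeriod
certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
Restart-Service certsvc

# --- Step 3: checks against the remaining limits ---------------------------
# The Root CA's own NotAfter still wins if it is sooner than 10 years out.
$rootCert = Join-Path $env:TEMP 'rootca.cer'
certutil -ca.cert $rootCert
certutil -dump $rootCert | Select-String 'NotAfter'

# After the SubCA has enrolled, confirm the issued certificate came from the
# custom template and carries the expected NotAfter (path is a placeholder).
# certutil -dump C:\path\to\issued-subca.cer | Select-String 'Template|NotAfter'
```

If the template's own validity period is shorter than 10 years, the issued certificate is clipped to that value regardless of the registry setting, so check the copied template's validity period in the Certificate Templates console as well.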

How to Set an Enterprise Subordinate CA to Have a Different Certificate Validity Period than the Parent CA
http://support.microsoft.com/kb/281557

Walkthrough (Planning and Implementing Cross-Certification and Qualified Subordination Using Windows Server 2003)
http://technet.microsoft.com/en-us/library/cc787276.aspx

Appendix B – CAPolicy.inf
http://technet.microsoft.com/en-us/library/cc775815.aspx

CAPolicy.inf Syntax
http://technet.microsoft.com/en-us/library/cc728279.aspx

Windows Server 2008 R2 CAPolicy.inf Syntax
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx