MS CA - setup of Certificate Templates
- Stine Granviken
This information is written in English only
This guidance describes the certificate templates used in production of smartcards in Buypass Access Manager - the LRA client. If the CA, AD and CRL already are installed, and the only extra you need is to modify the templates in order to get started with LRA, this document will be enough.
This document defines how to add new templates before production startup.
Buypass Certificate Templates in Microsoft CA
Not all the templates should be based on the 2008 templates. This is because Buypass p.t. do not have support for the 2008 templates new crypto algorithms in our CSP used for smart card logon.
Also make sure that minimum "key size" is1024, but 2048 for client templates. Buypass smart cards do not support "key size" greater than 1024 p.t.
Buypass Access Manager – the LRA client needs a number of templates:
| Certificate Template Name | Description |
|---|---|
Certificate issued to the smart card for logon | |
Certificate issued to the smart card for temporary logon | |
Certificate issued to LRA ADM and LRA Operators so they will be able to issue logon certificates to regular users |
Too define each of the templates follow the links above in the table or the links to the right in Connected pages.
Certificates with validity more than 2 years
Microsoft has set a default validity period for all certificates to a maximum of 2 years. This must be adjusted to maximum 3 years since the user certificates will last that long.
You modify the profiles by running the commands:
certutil-setreg ca\ValidityPeriodUnits 3
net stop certsvc
net start certsvc
The command will tell you the old value and then change to the new value.
