Skip to main content

Create the Digital Signature certificate template

  1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.

  2. Click your Certificate Authority to expand the root folder.

    Root Folder

  3. To set the user permissions, right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.

    Certificate Templates Console

  4. Scroll the template list, right-click the PIV - PIV Authentication template and select Duplicate Template. The Properties of New Template dialog box appears.

    Piv Digital Signature

  5. Click the General tab, and configure the following settings:

    1. In the Template display name field, enter PIV - Digital Signature. The Template name field is filled in automatically with the template display name (with no spaces).
    2. Optional. Select Publish certificate in Active Directory.

  6. Click the Request Handling tab.

  7. From the Purpose drop-down list, select Signature.

    When asked to confirm the change, click Yes.

    Request Handling Confirmation

  8. Click the Extensions tab.

  9. Select Application Policies, and then click Edit. The Edit Application Policies Extension dialog box appears.

  10. Add the Secure Email policy to the list of application policies, as follows:

    1. On the Edit Application Policies Extension dialog box, click Add. The Add Application Policy dialog box appears.
    2. Scroll the Application policies list and select Secure Email, and then click OK.
    3. On the Edit Application Policies Extension dialog box, remove the application policies that are not required.
    4. Select Any Purpose and click Remove.
    5. Select Client Authentication and click Remove.
    6. Select Smart Card Logon and click Remove.
    7. Click OK to close the dialog box.

  11. In the Extensions tab, select Issuance Policies and then click Edit. The Edit Issuance Policies dialog box appears.

    1. Select id-fpki-common-authentication and then click Remove.
    2. Click OK.

  12. If you selected to Publish certificate in Active Directory, complete the following:

    1. Click the Issuance Requirements tab.
    2. Select The number of authorized signatures and enter 1 in the text box.
    3. From the Policy type required in signature drop-down list, select Application policy.
    4. From the Application policy drop-down list, select Certificate Request Agent.

  13. Click OK to close the open dialog boxes to return to the Certificate Templates Console.

    The PIV - Digital Certificate certificate template is added to the list of templates.