Skip to main content

Create the PIV - Content Signer (device) certificate template

  1. On the Microsoft CA machine, go to Tools and select Certification Authority.

  2. Click your Certificate Authority to expand the root folder.

    Root Folder

  3. To set the user permissions, right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.

    Certificate Templates Console

  4. Scroll the template list, right-click the PIV - PIV Authentication template and select Duplicate Template. The Properties of New Template dialog box appears.

    Piv Content Signer

  5. Click the General tab, and configure the following settings:

    1.  In the Template display name field, enter PIV - Content Signer (device). The Template name field is filled in automatically with the template display name (with no spaces).
    2.  Deselect Publish certificate in Active Directory.

  6. Click the Request Handling tab, and do the following:

    Piv Content Signer Request Handling

    1. From the Purpose drop-down list, select Signature.

      When asked to confirm the change, click Yes.

      Request Handling Confirmation

    2. Select Allow Private Key to be exported.

    3. Select Enroll subject without requiring any user input under "Do the following when the subject is enrolled and when the private key associated with this certificate is used."

  7. Click the Issuance Requirements tab, and do the following:

    Issuance Requirements

    1. Select This is the number of authorized signatures and enter 1 in the text box.
    2. From the Policy Type required signature drop-down list, select Application policy.
    3. From the Application Policy drop-down list, select Certificate Request Agent.

  8. Click the Subject Name tab, and do the following:

    Piv Content Signer Subject Name

    1. Select Build from this Active Directory information.
    2. Select Fully Distinguished Name from the Subject name format drop-down list.
    3. Select the User principal name (UPN) check box.

  9. Click the Extensions tab and do the following:

    Piv Content Signer Extensions

    1. Select Application Policies, and then click Edit. The Edit Application Policies Extension dialog box appears.
    2. Add the PIV Content Signing object identifier (PID) as follows:
      1. On the Edit Application Policies Extension dialog box, click Add. The Add Application Policy dialog box appears.
      2. Click New. The New Application Policy dialog box appears.
      3. In the Name field, enter PIV Content Signing.
      4. In the Object Identifier field, enter 2.16.840.1.101.3.6.7
      5. Click OK.
      6. Click OK again to return to the Edit Application Policies Extension dialog box.
    3. On the Edit Application Policies Extension dialog box, remove the application policies that are not required.
      1. Select Client Authentication and click Remove.
      2. Select Smart Card Logon and click Remove.
      3. Click OK to close the dialog box.
    4. Select Issuance Policies and then click Edit. The Edit Issuance Policies dialog box appears.
      1. On the Edit Issuance Policies dialog box, select id-fpki-common-authentication and then click Remove.
      2. Click OK to close the dialog box.

  10. Click the Security tab and under Permissions for Authenticated Users reduce the permissions to no more than Read.

  11. Add the <domain_user> and select Read and Enroll.

  12. Review the permissions for other users and groups in the list to make sure they follow your corporate access policy.

  13. Click OK to close the Properties dialog box. The PIV - PIV Content Signer certificate template is added to the list of templates.