Configuring a Certificate Template for Domain Controllers

Even with a certificate template for domain controllers that is supposedly simple to configure, there are a few things to keep in mind.

The certificate template should always start from the "Kerberos Authentication" certificate template.

Only the Kerberos Authentcation certificate template contains the CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS flag, which ensures that the domain name is entered in the Subject Alternative Name (SAN) extension of the issued certificate. See also article "Certificates for domain controllers do not contain the domain name in the Subject Alternative Name (SAN)„.

Certificate template configuration

General" tab

A meaningful name is assigned to the certificate template in the "General" tab. A naming convention should be used here to simplify later administration.

Cryptography" index card

The default settings can be left here. Even if elliptic curves via Key Storage Provider (KSP) can be used for the Active Directory domain services, this does not apply to the Active Directory Web Services (ADWS), which only support Cryptographic Service Provider.

It is therefore recommended to use the RSA algorithm with at least 3072 bit key length and to use a Cryptographic Service Provider.

Superseded Templates Tab

The Superseded Templates tab is where all the default certificate templates for domain controllers are entered, as well as any custom previous certificate templates. The default certificate templates for domain controllers are:

  • Domain controller
  • Domain Controller Authentication
  • Kerberos Authentication

See also article "Overview of the different generations of domain controller certificates„.

Extensions" tab

The "Application Policies" extension is being edited.

The following entries should always be removed:

  • Client Authentication
  • Smart Card Logon

Should it come to the issuance of forged domain controller certificates (e.g. through an NTLM relay attack or through Falsifying a corresponding account), the certificates cannot be used for a PKINIT logon on behalf of the domain controller (which could otherwise result in the Active Directory being compromised).

If you do not want to use PKINIT (also known as Smartcard Logon) across the enterprise, it is also recommended to remove the Extended Key Usage for "KDC" Authentication from the certificate template so that the domain controllers basically cannot process such logons.

If forged user certificates are issued (e.g. due to too extensive permissions on a certificate template, a insecurely configured certification authority or even their compromise), it is then not possible to log in with them (which could otherwise result in the Active Directory being compromised).

See also article "Attack vector on Active Directory directory service via smartcard logon mechanism„.

Subject Name" tab

The option is described in the article "About the "Build this from Active Directory information" option for certificate templates" described in more detail.

For compatibility reasons, it is recommended to set the "Subject Name" tab so that the subject of the issued certificates is filled with the server name of the domain controller ("Common Name" option).

By default, the subject will be empty, which is absolutely compliant with RFC 4514.

The client determines the type (e.g., DNS name or IP address) of the reference identity and performs a comparison between the reference identity and each subjectAltName value of the corresponding type until a match is produced.

RFC 4513 - Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

The server's identity may also be verified by comparing the reference identity to the Common Name (CN) [RFC4519] value in the leaf Relative Distinguished Name (RDN) of the subjectName field of the server's certificate. [...] Although the use of the Common Name value is existing practice, it is deprecated, and Certification Authorities are encouraged to provide subjectAltName values instead.

RFC 4513 - Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

However, applications that do not conform to this RFC (and such applications do exist in practice) will not be able to process the certificate.

If a subject is filled with the server name of the domain controller, and the application is compliant with RFC 4513, the subject is ignored anyway, so there is no disadvantage.

Security" tab

In the "Security" tab, it is important to ensure that only authorized persons can use the certificate template. edit can.

The rights for the certificate request can be taken from the underlying "Kerberos Authentication" certificate template.

Related links:

External sources