Since the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility for the certificate authority and certificate recipient when configuring a certificate template.
In the following, this function is described in more detail, as well as possible effects in practice.
For an overview of which options become available when changing each compatibility setting, see the article "Overview of the availability of options when changing the compatibility settings of a certificate template„.
The compatibility settings are available as a bitmask in the attribute msPKI private key flag mapped in the certificate template.
The msPKI private key flag two subordinate attributes:
- CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT
- CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT
Possible values for CTPRIVATEKEY_FLAG_SERVERVERSION_SHIFT
| Operating system | Flag | Value |
|---|---|---|
| Default setting | TEMPLATE_SERVER_VER_NONE | 0 |
| Windows Server 2003 | TEMPLATE_SERVER_VER_2003 | 10000 (65536) |
| Windows Server 2008 | TEMPLATE_SERVER_VER_2008 | 20000 (131072) |
| Windows Server 2008 R2 | TEMPLATE_SERVER_VER_2008R2 | 30000 (196608) |
| Windows Server 2012 | TEMPLATE_SERVER_VER_WIN8 | 40000 (262144) |
| Windows Server 2012 R2 | TEMPLATE_SERVER_VER_WINBLUE | 50000 (327680) |
| Windows Server 2016 | TEMPLATE_SERVER_VER_THRESHOLD | 60000 (393216) |
Possible values for CTPRIVATEKEY_FLAG_CLIENTVERSION_SHIFT
| Operating system | Flag | Value |
|---|---|---|
| Default setting | EMPLATE_CLIENT_VER_NONE | 0 |
| Windows XP | TEMPLATE_CLIENT_VER_XP | 1000000 (16777216) |
| Windows Vista | TEMPLATE_CLIENT_VER_VISTA | 2000000 (33554432) |
| Windows 7 | TEMPLATE_CLIENT_VER_WIN7 | 3000000 (50331648) |
| Windows 8 | TEMPLATE_CLIENT_VER_WIN8 | 4000000 (67108864) |
| Windows 8.1 | TEMPLATE_CLIENT_VER_WINBLUE | 5000000 (83886080) |
| Windows 10 | TEMPLATE_CLIENT_VER_THRESHOLD | 6000000 (100663296) |
Query the attribute for a certificate template
The following command line command can be used to query the values currently configured for a certificate template for the two flags:
certutil -v -template {name-of-template} | findstr VERSION_SHIFT
The template name corresponds to the Active Directory object name, not the display name.
Alternatively, it is also possible to use the msPKI private key flag directly on the pKICertificateTemplate object in the Active Directory.
certutil -v -ds "{DN-of-template-object}"
Example:
certutil -v -ds "CN=ADCSLaboratoryUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=intra,DC=adcslabor,DC=de"
If you check directly after a change to the certificate template, you should refresh the client-side cache with certutil -pulse to get the latest information.
English 
Deutsch
3 thoughts on “Wie sind die Kompatibilitätseinstellungen für Zertifikatvorlagen technisch abgebildet?”
Comments are closed.