Certificates for Domain Controllers

An excellent article describing the different variants of certificate templates for domain controllers.

https://morgansimonsen.wordpress.com/2013/06/25/active-directory-domain-controllers-and-certificate-auto-enrollment 

 

Domain Controller related certificate templates

Domain controllers are interested in the following certificate templates; which ones they prefer depends on the DC's operating system version and the CA's OS version:

| Name | Description | Key Usage | Subject Type | Applications used for enhanced key usage | Application policies or enhanced key usage |
|---|---|---|---|---|---|
| Domain Controller | Used by domain controllers as all-purpose certificates and is superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication | Signature and encryption | DirEmailRep | Client authentication<br>Server authentication | 4.1 |
| Domain Controller Authentication | Used to authenticate Active Directory computers and users | Signature and encryption | Computer | Client authentication<br>Server authentication<br>Smart card logon | 110.0 |
| Directory E-mail Replication | Used to replicate e-mail within AD DS | Signature and encryption | DirEmailRep | Directory service e-mail replication | 115.0 |
| Kerberos Authentication | New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers | Signature and encryption | Computer | Client authentication<br>Server authentication<br>Smart card logon<br>KDC authentication | 110.0 |

 

| Domain Controller | Windows 2000 Server-based CA (version 1 only) | Windows Server 2003-based CA | Windows Server 2008-based CA |
|---|---|---|---|
| Windows 2000 Server (enroll for version 1 templates only) | Domain Controller | Domain Controller | Domain Controller |
| Windows Server 2003 | Domain Controller | Domain Controller<br>or<br>Domain Controller Authentication<br>Directory E-mail Replication | Kerberos Authentication or Domain Controller Authentication<br>Directory E-mail Replication |
| Windows Server 2008 | Domain Controller | Domain Controller<br>or<br>Domain Controller Authentication<br>Directory E-mail Replication | Kerberos Authentication<br>Directory E-mail Replication |
| Windows Server 2012 | Domain Controller | Domain Controller<br>or<br>Domain Controller Authentication<br>Directory E-mail Replication | Kerberos Authentication<br>Directory E-mail Replication |

 

Template name Windows 2000 Server Windows Server 2003 Windows Server 2008/2012
Directory E-mail Replication X
Domain Controller X X X
Domain Controller Authentication X
Kerberos Authentication X
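
The EKU sets in the first table above are enough to tell which default template a domain controller's certificate corresponds to. The following PowerShell is an added example, not taken from the linked article or this post; the OID values are the standard identifiers for the EKU names in the table, and the helper name Get-DcTemplateMatch is hypothetical.

```powershell
# Added example: infer which default DC template each certificate in the
# local computer store matches, using the EKU sets from the first table.
# The OIDs are the standard identifiers for those EKU names (not on the page).
$Eku = @{
    ClientAuth = '1.3.6.1.5.5.7.3.2'
    ServerAuth = '1.3.6.1.5.5.7.3.1'
    SmartCard  = '1.3.6.1.4.1.311.20.2.2'
    KdcAuth    = '1.3.6.1.5.2.3.5'
    DirEmail   = '1.3.6.1.4.1.311.21.19'
}
$Templates = [ordered]@{
    'Domain Controller'                = @($Eku.ClientAuth, $Eku.ServerAuth)
    'Domain Controller Authentication' = @($Eku.ClientAuth, $Eku.ServerAuth, $Eku.SmartCard)
    'Directory E-mail Replication'     = @($Eku.DirEmail)
    'Kerberos Authentication'          = @($Eku.ClientAuth, $Eku.ServerAuth, $Eku.SmartCard, $Eku.KdcAuth)
}

# Hypothetical helper: exact EKU-set comparison against each template.
function Get-DcTemplateMatch {
    param([string[]]$EkuOids)
    $have = @($EkuOids | Sort-Object -Unique)
    foreach ($name in $Templates.Keys) {
        $want = @($Templates[$name] | Sort-Object -Unique)
        if (($have -join ',') -eq ($want -join ',')) { return $name }
    }
    return 'no default DC template matches'
}

# Template name (v1) and template information (v2) extensions, shown as-is
# so the EKU-based inference can be compared with what the CA recorded.
$tplOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ekuExt = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A certificate without an EKU extension yields an empty list.
    $oids = @(foreach ($o in $ekuExt.EnhancedKeyUsages) { $o.Value })
    [pscustomobject]@{
        Thumbprint  = $_.Thumbprint
        NotAfter    = $_.NotAfter
        EkuMatch    = Get-DcTemplateMatch -EkuOids $oids
        KdcAuthEku  = $oids -contains $Eku.KdcAuth
        TemplateExt = ($_.Extensions | Where-Object { $tplOids -contains $_.Oid.Value } |
                       ForEach-Object { $_.Format($false) }) -join '; '
    }
}
```

Run it on each domain controller; a certificate whose EkuMatch is Domain Controller or Domain Controller Authentication lacks the KDC authentication EKU that the table lists only for Kerberos Authentication.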