Creating custom certificate templates in 2K3 Issuing CA

DJM2009
Hi Everyone,

I am currently trying to find out whether it is possible to create a truly custom certificate template using Windows 2003 32-bit Certificate Services, and not just duplicate an existing template. The reason is that the options with which we can build the SubjectName field in our current certificate template duplicates are not necessarily what we want. We have attempted CommonName, but due to some specific changes we had to make to our AD, the way the CN is automatically built is not what we want in our certificate SubjectName field.

I was wondering whether you ONLY have the option of duplicating and modifying the existing templates available on a Windows 2003 certificate authority, or whether you can literally create a custom one and import or push it into the template storage on a domain-joined Issuing CA.
Distinguished Expert 2017

Certificates have a specific format in order to be universally recognized. If you were to customize them outside the options, the certificate would be useless.

What are the alterations that you want to make and what is the purpose for the change?
I.e. I want my certificate to include a picture, a story, etc. Even if those were possible, they are useless for establishing the secure connection or for having the application run without a warning that the application is unsigned.
Are you also creating an application that would access the data in the certificate you want to add?
i.e. your application will access your web site with your certificate, and the application on the web server will access the personal certificate your web client provides and will display your picture as the visitor to the site?


As an example, if the SubjectName is to be populated by the CN, and let's say it comes out as "Full name - departmentname,buildingnumber", but your web app (or any app in general) cannot deal with the fact that you have a funky SubjectName with spaces and hyphens, or with the fact that your full name does not populate the SubjectName field on its own. Could I then create a self-customised certificate template that includes a SubjectName populated by a custom attribute, "full name only" for instance?
In other words, a SubjectName field not populated by the default options that MS 2003 Certificate Services comes with in its templates.

Does that demonstrate it any better?
Distinguished Expert 2017
The validity of the certificate is not determined by looking at who submitted the certificate. Certificate validation is done by checking whether the signer of the certificate is trusted.

Do you have an application that retrieves a certificate and then extracts the information you mentioned? To what end?

What you seem to be doing is, let's say, my complete name cannot fit on a regular driver's license,
i.e. name name1 name2 name3 name4 name5 name6. Usually I would have to use a "given name" and a family/last name. I decided that is not what I want, and the DMV created a special longer-format license (three times as long, so that my name could fit). How many will accept that license card as valid? Or, better said, how much time will I need to spend explaining why it is valid?

I think what you can do is customize what information is added/inserted into the template's data fields.
Cryptographic Engineer
In order to create a template you must duplicate an existing one. I have not seen any way around that; however, you can modify everything before you save it, so that it no longer looks at all like the original template.

You can customize the template in a great many ways, but there are limitations. I believe that what you are looking for is on the Subject Name tab of the template: change the selected option (the dot) to what you want; you may need to go with 'Supply in request'. You can add what you like to the subject name, and if you need more than what is defined within the certificate request, then you can add it manually to the SAN.

If you need to control it better than that, then you would probably be best off creating a .NET Framework app to perform the certificate request, which you can use to parse or analyze the data being entered before submitting it to the CA.
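A worked example of the 'Supply in request' route described in the answer above. This is an added example, not code from the thread or from Microsoft: a PowerShell script that reads the user's given name and surname from AD, builds the CN itself (full name only, no department or building suffix), writes a certreq INF with that subject plus a UPN SAN, submits the request to the issuing CA, and checks that the issued subject is the one supplied. The template name CustomUserCert, the CA config string ca01.corp.example\Corp-Issuing-CA and the name-policy regex are assumptions; the script also assumes a domain-joined client with certreq.exe and PowerShell 2.0 or later (the CA itself can remain on Windows 2003).

```powershell
# Added example, not from the original thread. Assumptions (all hypothetical):
#  - a template duplicated on the 2003 CA, Subject Name tab set to "Supply in request",
#    published as "CustomUserCert";
#  - the CA config string "ca01.corp.example\Corp-Issuing-CA";
#  - run on a domain-joined client with certreq.exe and PowerShell 2.0 or later.
param(
    [string]$Template       = 'CustomUserCert',
    [string]$CAConfig       = 'ca01.corp.example\Corp-Issuing-CA',
    [string]$SamAccountName = $env:USERNAME
)

# 1. Look the user up in AD with the built-in ADSI searcher (no RSAT module needed).
#    Restrict the account name first so it cannot inject into the LDAP filter.
if ($SamAccountName -notmatch '^[\w.-]+$') { throw "Invalid account name '$SamAccountName'" }
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('givenName', 'sn', 'userPrincipalName'))
$user = $searcher.FindOne()
if (-not $user) { throw "User '$SamAccountName' not found in AD" }

$given = [string]$user.Properties['givenname'][0]
$sur   = [string]$user.Properties['sn'][0]
$upn   = [string]$user.Properties['userprincipalname'][0]

# 2. Build the CN ourselves: full name only, none of the suffix the CA would add
#    when it builds the CN from the AD object under the default template options.
$fullName = ("$given $sur").Trim()
# Hypothetical name policy: allow only characters that need no X.500 escaping,
# so nothing downstream chokes on commas, quotes or plus signs in the subject.
if ($fullName -notmatch '^[A-Za-z0-9 .''-]+$') {
    throw "Name '$fullName' contains characters outside the CN policy"
}

# 3. certreq INF. The Subject here is honoured only because the template says
#    "Supply in request"; with any other Subject Name option the CA rebuilds it from AD.
$inf = @"
[NewRequest]
Subject = "CN=$fullName"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "upn=$upn&"
"@

$work = Join-Path $env:TEMP "enroll-$SamAccountName"
New-Item -ItemType Directory -Path $work -Force | Out-Null
$infPath = Join-Path $work 'request.inf'
$reqPath = Join-Path $work 'request.req'
$cerPath = Join-Path $work 'cert.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 4. Generate the key pair and PKCS#10 request, submit it, install the result.
& certreq.exe -q -new $infPath $reqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed (check the INF syntax)' }
& certreq.exe -q -submit -config $CAConfig $reqPath $cerPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed (template Enroll permission? CA config string?)' }
if (-not (Test-Path $cerPath)) {
    Write-Warning 'No certificate returned; the template probably requires CA manager approval. Fetch it later with certreq -retrieve.'
    return
}
& certreq.exe -q -accept $cerPath

# 5. Verify the CA honoured the supplied subject instead of rebuilding it from AD.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
"Issued subject: $($cert.Subject)"
if ($cert.Subject -ne "CN=$fullName") {
    Write-Warning 'Subject was rewritten by the CA; the template is not set to "Supply in request".'
}
```

Two practical notes on this route. First, the name validation in step 2 is the part the answer above suggests putting in a .NET app; here it is done in the script before anything reaches the CA, so a name that does not fit the policy fails on the client rather than producing an odd certificate. Second, a template set to 'Supply in request' lets every principal with Enroll permission on it assert whatever subject and SAN it likes, so restrict Enroll to the intended group (or require CA certificate manager approval on the template's Issuance Requirements tab) rather than leaving it open to Domain Users, particularly if the template carries a Client Authentication EKU.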
