How to create and publish new certificate templates in Server 2003 CA


We are a small shop and only issue a few certificates from our CA. I would like to create a new template (in this example) for code signing that has a longer expiration period.

I can get the new template created, but cannot get it to show as a usable template.

Here is what I did...

- Opened the CA MMC and opened the Certificate Templates folder. A template already exists for Code Signing that we already use.
- I right-clicked in that window and chose "Manage" which brought me to a list of all the templates.
- I duplicated the Code Signing template and named it "Code Signing new."
- On the new template, I copied the settings the best I could from the original, while extending the life to 10 years.
- I saved the template and went back to the CA MMC. The new template does not show as available for me to choose.
- When I go back to the manage screen, I see both the original and new templates, but there are some differences: The original template has an icon that is black and white, while the new one is in color. The old cert says version 3.1, while the new one is version 100.4. The old cert has auto enroll not allowed, while the new one is allowed.

So, how do I make my new template usable? Do I need to superced the original? If so, will that do any harm to certs created from the original cert? I will also need to do this for some web server certificate templates we use as well.

Any and all help is greatly appreciated!

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Senniger1Author Commented:
I found many references to Server 2003 Standard edition not being able to publish these. I do have Enterprise 2003 servers, can they create and publish these certs? Or does it have to come from the CA, which is 2003 standard?

You are right, yes. The problem is the Windows 2003 Std Edition.

If you configure a SubCA on one of the Enterprise servers then you should be able to create custom templates there, yes.

No, you don't need to superceed the original templates, you can just add the custom ones and it should have no impact on the certs already issued.
Senniger1Author Commented:
Thanks for the info. Is creating a subCA an easy task?
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

Well, it is not that difficult in my eyes. You just install the certificate services and during install you select to install a Sub CA instead of a Root CA.

Take a look here:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senniger1Author Commented:
Still working on this.  I'll be in touch.
Ok, good luck.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.