We help IT Professionals succeed at work.

How to create and publish new certificate templates in Server 2003 CA


We are a small shop and only issue a few certificates from our CA. I would like to create a new template (in this example) for code signing that has a longer expiration period.

I can get the new template created, but cannot get it to show as a usable template.

Here is what I did...

- Opened the CA MMC and opened the Certificate Templates folder. A template already exists for Code Signing that we already use.
- I right-clicked in that window and chose "Manage" which brought me to a list of all the templates.
- I duplicated the Code Signing template and named it "Code Signing new."
- On the new template, I copied the settings the best I could from the original, while extending the life to 10 years.
- I saved the template and went back to the CA MMC. The new template does not show as available for me to choose.
- When I go back to the manage screen, I see both the original and new templates, but there are some differences: The original template has an icon that is black and white, while the new one is in color. The old cert says version 3.1, while the new one is version 100.4. The old cert has auto enroll not allowed, while the new one is allowed.

So, how do I make my new template usable? Do I need to superced the original? If so, will that do any harm to certs created from the original cert? I will also need to do this for some web server certificate templates we use as well.

Any and all help is greatly appreciated!

Watch Question


I found many references to Server 2003 Standard edition not being able to publish these. I do have Enterprise 2003 servers, can they create and publish these certs? Or does it have to come from the CA, which is 2003 standard?

You are right, yes. The problem is the Windows 2003 Std Edition.

If you configure a SubCA on one of the Enterprise servers then you should be able to create custom templates there, yes.

No, you don't need to superceed the original templates, you can just add the custom ones and it should have no impact on the certs already issued.


Thanks for the info. Is creating a subCA an easy task?
Well, it is not that difficult in my eyes. You just install the certificate services and during install you select to install a Sub CA instead of a Root CA.

Take a look here:


Still working on this.  I'll be in touch.
Ok, good luck.