Windows 2012 Certificate Templates

I am having a hard time understanding the difference between each of the certificate templates and the whole idea of CAs in general.

1) I understand how private / public keys work, but when a workstation is set to auto-enroll for a cert, is the public or private key stored on the server?

2) What is the difference between a workstation and a server certificate, since both seem to offer mutual authentication?

3) What makes a Web server cert differ from a server, workstation or any other cert?
Will Szymkowski, Senior Solution Architect, commented:
A web server cert is a certificate that is local to the web server but also might have additional names associated with it for the URL of the web site it is hosting. The certificate validates that the name in the URL is hosted by the appropriate server.

You can have multiple web certs on a single server if you are hosting several different Web sites with different sub domains.

A server cert is straight authentication based on the name of the server you are authenticating to.

Applications are capable of generating certs (some apps are different than others), but with an internal CA you can create different certificate templates which can be associated with different server types or specific applications. This all depends on how you lay out your internal PKI architecture.

Private certs are located in the user profile directory in an encrypted format which resides on the workstation. If you are using roaming profiles you can have the DCs hold the cert and push it down to the workstation as the user logs in.

The certs are located in the Certificate Personal Store, either in the Computer or User container. With other services that use certificates (like AD DS) they are located in the services container, which is then accessible from the domain.

Mahesh, Architect, commented:
To answer your questions:
When you use Autoenrollment, the certificate private key can be stored on the CA server only if the certificate template is set for key archival and you have set a key recovery agent. You can find that option in the certificate template properties. For example: the EFS certificate.

Otherwise the certificate public key is stored on the CA server, and if you set the template to publish the certificate in AD, then AD also stores the certificate's public key.
Basically the public key is designed to be distributed without problem to anybody.
The private key never leaves the originating device (from where you generate the request); only the certificate public key is sent to the CA server for signing, to get the certificate as output.
It's a different story when you export a cert with its private key and import it on another computer.

Although client certificates and SSL server certificates both use certificates, they are not directly related to each other. SSL server certificates provide encryption and security functionality. Client certificates provide user authentication functionality. The client certificate identifies the user; the server certificate identifies the server.

An "SSL Certificate" is an X.509 Certificate with Extended Key Usage: Server Authentication (
Other "common" types of X.509 certs are those with Extended Key Usage: Client Authentication (. Client certificates are enrolled for a user (a computer is also a user).

If you try to import a client cert on IIS 7 / 7.5 you will receive an error.
Only when the client certificate and server certificate mutually validate each other can secure communication be established.

If you look at the server certificate's General tab, you will find "Ensures the identity of a remote computer".
If you look at the client certificate's General tab, you will find "Proves your identity to a remote computer".

However, you can build your custom certificate request from the Certificates MMC console of the server computer to include both Server Authentication and Client Authentication as Extended Key Usage.
This certificate can be used for client authentication and server authentication, and can be used on clients and servers as well.
Since client computers do not have any web sites \ programs running, it is not required on clients.
This type of cert is useful when server applications need to authenticate to other servers as a client.
If you're never using the server certificate as a client, you won't need the Client Authentication OID on the server cert.

Workstation authentication certs are the same as client authentication certificates.

Check below articles for more details

Lastly, whatever cryptographic programming (core programming) is done for these two types of certificates so that they can be distinguished from each other and work correctly is beyond the scope of this question, and beyond my skill set as well.
Only a cryptographic programmer can tell you exactly what logic \ program makes that happen, but you won't be able to understand that unless you also have cryptographic programming knowledge.
Hence it's better to understand the difference between the two logically, by their functionality and usage.
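The answer above contrasts certificates by their Extended Key Usage (Server Authentication vs Client Authentication), notes that the private key stays on the requesting machine, and mentions building a custom request that carries both EKUs. The PowerShell below is an added example, not code from the thread or from Microsoft: it reports the EKU role and private-key presence of every certificate in a store, then writes a certreq .inf for the dual-EKU request. It assumes Windows PowerShell with the built-in Cert: drive and certreq.exe; the hostname in the .inf is a placeholder.

```powershell
# Well-known EKU OIDs (RFC 5280 id-kp-serverAuth / id-kp-clientAuth).
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-CertRole {
    # Map the EKU OIDs of one certificate to the roles discussed in the thread.
    param([string[]]$EkuOids)
    $server = $EkuOids -contains $ServerAuthOid
    $client = $EkuOids -contains $ClientAuthOid
    if ($server -and $client) { return 'server + client authentication' }
    if ($server)              { return 'server authentication (SSL / web server)' }
    if ($client)              { return 'client authentication (workstation / user)' }
    if (-not $EkuOids)        { return 'no EKU extension (any purpose)' }
    return 'other purpose'
}

function Get-StoreCertReport {
    # Walk a certificate store and report role, expiry and whether the private
    # key is held locally (HasPrivateKey is false for a cert imported without it).
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $oids   = @()
        if ($ekuExt) { $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Role          = Get-CertRole -EkuOids $oids
            HasPrivateKey = $cert.HasPrivateKey
            NotAfter      = $cert.NotAfter
        }
    }
}

function New-DualEkuRequestInf {
    # Write a certreq .inf for the "custom request" described above. certreq -new
    # generates the key pair locally, so the private key never leaves this host.
    param(
        [string]$Subject = 'CN=app01.corp.example',   # placeholder hostname
        [string]$Path    = (Join-Path $env:TEMP 'dual-eku.inf')
    )
    $inf = @"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = $ServerAuthOid
OID = $ClientAuthOid
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
    return $Path
}

# Usage: inspect the machine store, then prepare the request file.
Get-StoreCertReport | Format-Table -AutoSize
$infPath = New-DualEkuRequestInf
Write-Host "Next step: certreq -new `"$infPath`" `"$($infPath -replace '\.inf$', '.req')`""
```

Run the report against `Cert:\CurrentUser\My` to see user certificates instead; a certificate whose role comes back as client authentication is what the thread calls a workstation or user certificate, and one that reports server authentication is the web server / SSL kind. Submitting the generated .req to the CA is a separate step that depends on the template the CA is configured to issue.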

Will Szymkowski, Senior Solution Architect, commented:
Answers are below...
1. Private keys are stored on the workstation under the user's profile in an encrypted format. If you are using roaming profiles the private key is stored on the domain controllers. If you are implementing an internal Enterprise PKI it is highly recommended that you use a "Key Recovery Agent", because if the user's profile is damaged or corrupt, or if you move the location where the private key is stored, you cannot recover the user's profile data.

Key Recovery Agent is an account that has access to export the private key in your domain so that you have a method to restore them if needed.

2. Server/Workstation certificates, as you have stated, basically perform the same authentication mechanism. This type can be one-to-one or one-to-many, depending on the certificate itself.

3. Web server certificates are to authenticate and validate HTTP/HTTPS sites. Servers that host these certificates are servers that are hosting Web services like IIS. Client/Server certificates are computer-based certificates that authenticate the computer on the domain.

compdigit44 (Author) commented:
Thanks for the great responses, let me make sure I am understanding everything correctly.

1) The private certs never leave the workstation.

2) The workstation and client certificate are one and the same, correct? Both deal with "device" authentication.

3) What makes a web server cert differ from a server cert is that it is for a particular service. Is this correct? I am still having a hard time understanding the difference between server and web server certs.

Also, if you have an application that makes certificate requests on behalf of users connecting to the app, how do the certs for the users get published? Are the certs from the app or the internal domain CA?

Mahesh, Architect, commented:
There is no such concept as a server certificate; it's a server authentication certificate with Extended Key Usage (EKU): Server Authentication (
Any certificate having the above EKU is capable of providing encryption and security.
The SSL certificate on the server proves to the client computer that it is indeed from the server that the client is accessing, maybe through a URL \ application.

Any certificate installed on a server-class computer with an Extended Key Usage (EKU) other than Server Authentication is typically a client certificate, or for something else depending upon its EKU \ use.
If you install a web server SSL cert on a client computer that has IIS installed, it's still a server authentication certificate as long as its EKU is Server Authentication (

If you look at the typical usage of a web server SSL certificate (server authentication certificate), it's not mandatory to have client authentication certificates installed on client computers, because it's simply working on the principle of public key (asymmetric cryptography

In that case wire traffic encryption is expected from the client computer.
For example:
You use a browser to log in to gmail.
In that case gmail sends you the public key of its own cert.
You enter username and password, encrypt that with gmail's public key and send it to gmail.
Since gmail has the corresponding private key, it's able to decrypt that username and password and authenticate if it's correct.
This ensures that the authentication request came from the computer that indeed wants to use gmail (Ensures the identity of a remote computer).

However, you can configure the web server to set "Require client certificate" if you want to validate both the computer's and the user's identity with the help of certificates.
In that case both client and server mutually validate each other.
The SSL certificate on the server proves to the client certificate that it is indeed from the server that the client is accessing, maybe through a URL \ application.
And the client authenticates itself against the SSL cert to prove that it is indeed the client \ user mentioned in the client certificate with whom the server wants to communicate.

Yes, workstation and client authentication certificates are the same, since both certs' EKU is the same: Client Authentication (

Also, you cannot use multiple SSL certificates on a single server unless you have multiple IP addresses, one for each SSL certificate.
Because one SSL cert can be bound to one IP at a time.
Also, you cannot bind multiple SSL certificates to the IIS default instance \ a single web site.
If you have multiple DNS hostnames pointing to the same IIS web site, then you must use a SAN certificate or a wildcard certificate, depending upon the DNS hostnames.

Also, you can integrate your application to request a cert from the internal CA on behalf of the user, but this will require extra coding \ programming.
The best option is to redirect the user from the application interface to the CA server's web-based interface, so that the user can request a certificate from the CA and it can also be installed on the client computer.
In this case the cryptographic operation to generate the certificate takes place on the client computer rather than the CA server.
However, you can program your application to request a certificate from the CA on behalf of the user and give the user the option to install it on the client computer.
This is up to you, how you want to configure it.
You may use the AD certificate autoenrollment feature by creating a custom certificate template
as per your needs, if you have an AD-integrated CA and if you don't want to write special code in the application.
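The thread's advice on autoenrollment comes down to the settings on the certificate template: its EKU (which decides whether it issues a server or a client authentication certificate), whether issued certificates are published to AD, and whether the private key is archived on the CA. The PowerShell below is an added example, not code from the thread or from Microsoft, that audits those settings for every template in the forest. It assumes the RSAT ActiveDirectory module on a domain-joined host; the flag bit values are taken from the MS-CRTD specification, and the sample rows at the end are constructed so the classification can be checked without a domain.

```powershell
# Template flag bits (MS-CRTD): msPKI-Private-Key-Flag and msPKI-Enrollment-Flag.
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1   # key archival on the CA (needs a KRA)
$CT_FLAG_PUBLISH_TO_DS                = 0x8   # "publish certificate in Active Directory"
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'

function Test-TemplateSettings {
    # Pure classification of one template's attributes, usable offline.
    param(
        [string]$Name,
        [string[]]$Eku,
        [int]$PrivateKeyFlag,
        [int]$EnrollmentFlag
    )
    [pscustomobject]@{
        Template            = $Name
        ServerAuth          = [bool]($Eku -contains $ServerAuthOid)
        ClientAuth          = [bool]($Eku -contains $ClientAuthOid)
        KeyArchivalRequired = (($PrivateKeyFlag -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0)
        PublishToAD         = (($EnrollmentFlag -band $CT_FLAG_PUBLISH_TO_DS) -ne 0)
    }
}

function Get-TemplateAudit {
    # Live query: templates live in the Configuration partition, so every
    # enrollment-capable reader in the forest can inspect them.
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties pKIExtendedKeyUsage, 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag' |
      ForEach-Object {
        Test-TemplateSettings -Name $_.Name -Eku @($_.pKIExtendedKeyUsage) `
            -PrivateKeyFlag ([int]$_.'msPKI-Private-Key-Flag') `
            -EnrollmentFlag ([int]$_.'msPKI-Enrollment-Flag')
      }
}

# Constructed sample rows (illustrative values, not the built-in templates' real flags).
$samples = @(
    @{ Name = 'WebServerLike';   Eku = @($ServerAuthOid);            PrivateKeyFlag = 0; EnrollmentFlag = 0 },
    @{ Name = 'EFSLike';         Eku = @('1.3.6.1.4.1.311.10.3.4');  PrivateKeyFlag = 1; EnrollmentFlag = 8 },
    @{ Name = 'WorkstationLike'; Eku = @($ClientAuthOid);            PrivateKeyFlag = 0; EnrollmentFlag = 0 }
)
$samples | ForEach-Object { $row = $_; Test-TemplateSettings @row } | Format-Table -AutoSize

# Against a real domain: Get-TemplateAudit | Where-Object KeyArchivalRequired | Format-Table -AutoSize
```

A template that reports KeyArchivalRequired is the case the earlier answer describes where the private key is also held by the CA; it only issues successfully once a Key Recovery Agent is configured on that CA. Templates with neither EKU flag set may carry other purposes (the EFS OID in the sample is one), and autoenrollment itself is granted through the template's Autoenroll permission rather than through these flags.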
