I'm playing around with Windows Server 2003's Certificate Services in preparation for upgrading our Windows 2000 Certification Authorities (CAs). I've noticed many new certificate templates in the Windows 2003 Microsoft Management Console (MMC) Certificate Templates snap-in, but I can't enable them. When I open the MMC Certification Authority snap-in, right-click the Certificate Templates folder, then click New, Certificate Template to Issue, I see only a subset of the templates that are available in the Certificate Templates snap-in. Where are the rest of the templates, and why can't I issue them from this CA?

Evidently you're testing Windows 2003, Standard Edition or Windows 2003, Web Edition. Microsoft significantly enhanced certificate templates in Windows 2003 but in effect charges a premium to use that functionality by enabling it only for Windows 2003, Enterprise Edition and Windows 2003 Datacenter Edition.

Windows 2003 offers several new certificate templates that give you more versatility and finer control over the properties that constitute a certificate. Moreover, you can duplicate the default certificate templates and customize them to your needs. For example, you can control the intended purposes (e.g., Server Authentication, Client Authentication, encryption, digital signature) for certificates issued by a given template. You can also control the issuance policy for each template to allow some templates to be issued automatically without CA administrator approval whereas other templates require administrator authorization.

Windows 2003 also includes a new feature called Autoenrollment. Traditionally, when you wanted to deploy a certain type of certificate to a set of users or computers, you had to configure one or more Group Policy Objects (GPOs) in Active Directory (AD) with an Automatic Certificate Request setting (under Computer Configuration\Windows Settings\Security Settings\Public Key Policies in any GPO) that directed the users or computers to request a certificate according to the associated template. With Autoenrollment, you can simply add the desired template to your CA's Certificate Templates folder. After you do so, the ACL will automatically request the new certificate for all computers and users who have Enroll permission on the templates--you don't need to configure Group Policy.

To control which computers or users will request the certificate template, simply open the Certificate Templates snap-in, then open the desired template's Properties page. Click the Security tab and grant Enroll permission to the user accounts or computers that you want to enroll. If you check the Certificate Templates snap-in's Minimum Supported CAs column, you'll notice that certificates that support customization and Autoenrollment can be issued only by Windows 2003 Enterprise or Windows 2003 Datacenter CAs. You can issue all other certificates from Win2K and later servers. You'll also notice that Autoenrollment works only for new clients, such as Windows 2003 and Windows XP clients.