Certificate templates let you specify the types of certificates that users or computers can request from your Certificate Authority (CA). A certificate template limits the purposes (e.g., email, smart card logon, Windows 2000 Encrypting File System [EFS], IP Security [IPSec]) for which you can use certificates that you base on that template. You can also edit a template's ACL to restrict which users or computers can request certificates based on the template. Because the users, computers, and CA are all part of a Win2K Active Directory (AD) forest, the CA can rely on Kerberos to identify and authenticate the users or computers that make certificate requests, and in that way it enforces the certificate template's ACL.

You can use Group Policy to configure authorized computers to automatically request a certificate from the CA based on the IPSEC certificate template. That way, only those computers can obtain a certificate from the CA and use that certificate to authenticate and communicate with a specified server through IPSec.
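
One way to verify that a template's ACL really limits enrollment to the intended computers is to read the ACL from AD and list every trustee that holds the Enroll right. This is an added example, not part of the original article. It assumes a management host with the RSAT ActiveDirectory PowerShell module; the template CN and the approved group names are placeholders to replace with your own.

```powershell
# Added example: audit who may enroll for a certificate template.
# Assumptions (not from the article): RSAT ActiveDirectory module is installed;
# $TemplateName is the template object's CN; $Approved holds the trustees you
# intend to allow (hypothetical group names, replace with your own).
param(
    [string]   $TemplateName = 'IPSECIntermediateOnline',      # assumed CN of the IPSEC template
    [string[]] $Approved     = @('CONTOSO\IPSec Servers',      # hypothetical
                                 'CONTOSO\Domain Admins',
                                 'CONTOSO\Enterprise Admins')
)
Import-Module ActiveDirectory

# Certificate-Enrollment extended right (AD schema GUID). An ACE with an empty
# ObjectType grants every extended right, so it also allows enrollment.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AnyRight    = [guid]::Empty
$Extended    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the forest-wide Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

(Get-Acl -Path "AD:$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $Extended) -and
        ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq $AnyRight)
    } |
    Select-Object @{ n = 'Trustee';    e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights';     e = { $_.ActiveDirectoryRights } },
                  @{ n = 'Inherited';  e = { $_.IsInherited } },
                  # Flag anything that is not on the approved list for review.
                  @{ n = 'Unexpected'; e = { $Approved -notcontains $_.IdentityReference.Value } } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Rows with `Unexpected` set to `True` are trustees that can request certificates from this template but are not on your approved list, for example a broad group such as Authenticated Users or Domain Computers.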