DonatShell
Server IP : 180.180.241.3  /  Your IP : 216.73.216.252
Web Server : Microsoft-IIS/7.5
System : Windows NT NETWORK-NHRC 6.1 build 7601 (Windows Server 2008 R2 Standard Edition Service Pack 1) i586
User : IUSR ( 0)
PHP Version : 5.3.28
Disable Function : NONE
MySQL : ON  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /Windows/Help/Windows/en-US/


Current File : /Windows/Help/Windows/en-US/certtmpl.h1s
MZ@PEL!@04S@.rsrc@@.its @@0	HX||4VS_VERSION_INFOStringFileInfo040904b0b!FileVersion1.00.00                         l"FileDescriptionCompiled Microsoft Help 2.0 TitleBFileStamp8495A99901CA041F4JCompilerVersion2.5.71210.08579VCompileDate2009-07-14T01:07:54      >TopicCount74000000000000ALegalCopyright 2005 Microsoft Corporation. All rights reserved.CCCCCCCCCCCCCDVarFileInfo$Translation	tiJ*GPITOLITLS(X쌡^
V`   x PCAOLPHHC ITSF #1	-Y쌡^
VY쌡^
VIFCMAOLLPIFCM AOLL//$FXFtiAttribute//$FXFtiAttribute/BTREEB/$FXFtiAttribute/DATA/$FXFtiAttribute/PROPERTYZN/$FXFtiMain//$FXFtiMain/BTREE-/$FXFtiMain/DATAE//$FXFtiMain/PROPERTYtN/$Index/$ATTRNAME(\/$Index/$PROPBAGn/$Index/$STRINGSh:/$Index/$SYSTEMT
/$Index/$TOC//$Index/$TOC/$certtmpl"/$Index/$TOPICATTR(/$Index/$TOPICSj0/$Index/$URLSTR"x/$Index/$URLTBLP/$Index/$VTAIDX\/$Index/AssetId//$Index/AssetId/$BL0`/$Index/AssetId/$LEAF_COUNTS`/$Index/AssetId/$LEAVESh	/$OBJINST"/assets/0/assets/0749af8d-c195-49b8-96f6-3a9a6568b520.xmltI0/assets/08bab27e-830a-4153-bf33-271dce69f99b.xml=z0/assets/0acbd7fe-62b1-4aba-9cef-351e56075434.xml7!0/assets/0eb289d1-2df5-47d3-a2be-ba231daa9858.xmlXK0/assets/1134786d-baae-47e7-ab30-286e21b180d2.xml#0/assets/194c4281-a5bf-4be1-9e4e-61f7b500066e.xml50/assets/1b15e7e5-3a77-4817-9bcc-f327cd777716.xmlKV0/assets/1da52796-c5ad-439f-af38-9818e26fe356.xml!:0/assets/1ddf06ed-615d-4e24-ba43-468fb0da6c13.xml[0/assets/3510bd12-b297-40ab-b1f8-af72de3531a9.xmltl0/assets/39b97b49-7fea-4d13-a031-749165f26783.xml`40/assets/3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed.xmlt0/assets/461a7e73-4910-4108-81c3-4a21a3c9a895.xml10/assets/4a9be825-e97d-4b0c-8b7b-a1f74a816619.xml9(0/assets/534a3eb2-05ea-470e-a4af-047927eabe14.xmla30/assets/5e47ee01-62f0-4033-8d21-c02b2bb32781.xml>0/assets/625a2bc3-73c5-4084-b78d-c37ac00f96ae.xmlR40/assets/6269c006-a8c8-409b-922b-3c3ba0e20bb7.xmlu0/assets/646333b2-67c9-4e22-8cbc-be44a5e4bcc5.xml{80/assets/6d7cdf83-35a0-446a-aaaf-4f48dff43379.xml3:0/assets/831d299b-4f8f-4d9c-9d43-15c6b6cc93ea.xmlm0/assets/85e1436e-4c52-489a-93a2-6603f1abadf7.xmlqc0/assets/8a274218-b04e-4b50-b966-e050f6a4c04c.xmlT0/assets/8a4b5b45-3723-4f22-a487-a52dd95d7a65.xmlVU0/assets/8c050288-46c9-4991-a6ab-df3ef8de0535.xml+%0/assets/96dd619c-78c6-4be5-930b-eef928720262.xmlP0/assets/9b9063e6-0cb3-40ce-9217-cfa19426c6b0.xml[c0/assets/a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612.xml>R0/assets/acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b.xml0/assets/b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415.xml$0/assets/b493c46c-97d8-4dac-9144-33648f3499cb.xml*.0/assets/bdcffb35-6560-4cf6-8cb8-8281910dabb4.xmlXH0/assets/c3077a44-da11-4b06-a2dc-599c7251f6e3.xml 
E0/assets/c651f8cf-5c84-42c0-9a61-37e0000e6989.xmle50/assets/e236f324-c343-4efa-8728-aa97626a452c.xmlU0/assets/e6868771-654b-44fd-9853-7cbdd9174f47.xmlo0/assets/f6d90c10-d921-4f70-8a02-f3e525efa7b3.xmln0/assets/fabc1c44-f2a2-43e1-b52e-9b12a1f19a33.xmlu
/certtmpl.h1cx

/certtmpl.H1F(
/certtmpl.H1T(?
/certtmpl.H1V*~/certtmpl_AssetId.H1Kgk/certtmpl_BestBet.H1KRk/certtmpl_LinkTerm.H1K=l/certtmpl_SubjectTerm.H1K)o::DataSpace/NameList<(::DataSpace/Storage/MSCompressed/Content<,::DataSpace/Storage/MSCompressed/ControlDataT )::DataSpace/Storage/MSCompressed/SpanInfoL/::DataSpace/Storage/MSCompressed/Transform/List<_::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/i::DataSpace/Storage/MSCompressed/Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/InstanceData/ResetTableTX3::Transform/{8CEC5846-07A1-11D9-B15E-000D56BFE6EE}/

	s`M:'CSpPUncompressedMSCompressedFX쌡^
VpLZXCHH<maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Allow Subjects to Request a Certificate Based on a Template</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Users can obtain certificates as needed by using the Certificate Request Wizard to request a certificate based on a certificate template. Before they can do this, you must enable the certificate template for these operations.</maml:para>

<maml:para>To properly configure subject enrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of certificate enrollment. For more information on these settings, see:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Key Usage</maml:linkText><maml:uri href="mshelp://windows/?id=534a3eb2-05ea-470e-a4af-047927eabe14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Supersede Templates</maml:linkText><maml:uri href="mshelp://windows/?id=08bab27e-830a-4153-bf33-271dce69f99b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To allow subjects to request a certificate that is based on a template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, add the groups, computers, or users from which you want to allow certificate requests.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Group or user names</maml:ui>, click one of the new objects, and then, on <maml:ui>Permissions for ObjectName</maml:ui>, under the <maml:ui>Allow</maml:ui> column, select the <maml:ui>Read</maml:ui> and <maml:ui>Enroll</maml:ui> check boxes.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Repeat the previous step for each new object.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Supersede Templates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>There may be times when you want to modify the properties of a type of certificate that has already been issued to clients. You can do this by creating an updated certificate template for that certificate purpose and specifying that you want subjects of certificates based on the old template to obtain new certificates based on the new template. This procedure forces subjects to obtain a new certificate before the renewal date specified in the original certificate template.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To supersede templates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Superseded Templates</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click one or more templates to supersede, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Make any other changes to the template that you want to include, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Issuance Requirements</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A certification authority (CA) processes each certificate request by using a defined set of rules. The CA may issue some certificates with no proof of identification and require proof of identification before other types of certificates are issued. This provides different levels of assurance for different certificates. These levels of assurance are represented in certificates as issuance policies.</maml:para>

<maml:para>An issuance policy (also known as an enrollment or certificate policy) is a group of administrative rules that are implemented when issuing certificates. Each issuance policy is represented in a certificate by an object identifier (also known as an OID) that is defined at the CA. This object identifier is included in the issued certificate. When a subject presents its certificate, the target can examine the certificate to verify the issuance policy and determine whether that level of issuance policy is sufficient to perform the requested action.</maml:para>

<maml:para>Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003 include four predefined issuance policies:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>All Issuance</maml:phrase> (2.5.29.32.0). The all issuance policy indicates that the issuance policy contains all other issuance policies. Typically, this object identifier is only assigned to CA certificates.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Low Assurance</maml:phrase> (1.3.6.1.4.1.311.21.8.<maml:replaceable>x.y.z.</maml:replaceable>1.400). The low assurance object identifier is used to represent certificates that are issued with no additional security requirements. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>The <maml:replaceable>x.y.z</maml:replaceable> portion of the object identifier is a randomly generated numeric sequence that is unique for each Active Directory forest.</maml:para>
</maml:alertSet>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Medium Assurance</maml:phrase> (1.3.6.1.4.1.311.21.8.<maml:replaceable>x.y.z.</maml:replaceable>1.401). The medium assurance object identifier is used to represent certificates that have additional security requirements for issuance. For example, a smart card certificate that is issued in a face-to-face meeting with a smart card issuer might be considered a medium assurance certificate and contain the medium assurance object identifier.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>High Assurance</maml:phrase> (1.3.6.1.4.1.311.21.8.<maml:replaceable>x.y.z.</maml:replaceable>1.402). The high assurance object identifier is used to represent certificates that are issued with the highest security. For example, the issuance of a key recovery agent certificate might require additional background checks and a digital signature from a designated approver because a person holding this certificate can recover private key material from an enterprise CA.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>In addition, you can create your own object identifiers to represent custom issuance policies.</maml:para>

<maml:para>When subjects submit certificate requests to a CA, the request can either be automatically approved or placed into a "pending" state. A pending state is normally used for certificates that require a higher level of assurance and consequently require more administration and further verification of the request. A number of settings configure the authentication and signature requirements for issuing certificates that are based on a template.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CA certificate manager approval</maml:para>
</maml:entry>
<maml:entry>
<maml:para>All certificates are placed into the pending container for a certificate manager to issue or deny.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>This number of authorized signatures</maml:para>
</maml:entry>
<maml:entry>
<maml:para>This setting requires the certificate request to be digitally signed by one or more subjects before it can be issued. This enables several other configuration parameters.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Policy type required in signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The signatures that are required for issuing a certificate must contain either a specific application policy, issuance policy, or both. This is how the CA determines whether the signature is appropriate for authorizing the issuance of the subject's certificate. This option is enabled when <maml:ui>This number of authorized signatures</maml:ui> is set.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Application policy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the application policy to verify when signing a certificate request. This option is enabled when <maml:ui>Policy type required in signature </maml:ui>is set to either <maml:ui>Application policy</maml:ui> or <maml:ui>Both application and issuance policy</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Issuance policy</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Specifies the issuance policies to verify when signing a certificate request. This option is enabled when <maml:ui>Policy type required in signature </maml:ui>is set to either <maml:ui>Issuance policy</maml:ui> or <maml:ui>Both application and issuance policy</maml:ui>.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>The ability to modify or create new application policies is available only with version 2 and version 3 certificate templates. For more information, see <maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Clients must be re-enrolled to receive a certificate based on a modified template if they already have a valid certificate based on the previous template. For more information about re-enrolling clients, see <maml:navigationLink><maml:linkText>Re-Enroll All Certificate Holders</maml:linkText><maml:uri href="mshelp://windows/?id=6d7cdf83-35a0-446a-aaaf-4f48dff43379"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To modify an issuance policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Issuance Requirements</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the requested information.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Make Issuance or Application Policy Critical</maml:linkText><maml:uri href="mshelp://windows/?id=3510bd12-b297-40ab-b1f8-af72de3531a9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Cryptography</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The <maml:ui>Cryptography</maml:ui> tab is available for version 3 certificate templates. This tab replaces the cryptographic service provider (CSP) selection dialog box used to select CSPs for version 2 certificate templates. The <maml:ui>Cryptography</maml:ui> tab is used to configure the following properties:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Algorithm name</maml:ui>. Select an algorithm that the issued certificate's key pair will support. The list displays only algorithms that support the cryptographic operations required for the certificate purpose that is selected on the <maml:ui>Request Handling</maml:ui> tab. The following table describes the relationship between the certificate purpose and the available algorithms.</maml:para><maml:table>
<maml:tableHeader><maml:row><maml:entry><maml:para>Purpose</maml:para></maml:entry><maml:entry><maml:para>Algorithms</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para>Encryption</maml:para></maml:entry><maml:entry><maml:para>ECDH_P256<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P384<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P521<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />RSA</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para>Signature</maml:para></maml:entry><maml:entry><maml:para>DSA<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDSA_P256<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDSA_P384<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDSA_P521<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />RSA</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para>Signature and encryption</maml:para></maml:entry><maml:entry><maml:para>ECDH_P256<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P384<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P521<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />RSA</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para>Signature and smart card logon</maml:para></maml:entry><maml:entry><maml:para>ECDH_P256<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P384<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />ECDH_P521<br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" />RSA</maml:para></maml:entry></maml:row>
</maml:table></maml:listItem>



<maml:listItem>
<maml:para><maml:ui>Minimum key size</maml:ui>. This option allows you to specify a minimum required size for the keys used with the chosen algorithm. By default, the minimum key length supported on the computer for the chosen algorithm will be used.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Providers</maml:ui>. Version 2 templates offer a list of CryptoAPI CSPs, while version 3 templates offer a dynamically populated list of Cryptography Next Generation (CNG) providers. This list is populated with all providers available on the computer that meet the criteria specified by a combination of the following configuration options: <maml:ui>Algorithm name</maml:ui> and <maml:ui>Minimum key size</maml:ui> on the <maml:ui>Cryptography</maml:ui> tab, and <maml:ui>Purpose</maml:ui> and <maml:ui>Allow private key to be exported</maml:ui> on the <maml:ui>Request Handling</maml:ui> tab.</maml:para>
</maml:listItem>

<maml:listItem>
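<maml:para><maml:ui>Hash algorithm</maml:ui>. This option allows you to choose an advanced hash algorithm. By default, the following algorithms are available: AES-GMAC, MD2, MD4, MD5, SHA1, SHA256, SHA384, and SHA512. Of these, MD2, MD4, MD5, and SHA1 are no longer considered collision-resistant, so prefer SHA256 or stronger for new templates.</maml:para>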
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Use alternate signature format</maml:ui>. When the RSA algorithm is selected, this check box allows you to specify that certificate requests created for this template include a discrete signature in PKCS #1 V2.1 format. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>This setting applies to the certificate request only, not the certificate that is issued by the CA from this template.</maml:para>
</maml:alertSet>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Request Handling</maml:linkText><maml:uri href="mshelp://windows/?id=b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Set Up Automatic Certificate Enrollment</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Autoenrollment is a useful feature of Active Directory Certificate Services (AD CS). It allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject.</maml:para>

<maml:para>To properly configure subject autoenrollment, the administrator must plan the appropriate certificate template or templates to use. Several settings in the certificate template directly affect the behavior of subject autoenrollment. For more information on these settings, see:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Key Usage</maml:linkText><maml:uri href="mshelp://windows/?id=534a3eb2-05ea-470e-a4af-047927eabe14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Supersede Templates</maml:linkText><maml:uri href="mshelp://windows/?id=08bab27e-830a-4153-bf33-271dce69f99b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To set up automatic certificate enrollment</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the various <maml:ui>Properties</maml:ui> tabs, including <maml:ui>General</maml:ui>, <maml:ui>Request Handling</maml:ui>, and <maml:ui>Issuance Requirements</maml:ui>, and modify them if necessary. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Security</maml:ui> tab, select a group or user name. Select the <maml:ui>Allow</maml:ui> check box next to <maml:ui>Autoenroll</maml:ui>, and then click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Template General Properties</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The <maml:ui>General</maml:ui> tab contains validity and renewal information for certificates that will be issued based on a certificate template.</maml:para>

<maml:para>The default validity and renewal period settings for certificates issued by Active Directory Certificate Services (AD CS) are designed to meet most security needs. However, you might want to specify different validity and renewal settings, such as shorter lifetime or renewal periods for certificates that are used by certain user groups. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To modify the validity or renewal period for a certificate template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, check the current validity period and renewal period values, modify them as needed, and then click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The <maml:ui>Publish certificate in Active Directory</maml:ui> option determines whether information about the certificate template will be made available throughout the enterprise.</maml:para>

<maml:para>The <maml:ui>Do not automatically re-enroll if a duplicate certificate exists in Active Directory</maml:ui> option is applied when the subject attempts to enroll for a certificate based on this template from a computer running Windows XP or later. With this option, certificate autoenrollment will not submit a re-enrollment request if a duplicate certificate exists in Active Directory Domain Services (AD DS). This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.</maml:para>

<maml:para>The <maml:ui>Smart card certificate keys</maml:ui> option enables the existing key to be used if a new key cannot be created during renewal of a smart card certificate. This option helps prevent smart card certificate renewal failures that could result when a smart card runs out of storage space.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure certificate publishing in AD DS </maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, select the appropriate Active Directory setting, and then click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Create a New Certificate Template</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can create a new certificate template by duplicating an existing template and using the existing template's properties as the default for the new template. Different applications and types of certification authorities (CAs) support different certificate templates. For example, some certificate templates can only be issued and managed by enterprise CAs running Windows Server 2003, and some may require that the CA be running Windows Server 2008. Review the list of default certificate templates, and examine their properties to identify the existing certificate template that most closely meets your needs. This will minimize the amount of configuration work that you need to do. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To create a new certificate template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the template to copy from, and then click <maml:ui>Duplicate Template</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Choose the minimum version of CA that you want to support. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Type a new name for this certificate template.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Make any necessary changes, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Template Server</maml:title><maml:introduction>
<maml:para>High-volume certificate issuance scenarios such as Network Access Protection (NAP) deployments with Internet Protocol security (IPsec) enforcement create unique public key infrastructure (PKI) needs. To address these needs, the following options introduced in Windows Server 2008 R2 can be used to configure certificate templates for use by high-volume certification authorities (CAs). These options are available on the <maml:ui>Server</maml:ui> tab of a certificate template's property sheet.</maml:para>


</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Do not store certificates and requests in the CA database</maml:title>
<maml:introduction>
<maml:para>Certificates issued in high-volume scenarios typically expire within hours of being issued, and the issuing CA processes a high volume of certificate requests. By default, a record of each request and issued certificate is stored in the CA database. A high volume of requests increases the CA database growth rate and administration cost.</maml:para>
<maml:para>The <maml:ui>Do not store certificates and requests in the CA database</maml:ui> option configures the template so that the CA processes certificate requests without adding records to the CA database.</maml:para><maml:alertSet class="important"><maml:title>Important </maml:title><maml:para>The issuing CA must be configured to support certificate requests that have this option enabled. On the issuing CA, run the following command: <maml:userInput>CertUtil.exe -SetReg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS</maml:userInput>.</maml:para></maml:alertSet>
</maml:introduction></maml:section><maml:section><maml:title>Do not include revocation information in issued certificates</maml:title>
<maml:introduction><maml:para>Revocation of certificates by some high-volume CAs is not beneficial because the certificates typically expire within hours of being issued.</maml:para>
<maml:para>The <maml:ui>Do not include revocation information in issued certificates</maml:ui> option configures the template so that the CA excludes revocation information from issued certificates. This prevents checking revocation status during certificate validation and reduces validation time. A certificate issued without revocation information cannot be invalidated before it expires, so use this option only with templates that have a short validity period.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This option is recommended whenever the <maml:ui>Do not store certificates and requests in the CA database</maml:ui> option is used, because the CA keeps no record of those certificates and therefore cannot revoke them.</maml:para></maml:alertSet></maml:introduction>

<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Issuing Certificates Based on Certificate Templates</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) supports a variety of enrollment and renewal methods, including autoenrollment without any client interaction and interactive enrollment methods such as the Certificate Request Wizard and the AD CS Web pages. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>If you deploy non-Microsoft certification authorities (CAs) or custom certificate enrollment and renewal applications, you must perform any configuration required for those CAs and applications.</maml:para>
</maml:alertSet>

<maml:para>How a client obtains a certificate is primarily controlled by the security properties of the certificate template. </maml:para>

<maml:para>When certificate templates are published on a server, each template contains an access control list (ACL) that defines the specific operations a subject can perform with a certificate. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Full Control</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The selected group or user can perform any action on this template.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Read</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The selected group or user can read this template.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Write</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The selected group or user can modify this template.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enroll</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The selected group or user can submit a certificate issuance or renewal request based on this template.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>To automatically retrieve OCSP Response Signing certificates, Online Responder service accounts require Enroll permission, not Autoenroll permission.</maml:para></maml:alertSet>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Autoenroll</maml:para>
</maml:entry>
<maml:entry>
<maml:para>The selected group or user can submit a certificate request based on this template by way of autoenrollment.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Autoenroll permission does not include Enroll permission. To use Autoenroll permission, grant both permissions.</maml:para>
</maml:alertSet>
</maml:entry></maml:row>
</maml:table>

<maml:para>The most common use of certificates is for subject enrollment with autoenrollment permitted. In this case, the subject must be granted Read, Enroll, and Autoenroll permissions. </maml:para>

<maml:para>If you do not want to autoenroll users, but do want to make manual or Web-based enrollment available, granting the Read and Enroll permissions is appropriate. </maml:para>

<maml:para>When subjects already hold a certificate, they need only Read and Enroll permissions to renew that certificate, whether they use autoenrollment or not.</maml:para>

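<maml:para>Write and Full Control permissions should be restricted to CA managers to ensure the templates are not improperly configured, because a group or user with either permission can modify the template and therefore change how certificates based on it are issued.</maml:para>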

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Set Up Automatic Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=1134786d-baae-47e7-ab30-286e21b180d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Allow Subjects to Request a Certificate Based on a Template</maml:linkText><maml:uri href="mshelp://windows/?id=0749af8d-c195-49b8-96f6-3a9a6568b520"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Re-Enroll All Certificate Holders</maml:linkText><maml:uri href="mshelp://windows/?id=6d7cdf83-35a0-446a-aaaf-4f48dff43379"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Modify an Issuance Policy</maml:linkText><maml:uri href="mshelp://windows/?id=9b9063e6-0cb3-40ce-9217-cfa19426c6b0"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure Certificate Publishing in Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=96dd619c-78c6-4be5-930b-eef928720262"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Make Issuance or Application Policy Critical</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>An object identifier must describe every application and issuance policy that you define. The inclusion of an issuance policy object identifier in an issued certificate indicates that the certificate was issued in a manner that meets the issuance requirements associated with the issuance policy object.</maml:para>

<maml:para>Issuance or application policies by default are not critical. Making them critical can help ensure that a certificate is not used improperly. However, it also increases the likelihood that the certificate may not be compatible with all applications.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To make issuance or application policy critical</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Issuance Policies</maml:ui> or <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Make this extension critical</maml:ui> check box. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Clients must be re-enrolled to receive a certificate based on the changed template if they already have a valid certificate based on the old template. For more information, see <maml:navigationLink><maml:linkText>Re-Enroll All Certificate Holders</maml:linkText><maml:uri href="mshelp://windows/?id=6d7cdf83-35a0-446a-aaaf-4f48dff43379"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Object Identifiers</maml:linkText><maml:uri href="mshelp://windows/?id=8a274218-b04e-4b50-b966-e050f6a4c04c"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Upgrade Existing Templates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>When you upgrade a certification authority (CA), you may need to update the Active Directory schema to support new certificate template attributes. For more information about updating the Active Directory schema with Adprep.exe, see the Command Line Reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=20331</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=20331"></maml:uri></maml:navigationLink>).</maml:para>

<maml:para>In addition, you need to upgrade the certificate templates to include and configure these attributes. Upgrading the certificate templates applies the proper security permissions on the existing certificate templates and installs any new certificate templates that are available. </maml:para>

<maml:para>If you do not perform this procedure before upgrading your CAs to Windows Server 2008 R2, you will be prompted when opening the Certificate Templates snap-in. If this procedure has already been performed in your enterprise, you will not receive a prompt when you open Certificate Templates.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure.</maml:para>

<maml:procedure><maml:title>To install new templates and upgrade existing templates</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When prompted to install new certificate templates, click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>After a CA has been upgraded and certificate templates have been installed, you can create new version 2 or version 3 copies of any certificate template in the domain. For more information, see <maml:navigationLink><maml:linkText>Create a New Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=1b15e7e5-3a77-4817-9bcc-f327cd777716"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Template Versions</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) provides the following versions of certificate templates, which are available on enterprise certification authorities (CAs).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Version 1 certificate templates</maml:title>
<maml:introduction><maml:para>Version 1 certificate templates support general certificate needs and provide compatibility with clients and issuing CAs running Windows 2000 operating systems. Version 1 templates are installed by default during CA setup and cannot be deleted. The only property that can be modified on a version 1 template is the set of assigned permissions that controls access to the template. </maml:para>

<maml:para><maml:ui>Enrollment options</maml:ui></maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>Automatic enrollment</maml:para><maml:list class="unordered"><maml:listItem><maml:para>Custom scripts</maml:para></maml:listItem><maml:listItem><maml:para>Automatic certificate request settings in Group Policy can be used only for computer certificates</maml:para></maml:listItem></maml:list></maml:listItem>
<maml:listItem><maml:para>Manual enrollment</maml:para><maml:list class="unordered"><maml:listItem><maml:para>Certificates snap-in</maml:para></maml:listItem><maml:listItem><maml:para>CA Web enrollment pages</maml:para></maml:listItem></maml:list></maml:listItem>

</maml:list>



<maml:para><maml:ui>Template availability</maml:ui></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Windows Server 2008 R2, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2008, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2003 R2, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2003, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows 2000 Server, all editions</maml:para></maml:listItem>




</maml:list></maml:introduction></maml:section><maml:section>
<maml:title>Version 2 certificate templates</maml:title><maml:introduction>
<maml:para>Version 2 certificate templates were introduced in Windows Server 2003 and can be configured by an administrator to control the way certificates are requested, issued, and used. Version 2 templates provide support for certificate autoenrollment.</maml:para>

<maml:para><maml:ui>Enrollment options</maml:ui></maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>Automatic enrollment</maml:para><maml:list class="unordered"><maml:listItem><maml:para>Autoenrollment in Windows Server 2008, Windows Vista,  Windows Server 2003, and Windows XP Professional</maml:para></maml:listItem><maml:listItem><maml:para>Custom scripts</maml:para></maml:listItem></maml:list></maml:listItem>
<maml:listItem><maml:para>Manual enrollment</maml:para><maml:list class="unordered"><maml:listItem><maml:para>Certificate Enrollment Wizard</maml:para></maml:listItem><maml:listItem><maml:para>CA Web enrollment pages</maml:para></maml:listItem></maml:list></maml:listItem>
</maml:list>

<maml:para><maml:ui>Template availability</maml:ui></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Windows Server 2008 R2, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2008, Enterprise and Datacenter editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2003 R2, Enterprise and Datacenter editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2003, Enterprise and Datacenter editions</maml:para></maml:listItem>



</maml:list>
</maml:introduction></maml:section><maml:section>
<maml:title>Version 3 certificate templates</maml:title><maml:introduction>
<maml:para>In addition to version 2 template features  and autoenrollment, version 3 certificate templates provide support for Suite B cryptographic algorithms. Suite B was created by the U.S. National Security Agency to specify cryptographic algorithms that must be used by U.S. government agencies to secure confidential information.</maml:para>

<maml:para><maml:ui>Template availability</maml:ui></maml:para>
<maml:list class="unordered">
<maml:listItem><maml:para>Windows Server 2008 R2, all editions</maml:para></maml:listItem><maml:listItem><maml:para>Windows Server 2008, Enterprise and Datacenter editions</maml:para></maml:listItem>

</maml:list>
</maml:introduction>
<maml:sections><maml:section><maml:title></maml:title><maml:introduction></maml:introduction><maml:sections><maml:section>
<maml:title>Additional references</maml:title>
<maml:introduction>
<maml:list class="unordered">
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Certificate Template Concepts</maml:linkText><maml:uri href="mshelp://windows/?id=85e1436e-4c52-489a-93a2-6603f1abadf7"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Create a New Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=1b15e7e5-3a77-4817-9bcc-f327cd777716"></maml:uri></maml:navigationLink></maml:para></maml:listItem>
<maml:listItem><maml:para><maml:navigationLink><maml:linkText>Set Up Automatic Certificate Enrollment</maml:linkText><maml:uri href="mshelp://windows/?id=1134786d-baae-47e7-ab30-286e21b180d2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section></maml:sections></maml:section></maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Troubleshooting Certificate Templates</maml:title><maml:introduction>
<maml:para>This section lists a few common issues you may encounter when using the Certificate Templates snap-in or working with certificate templates. For more information about troubleshooting and resolving problems with certificate templates, see Active Directory Certificate Services Troubleshooting (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=89215</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=89215"></maml:uri></maml:navigationLink>).</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>What problem are you having?</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_1"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificates are not being issued to clients</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_2"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificates are issued to subjects, but cryptographic operations with those certificates fail</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Domain controllers are not obtaining a domain controller certificate</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Clients are unable to obtain certificates via autoenrollment</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Names of certificate templates in the snap-in are inconsistent between views or windows</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_6"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>The certificate template is modified, but some certification authorities (CAs) still have the unmodified version</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_8"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there </maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895#BKMK_10"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section address="BKMK_1">
<maml:title>The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The certificate templates have not yet replicated to the certification authority (CA) that the computer is connected to. This replication is part of Active Directory replication.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Wait for the certificate templates to replicate and then reopen the Certificate Templates snap-in.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_2">
<maml:title>Certificates are not being issued to clients.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The issuing certificate used by the certification authority (CA) has a shorter remaining lifetime than the template overlap period configured for the requested certificate template. This means that the issued certificate would be immediately eligible for re-enrollment. Instead of issuing and continuously renewing this certificate, the certificate request is not processed.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Renew the issuing certificate used by the CA.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_3">
<maml:title>Certificates are issued to subjects, but cryptographic operations with those certificates fail.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The cryptographic service provider (CSP) does not match key usage settings or does not exist.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Confirm that you set the CSP in the template to one that supports the type of cryptographic operation that the certificate will be used for.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_4">
<maml:title>Domain controllers are not obtaining a domain controller certificate.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Autoenrollment has been disabled by using Group Policy settings for domain controllers. Domain controllers obtain their certificates through autoenrollment.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Enable autoenrollment for domain controllers.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The default Automatic Certificate Request setting for domain controllers has been removed from the Default Domain Controllers policy.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Create a new Automatic Certificate Request in the Default Domain Controllers policy for the Domain Controller certificate template.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_5">
<maml:title>Clients are unable to obtain certificates via autoenrollment.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: The security permissions on the certificate template do not allow the intended subjects to both enroll and autoenroll. Both permissions are required to enable autoenrollment.</maml:para>
</maml:listItem>

<maml:listItem>
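<maml:para><maml:phrase>Solution</maml:phrase>: Modify the discretionary access control list (DACL) on the certificate template to grant Read, Enroll, and Autoenroll permissions to the subjects that you want to autoenroll. Grant these permissions only to the groups that are meant to receive certificates from this template.</maml:para>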
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_6">
<maml:title>Names of certificate templates in the snap-in are inconsistent between views or windows.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Active Directory Sites and Services is being used to view the certificate templates. This snap-in may not provide as accurate a display as Certificate Templates. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Use the Certificate Templates snap-in to administer certificate templates.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_7">
<maml:title>The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Smart cards do not allow private keys to be exported once they are written to the smart card.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: None</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_8">
<maml:title>The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Certificate templates are replicated between CAs with the Active Directory replication process. Because this replication is not instantaneous, there may be a short delay before the new version of the template is available on all CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Wait until the modified template is replicated to all CAs. To display the certificate templates that are available on the CA, use the Certutil.exe command-line tool.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_9">
<maml:title>The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: Private keys will not be archived when the key usage for the certificate template is set to Signature. This is because digital signature usage requires that the key not be recoverable: if a copy of a signing key were archived, signatures could no longer be attributed solely to the subject.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: None</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section address="BKMK_10">
<maml:title>Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there.</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Cause</maml:phrase>: When using the smart card enrollment station on the administrator's computer to renew or change the certificate stored on the smart card, the certificate from the smart card is copied to the administrator's private certificate store. This certificate may be processed by autoenrollment and prompt you to begin the renewal process. </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Solution</maml:phrase>: Click <maml:ui>Start</maml:ui> to begin the autoenrollment renewal process. Because the certificate is not yours, the autoenrollment process will end after you click <maml:ui>Start</maml:ui>. If you want to remove the certificates from your Personal certificate store, they can be deleted manually.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Subject Names</maml:title><maml:introduction>
<maml:para>The holder of the private key associated with a certificate is known as the subject. This can be a user, a program, or virtually any object, computer, or service. </maml:para>

<maml:para>Because the subject name can vary greatly depending on who or what the subject is, some flexibility is needed when providing the subject name in the certificate request. Windows can build the subject name automatically from subject information stored in Active Directory Domain Services (AD DS) or the subject name can be supplied manually by the subject (for example, by using certificate enrollment Web pages to create and submit a certificate request). </maml:para>



<maml:para>Enterprise certification authorities (CAs) include the Certificate Templates snap-in to configure certificate templates. Use the <maml:ui>Subject Name</maml:ui> tab on the certificate template properties sheet to configure subject name options.</maml:para>









</maml:introduction><maml:content><maml:sections><maml:section><maml:title>Supply in the request</maml:title>
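<maml:introduction><maml:para>When the <maml:ui>Supply in the request</maml:ui> option is selected, the <maml:ui>Use subject information from existing certificates for autoenrollment renewal requests</maml:ui> option is available to simplify the task of adding the subject name to the certificate renewal request and to allow computer certificates to be renewed automatically. Subject information from existing certificates is not used for automatic renewal of user certificates. Because the requester, rather than AD DS, determines the subject name when <maml:ui>Supply in the request</maml:ui> is selected, limit Enroll permission on the template to trusted subjects and consider requiring CA certificate manager approval before certificates are issued.</maml:para>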

<maml:para>The <maml:ui>Use subject information from existing certificates for autoenrollment renewal requests</maml:ui> option causes the certificate enrollment client to read subject name and subject alternative name information from an existing computer certificate based on the same certificate template when creating renewal requests automatically or using the Certificates snap-in. This applies to computer certificates that are expired, revoked, or within their renewal period.</maml:para>

</maml:introduction></maml:section><maml:section><maml:title>Build from AD DS</maml:title><maml:introduction>
<maml:para>When the <maml:ui>Build from this Active Directory information</maml:ui> option is selected, the following additional options can be configured.</maml:para>

<maml:table><maml:title>Subject name format</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader><maml:row><maml:entry><maml:para><maml:ui>Common name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The CA creates the subject name from the common name (CN) obtained from AD DS. This should be unique within a domain but might not be unique within an enterprise.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Fully distinguished name (DN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The CA creates the subject name from the fully distinguished name obtained from AD DS. This ensures that the name is unique within an enterprise.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Include e-mail name in subject name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>If the E-mail name field is populated in the Active Directory user object, this e-mail name will be included with either the common name or fully distinguished name as part of the subject name.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>None</maml:ui></maml:para></maml:entry><maml:entry><maml:para>A name value is not required for this certificate.</maml:para></maml:entry></maml:row></maml:table>




<maml:table><maml:title>Include this information in alternate subject name</maml:title><maml:tableHeader><maml:row><maml:entry><maml:para>Setting</maml:para></maml:entry><maml:entry><maml:para>Description</maml:para></maml:entry></maml:row></maml:tableHeader>
<maml:row><maml:entry><maml:para><maml:ui>E-mail name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>If the E-mail name field is populated in the Active Directory user object, this e-mail name will be used.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>DNS name</maml:ui></maml:para></maml:entry><maml:entry><maml:para>This is the fully qualified domain name (FQDN) of the subject that requested the certificate. This is most frequently used in computer certificates.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>User principal name (UPN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The user principal name is part of the Active Directory user object and will be used.</maml:para></maml:entry></maml:row>
<maml:row><maml:entry><maml:para><maml:ui>Service principal name (SPN)</maml:ui></maml:para></maml:entry><maml:entry><maml:para>The service principal name is part of the Active Directory computer object and will be used.</maml:para></maml:entry></maml:row></maml:table>



</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Key Usage</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A certificate enables the subject to perform a specific task. To help control the usage of a certificate outside its intended purpose, restrictions are automatically placed on certificates. These restrictions can be applied by using the key usage extension.</maml:para>

<maml:para>Key usage is a restriction method that determines what a certificate can be used for. This allows the administrator to issue certificates that can only be used for specific tasks or certificates that can be used for a broad range of functions. Key usage descriptions include "Digital signature" and "Allow key exchange only with key encryption." </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To modify key usage</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Key Usage</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the key usage options that you want to add or remove, and then click <maml:ui>OK</maml:ui> twice.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Not all key usage options can be modified on all certificate templates.</maml:para>
</maml:alertSet>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>Certificate usage can also be managed by using the application policy extension. For more information, see <maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Deploying Certificate Templates</maml:title><maml:introduction>
<maml:para>When you create an enterprise certification authority (CA), certificate templates are stored in Active Directory Domain Services (AD DS) and can be made available to all enterprise CAs in the forest. This simplifies replication, security management, and the upgrade of certificate templates when a CA is upgraded to a more recent version of a Windows server operating system. Note that this requires the root domain's Domain Admins group to have Full Control permission on all certificate templates or for this permission to be granted to another user or group.</maml:para>

<maml:para>Once you have planned and created the appropriate certificate templates, they will be replicated automatically to all domain controllers in the enterprise. This replication normally takes approximately eight hours to complete. Because of this interval, you should create the certificate template and allow it to replicate before issuing certificates based on the certificate template to clients. This is best accomplished during an idle time in your environment. Configuring templates and using certificates before replication is completed can have unwanted effects.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Add a Certificate Template to a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=8a4b5b45-3723-4f22-a487-a52dd95d7a65"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Remove a Certificate Template from a Certification Authority</maml:linkText><maml:uri href="mshelp://windows/?id=f6d90c10-d921-4f70-8a02-f3e525efa7b3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Templates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Certificate templates can greatly simplify the task of administering a certification authority (CA) by allowing an administrator to issue certificates that have been preconfigured for selected tasks. The Certificate Templates snap-in allows an administrator to perform the following tasks:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para>View properties for each certificate template.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Copy and modify certificate templates.</maml:para>
</maml:listItem>

<maml:listItem><maml:para>Control which users and computers can read templates and enroll for certificates.</maml:para></maml:listItem>

<maml:listItem>
<maml:para>Perform other administrative tasks relating to certificate templates.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Concepts</maml:linkText><maml:uri href="mshelp://windows/?id=85e1436e-4c52-489a-93a2-6603f1abadf7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Troubleshooting Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Additional Resources for Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=8c050288-46c9-4991-a6ab-df3ef8de0535"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Rename a Certificate Template</maml:title><maml:introduction>
<maml:para>The names of custom certificate templates can be changed by an administrator. The names of default certificate templates cannot be changed. Use the <maml:ui>Change Names</maml:ui> dialog box to change the template name and the template display name.</maml:para>
<maml:para>The template name is the common name attribute of the certificate template object in Active Directory Domain Services (AD DS), and only that template object is updated when the template name is changed. If the modified template was previously published to issuing certification authorities (CAs) or added to a superseded templates list, then those actions must be repeated to maintain the consistency of the public key infrastructure (PKI) environment.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title>
<maml:introduction>
<maml:procedure><maml:title>To change a certificate template name</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>On the CA, open the Certificate Templates snap-in.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click the certificate template you want to modify. On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Change Names</maml:ui>.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>When a default certificate template is selected, <maml:ui>Change Names</maml:ui> is not displayed. The names of default certificate templates cannot be changed.</maml:para></maml:alertSet></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Type a new name in the <maml:ui>Template name</maml:ui> box or the <maml:ui>Template display name</maml:ui> box, or both.</maml:para></maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title><maml:para>Click <maml:ui>OK</maml:ui> to save changes.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
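<maml:alertSet class="important"><maml:title>Important </maml:title><maml:alert>Changes to the template name may require additional procedures: if the template was previously published to issuing CAs or added to a superseded templates list, repeat those actions for the renamed template.</maml:alert></maml:alertSet></maml:introduction>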
<maml:sections><maml:section><maml:title></maml:title><maml:introduction><maml:para><maml:phrase>Additional references</maml:phrase></maml:para>
<maml:list class="unordered"><maml:listItem><maml:para><maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink></maml:para></maml:listItem></maml:list></maml:introduction></maml:section></maml:sections></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Template Extensions</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A certification authority (CA) processes each certificate request by using a defined set of rules. Certificate templates can be customized with a number of extensions that regulate their use. These extensions can include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Issuance policies</maml:phrase>. An issuance policy (also known as an enrollment or certificate policy) is a group of administrative rules that are implemented when issuing certificates. They are represented in a certificate by an object identifier (also known as an OID) that is defined at the CA. This object identifier is included in the issued certificate. When a subject presents its certificate, it can be examined by the target to verify the issuance policy and determine if that level of issuance policy is sufficient to perform the requested action. For more information, see <maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Application policies</maml:phrase>. Application policies give you the important ability to decide which certificates can be used for certain purposes. This allows you to issue certificates widely without being concerned that they are misused for an unintended purpose. Application policies are sometimes called extended key usage or enhanced key usage. Because some implementations of public key infrastructure (PKI) applications cannot interpret application policies, both application policies and enhanced key usage sections appear in certificates issued by a Windows Server–based CA. For more information, see <maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Key usage</maml:phrase>. A certificate enables the subject to perform a specific task. To help control the usage of a certificate outside its intended purpose, restrictions are automatically placed on certificates. Key usage is a restriction method and determines what a certificate can be used for. This allows the administrator to issue certificates that can only be used for specific tasks or to issue certificates that can be used for a broad range of functions. For more information, see <maml:navigationLink><maml:linkText>Key Usage</maml:linkText><maml:uri href="mshelp://windows/?id=534a3eb2-05ea-470e-a4af-047927eabe14"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Key archival</maml:phrase>. When subjects lose their private keys, any information that was persistently encrypted with the corresponding public key is inaccessible. To help prevent this, key archival allows you to encrypt and archive a subject's keys in the CA database when certificates are issued. If a subject loses its keys, the information can be retrieved from the database and provided to the subject. This allows the encrypted information to be recovered instead of lost. For more information, see <maml:navigationLink><maml:linkText>Request Handling</maml:linkText><maml:uri href="mshelp://windows/?id=b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Basic constraints</maml:phrase>. Basic constraints are used to ensure that CA certificates are only used in certain applications. An example is the path length that can be specified as a basic constraint. A path length defines the number of CAs that are permitted below the current CA. This path length constraint ensures that CAs at the end of this path can only issue end-entity certificates, not CA certificates. For more information, see <maml:navigationLink><maml:linkText>Basic Constraints</maml:linkText><maml:uri href="mshelp://windows/?id=acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>OCSP No Revocation Checking</maml:phrase>. This extension appears only in the new OCSP Response Signing certificate template and duplicates derived from this template. It cannot be added to any other certificate templates. This extension instructs the CA to include the OCSP No Revocation Checking (id-pkix-ocsp-nocheck) extension in the issued certificate and not to include the authority information access and certificate revocation list (CRL) distribution point extensions in the certificate. This is because OCSP Response Signing certificates are not checked for revocation status. This extension only applies if the certificate request contains OCSP Response Signing in the enhanced key usage and application policies. </maml:para>
</maml:listItem>
</maml:list>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Key Usage</maml:linkText><maml:uri href="mshelp://windows/?id=534a3eb2-05ea-470e-a4af-047927eabe14"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Basic Constraints</maml:linkText><maml:uri href="mshelp://windows/?id=acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Make Issuance or Application Policy Critical</maml:linkText><maml:uri href="mshelp://windows/?id=3510bd12-b297-40ab-b1f8-af72de3531a9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Re-Enroll All Certificate Holders</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>This procedure is used when a critical change is made to the certificate template and you want all subjects that hold a certificate that is based on this template to re-enroll as quickly as possible. The next time the subject verifies the version of the certificate against the version of the template on the certification authority (CA), the subject will re-enroll.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To re-enroll all certificate holders</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the template that you want to use, and then click <maml:ui>Reenroll All Certificate Holders</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Connect to a Writable Domain Controller</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>If you have multiple domain controllers, not every certificate template may have been replicated to every domain controller, including read-only domain controllers. </maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Read-only domain controllers, introduced in Windows Server 2008, are domain controllers that host a read-only copy of the domain database. </maml:para>
</maml:alertSet>

<maml:para>You can, however, retrieve or modify certificate templates from a specific writable domain controller. </maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent for the domain, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To access certificate templates on a writable domain controller</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, right-click <maml:ui>Certificate Templates</maml:ui>, and then click <maml:ui>Connect to another writable domain controller</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Verify the domain name, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configure Certificate Publishing in Active Directory Domain Services</maml:linkText><maml:uri href="mshelp://windows/?id=96dd619c-78c6-4be5-930b-eef928720262"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Certificate Template Concepts</maml:title><maml:introduction>
<maml:para>Certificate templates are an integral part of an enterprise certification authority (CA). They are an important element of the certificate policy for an environment, which is the set of rules and formats for certificate enrollment, use, and management.</maml:para>

<maml:para>When a CA receives a request for a certificate, groups of rules and settings must be applied to that request to perform the requested function, such as certificate issuance or renewal. These rules can be simple or complex and may apply to all users or specific groups of users. Certificate templates are the sets of rules and settings that are configured on a CA to be applied against incoming certificate requests. Certificate templates also give instructions to the client on how to create and submit a valid certificate request.</maml:para>

<maml:para>Certificates based on a certificate template can only be issued by an enterprise CA. The templates are stored in Active Directory Domain Services (AD DS) for use by every CA in the forest. This allows the CA to always have access to the current standard template and ensures consistent application of the certificate policy across the forest.</maml:para>

<maml:para>Administrators of Windows Server 2008–based enterprise CAs can use a number of predefined certificate templates. For more information, see <maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Certificate templates introduced in Windows Server 2008, Windows Server 2003, and Windows 2000 have different levels of configurability. For more information, see <maml:navigationLink><maml:linkText>Certificate Template Versions</maml:linkText><maml:uri href="mshelp://windows/?id=3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Object Identifiers</maml:title><maml:introduction>
<maml:para>Object identifiers (also known as OIDs) are numbers that identify an object class or attribute. An object identifier is represented as a dotted decimal string, such as 1.2.3.4, with each dot representing a new branch in the hierarchy. </maml:para>

<maml:para>Object identifiers are organized into an industry-wide global hierarchy. Registration authorities issue root object identifiers to individuals or organizations, who manage the hierarchy below their root object identifier.</maml:para>

<maml:para>Object identifiers must be unique within an enterprise. </maml:para>

<maml:procedure><maml:title>To create a new object identifier</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Edit Application Policies Extension</maml:ui>, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Add Application Policy</maml:ui>, click <maml:ui>New</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the requested information.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Add a Certificate Template to a Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Before certificates can be issued by a certification authority (CA), the certificate template must be added to a CA.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To add a certificate template to a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in, and double-click the name of the CA. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click <maml:ui>Certificate Templates</maml:ui>, click <maml:ui>New</maml:ui>, and then click <maml:ui>Certificate Template to Issue</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the certificate template, and click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploying Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=5e47ee01-62f0-4033-8d21-c02b2bb32781"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Additional Resources for Certificate Templates</maml:title><maml:introduction>
<maml:para>For more information about certificate templates, see the following resources on the Microsoft Web site:</maml:para>

<maml:list class="unordered">
<maml:listItem><maml:para>Implementing and Administering Certificate Templates in Windows Server 2008 (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkID=92522</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkID=92522"></maml:uri></maml:navigationLink>)</maml:para></maml:listItem>
<maml:listItem>
<maml:para>Certificates Technical Reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=64035</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=64035"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate Services Technical Reference (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=64036</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=64036"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate Autoenrollment in Windows Server (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=64037</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=64037"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Windows Server Advanced Certificate Enrollment and Management (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=64038</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=64038"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>Certificate Key Archival and Management (<maml:navigationLink><maml:linkText>http://go.microsoft.com/fwlink/?LinkId=89551</maml:linkText><maml:uri href="http://go.microsoft.com/fwlink/?LinkId=89551"></maml:uri></maml:navigationLink>)</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Certificate Publishing in Active Directory Domain Services</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A Windows Server–based certification authority (CA) can add certificates that have been issued to Active Directory subjects to the appropriate Active Directory object. This allows other users of Active Directory Domain Services (AD DS) to easily locate and use the subject's certificate. There are two settings (located on the <maml:ui>General</maml:ui> tab of the certificate template's property sheet) that affect the way this feature works:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:ui>Publish certificate in Active Directory</maml:ui>. When a subject obtains a certificate based on this template, the issued certificate will be added to that subject's Active Directory object.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:ui>Do not automatically re-enroll if a duplicate certificate exists in Active Directory</maml:ui>. When the subject attempts to enroll for a certificate based on this template, computers running Windows XP or later will search for a duplicate certificate in AD DS. If one exists, autoenrollment will not submit a re-enrollment request. This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To configure certificate publishing in AD DS</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>General</maml:ui> tab, select the check box for the appropriate Active Directory setting, and then click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Modify an Issuance Policy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Certificates can be requested by any subject that has at least Read and Enroll permissions for the corresponding certificate template. In some cases, the administrator may want to place some restrictions on the process that occurs after a certificate request is made. This gives the administrator control of what certificates are issued and how the issuance process is implemented. This type of restriction is known as an issuance policy (also known as an enrollment or certificate policy). Issuance policies can require certificate manager approval, require multiple authorized signatures, and specify whether application and issuance policies should be implemented for this certificate. For more information, see <maml:navigationLink><maml:linkText>Application Policy</maml:linkText><maml:uri href="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To modify an issuance policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Issuance Requirements</maml:ui> tab.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the requested information.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Apply</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>This procedure is applicable to version 2 and version 3 certificate templates. For more information, see <maml:navigationLink><maml:linkText>Certificate Template Versions</maml:linkText><maml:uri href="mshelp://windows/?id=3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuance Requirements</maml:linkText><maml:uri href="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configuring a Certificate Template</maml:title><maml:introduction>
<maml:para>When you create a new certificate template, it is also possible to customize its general properties, extensions, and other important characteristics.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template General Properties</maml:linkText><maml:uri href="mshelp://windows/?id=194c4281-a5bf-4be1-9e4e-61f7b500066e"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Request Handling</maml:linkText><maml:uri href="mshelp://windows/?id=b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Cryptography</maml:linkText><maml:uri href="mshelp://windows/?id=0eb289d1-2df5-47d3-a2be-ba231daa9858"></maml:uri></maml:navigationLink> </maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Supersede Templates</maml:linkText><maml:uri href="mshelp://windows/?id=08bab27e-830a-4153-bf33-271dce69f99b"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Subject Names</maml:linkText><maml:uri href="mshelp://windows/?id=4a9be825-e97d-4b0c-8b7b-a1f74a816619"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Server</maml:linkText><maml:uri href="mshelp://windows/?id=1da52796-c5ad-439f-af38-9818e26fe356"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Basic Constraints</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Certification authorities (CAs) must have a certificate before they can issue certificates. They use the private key associated with this certificate to digitally sign issued certificates. When a CA obtains a certificate from another CA, the parent CA may want to control whether that certificate can be used to issue certificates to other certificate servers. This is a basic constraint.</maml:para>

<maml:para>Basic constraints are used to ensure that a certificate is only used in certain applications. An example is the path length that can be specified as a basic constraint. </maml:para>

<maml:para>The following procedure works only with certificate templates for certificates that are used to sign other certificates, such as the templates for cross-certified CAs and root CAs.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To change basic constraints</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Basic Constraints</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Edit Basic Constraints Extension</maml:ui>, provide the requested information.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>This procedure is applicable to version 2 and version 3 templates. For more information, see <maml:navigationLink><maml:linkText>Certificate Template Versions</maml:linkText><maml:uri href="mshelp://windows/?id=3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed"></maml:uri></maml:navigationLink>.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>

<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Request Handling</maml:title><maml:introduction>
<maml:para>The <maml:ui>Request Handling</maml:ui> tab defines the purpose of a certificate template, the supported cryptographic service providers (CSPs), minimum key length, exportability, autoenrollment settings, and whether strong private key protection should be required.</maml:para>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Certificate purpose</maml:title><maml:introduction>
<maml:para>The certificate purpose defines the intended primary use of the certificate and can be one of four settings as described in the following table. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Encryption</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Contains cryptographic keys for encryption and decryption.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Signature</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Contains cryptographic keys for signing data only.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Signature and encryption</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>Covers all primary uses of a certificate's cryptographic key, including encryption of data, decryption of data, initial logon, or digitally signing data.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Signature and smart card logon</maml:ui> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows initial logon with a smart card and digital signing of data; it cannot be used for data encryption.</maml:para>
</maml:entry></maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Key archival is only possible if the certificate purpose is set to <maml:ui>Encryption</maml:ui> or <maml:ui>Signature and encryption</maml:ui>. </maml:para>
</maml:alertSet>
</maml:introduction></maml:section><maml:section>
<maml:title>Archive settings</maml:title><maml:introduction>
<maml:para>Certification authorities (CAs) can archive a subject's keys in their databases when certificates are issued. If subjects lose their keys, the information can be retrieved from the database and securely provided to the subjects. </maml:para>

<maml:para>The key archival settings in the following table are defined in the <maml:ui>Request Handling</maml:ui> tab.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Archive subject's encryption private key</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If the issuing CA is configured for key archival, the subject's private key will be archived.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Allow private key to be exported</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>The subject's private key can be exported to a file for backup or transfer to another computer.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Deleting revoked or expired certificates (do not archive)</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>If a certificate is renewed due to expiration or revocation, the previously issued certificate is removed from the subject's certificate store. By default, this option is not enabled and the certificate is archived.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Include symmetric algorithms allowed by the subject</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>When the subject requests the certificate, a list of supported symmetric algorithms can be supplied by the subject. This option allows the issuing CA to include those algorithms in the certificate, even if they are not recognized or supported by that server. </maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>User input settings</maml:title><maml:introduction>
<maml:para>The <maml:ui>Request Handling</maml:ui> tab also allows several user input settings described in this table to be defined for a certificate template. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Enroll subject without requiring any user input</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This option allows autoenrollment without any user interaction and is the default setting for both computer and user certificates. </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Prompt the user during enrollment</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>When this option is enabled, the user is prompted during enrollment. When it is disabled, users do not have to provide any input for the installation of a certificate based on the certificate template.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Prompt the user during enrollment and require user input when the private key is used</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This option enables the user to set a strong private key protection password on the user's private key when the key is generated and requires the user to use it whenever the certificate and private key are used. </maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction></maml:section><maml:section>
<maml:title>Other version 3 request handling settings</maml:title><maml:introduction>
<maml:para>The <maml:ui>Request Handling</maml:ui> tab for version 3 certificate templates has been updated to provide support for the new options available on the <maml:ui>Cryptography</maml:ui> tab, along with other changes. The options are listed in the following table.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Use advanced Symmetric algorithm to send the key to the CA</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This option allows the administrator to choose the Advanced Encryption Standard (AES) algorithm to encrypt private keys while they are transferred to the CA for key archival. If this option is selected, the client will use AES-256 symmetric encryption (along with the CA's exchange certificate for asymmetric encryption) to send the private key to the CA for archival. If this option is not selected, the 3DES symmetric algorithm is used. Because key archival is intended for encryption keys (not signing keys), this option is enabled only when the certificate purpose is set to <maml:ui>Encryption</maml:ui>.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Authorize additional service accounts to access the private key</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This option allows a custom access control list (ACL) to be defined on the private keys of computer certificates based on any version 3 computer certificate template except the root CA, subordinate CA, or cross-CA templates. A custom ACL is necessary only when a service account that requires access to the private key is not included in the default permissions. The default permissions applied to the private key by the Microsoft certificate enrollment client and software key storage provider include Full Control permission for the Administrators group and the Local System account. Non-Microsoft providers may apply different default permissions and may not support custom ACLs defined by using this option. Refer to your provider's documentation for more information.</maml:para><maml:alertSet class="note"><maml:title>Note </maml:title><maml:para>This option has replaced the <maml:ui>Add Read permissions to Network Service on the private key</maml:ui> option. In Windows Server 2008 R2, the default permissions applied to the private key of OCSP Response Signing certificates include Read permission for Online Responder service account and Full Control permission for the Administrators group and the Local System account.</maml:para></maml:alertSet></maml:entry>
</maml:row>
</maml:table>
<maml:para><br xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" /></maml:para>
<maml:para>For more information about options associated with version 3 certificate templates, see <maml:navigationLink><maml:linkText>Cryptography</maml:linkText><maml:uri href="mshelp://windows/?id=0eb289d1-2df5-47d3-a2be-ba231daa9858"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Other version 2 request handling settings</maml:title><maml:introduction>
<maml:para>In addition to key archival settings, you can define general options that affect all certificates based on version 2 certificate templates. The options are listed in the following table. </maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Setting</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Minimum key size</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This specifies the minimum size, in bits, of the key that will be generated for this certificate.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para><maml:ui>Cryptographic service providers</maml:ui></maml:para>
</maml:entry>
<maml:entry>
<maml:para>This is a list of cryptographic service providers (CSPs) that will be used to enroll certificates for the given template. Selecting one or more CSPs configures the certificate to only work with those CSPs. The CSP must be installed on the client computer for the CSP to be used during enrollment. If a specific CSP is chosen and not available on a client computer, enrollment will fail.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Application Policy</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>Application policies give you the important ability to decide which certificates can be used for certain purposes. This allows you to issue certificates widely without being concerned that they are used for an unintended purpose, provided that the applications that receive the certificates verify the application policy.</maml:para>

<maml:para>Application policies are settings that inform a target that the subject holds a certificate that can be used to perform a specific task. They are represented in a certificate by an object identifier (also known as an OID) that is defined for a given application. This object identifier is included in the issued certificate. When a subject presents its certificate, the certificate can be examined by the certificate recipient to verify the application policy and determine if the subject can perform the requested action.</maml:para>

<maml:para>Application policies are sometimes called extended key usage or enhanced key usage. Because some implementations of public key infrastructure (PKI) applications cannot interpret application policies, both application policies and enhanced key usage sections appear in certificates issued by a Windows Server–based certification authority (CA). The following table lists some commonly used application policies.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Purpose</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Object Identifier</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Client Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.5.5.7.3.2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CA Encryption Certificate</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.21.5</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Smart Card Logon</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.20.2.2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Document Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.12</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>File Recovery</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.4.1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Key Recovery</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.11</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Microsoft Trust List Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Qualified Subordination</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.10</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Root List Signer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1.3.6.1.4.1.311.10.3.9</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>The ability to modify or create new application policies is only available with version 2 and version 3 certificate templates. For more information, see <maml:navigationLink><maml:linkText>Default Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Clients must be re-enrolled to receive a certificate based on a modified template if they already have a valid certificate based on the previous template. For more information about re-enrolling clients, see <maml:navigationLink><maml:linkText>Re-Enroll All Certificate Holders</maml:linkText><maml:uri href="mshelp://windows/?id=6d7cdf83-35a0-446a-aaaf-4f48dff43379"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To add an application policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Edit Application Policies Extension</maml:ui>, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Add Application Policy</maml:ui>, click the application policy that you want to add, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>The application policy that you want may not be available. In this case, you can create a new application policy.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure.  For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To create an application policy</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to change, and then click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Extensions</maml:ui> tab, click <maml:ui>Application Policies</maml:ui>, and then click <maml:ui>Edit</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Edit Application Policies Extension</maml:ui>, click <maml:ui>Add</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In <maml:ui>Add Application Policy</maml:ui>, click <maml:ui>New</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Provide the requested information.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Extensions</maml:linkText><maml:uri href="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Make Issuance or Application Policy Critical</maml:linkText><maml:uri href="mshelp://windows/?id=3510bd12-b297-40ab-b1f8-af72de3531a9"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Delete a Certificate Template</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>You can delete a certificate template when you no longer want it to be available for use. When you delete a certificate template, certificates based on the template can no longer be issued. If you are using enterprise certification authorities (CAs), this will affect all CAs in a forest. Certificate templates cannot be recovered once they are deleted.</maml:para>

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To delete a certificate template</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certificate Templates snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the template you want to delete, and then click <maml:ui>Delete</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Yes</maml:ui> to confirm that you want to delete the template.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Install the Certificate Templates Snap-In</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>The Certificate Templates snap-in allows you to view and manage critical information about all the certificate templates in a domain. </maml:para>

<maml:para>Important fields in the Certificate Templates snap-in include:</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:phrase>Template Display Name</maml:phrase>. This field describes the purpose of the certificate. When an organization creates a custom certificate template, it may be useful to use a naming convention that helps administrators identify the certification authority (CA) or portion of the organization associated with the template.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Minimum Supported CAs</maml:phrase>. The configurable options in Windows-based certificate templates differ based on the operating system version. Therefore, not all certificate templates are supported by all Windows Server–based CAs.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:phrase>Version</maml:phrase>. If certificate template configurations evolve over time, the ability to track version information becomes important for compatibility and support.</maml:para>
</maml:listItem>
</maml:list>

<maml:para>You must be a local administrator to install the Certificate Templates snap-in and a member of <maml:phrase>Domain Admins</maml:phrase> to use the Certificate Templates snap-in. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To install the Certificate Templates snap-in</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, click <maml:ui>Run</maml:ui>, and then type <maml:userInput>mmc</maml:userInput>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Add and Remove Snap-ins</maml:ui> dialog box, double-click the <maml:ui>Certificate Templates</maml:ui> snap-in to add it to the list. Click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>By default, the Certificate Templates snap-in is installed automatically when a CA is installed on a server. The Certificate Templates snap-in can be installed on a different server by using Server Manager to install Active Directory Certificate Services (AD CS) tools. </maml:para>

<maml:para>You must be a local administrator to install Remote Server Administration Tools. You must be a member of <maml:phrase>Domain Admins</maml:phrase> to access and administer certificate templates for a domain. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To administer certificate templates from a remote server</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open Server Manager.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Under <maml:ui>Features Summary</maml:ui>, click <maml:ui>Add Features</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Expand <maml:ui>Remote Server Administration Tools</maml:ui> and <maml:ui>Role Administration Tools</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Select the <maml:ui>Active Directory Certificate Services</maml:ui> check box, click <maml:ui>Next</maml:ui>, and then click <maml:ui>Install</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>When the installation process is finished, click <maml:ui>Close</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click <maml:ui>Start</maml:ui>, type <maml:userInput>mmc</maml:userInput>, and press ENTER.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>File</maml:ui> menu, click <maml:ui>Add/Remove Snap-in</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Certificate Templates</maml:ui> snap-in, click <maml:ui>Add</maml:ui>, verify that the domain controller hosting the certificate templates you want to manage is selected, and then click <maml:ui>OK</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>

<maml:para>You can use the Certificate Templates snap-in to manage certificate templates in a different domain.</maml:para>

<maml:para>You must be a domain or enterprise administrator for the other domain to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To manage certificate templates in a different domain</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Right-click the <maml:ui>Certificate Templates</maml:ui> snap-in, and click <maml:ui>Connect to another writable domain controller</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>To type the name of a different domain, click <maml:ui>Change</maml:ui>. To select a different domain controller for the existing domain, click <maml:ui>Select a Writable Domain Controller</maml:ui>. </maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>If you have previously selected an alternate domain controller, you can revert to the original domain controller by clicking <maml:ui>Default Writable Domain Controller</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Managing Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Implement Role-Based Administration</maml:title><maml:introduction>
<maml:para>You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user's security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user who has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.</maml:para>


<maml:para>The following table describes the roles, users, and groups that can be used to implement role-based administration. To assign a role to a user or group, you must assign the role's corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Roles and groups</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Security permission</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>CA administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Manage CA </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Certificate manager</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Issue and Manage Certificates </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Backup operator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Back up files and directories </maml:para>

<maml:para>Restore files and directories </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Perform system backup and recovery. Backup is an operating system feature.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Auditor</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Manage auditing and security log </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enrollees</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Read</maml:para>

<maml:para>Enroll</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role.</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>All CA roles are assigned and modified by members of local <maml:phrase>Administrators</maml:phrase>, <maml:phrase>Enterprise Admins</maml:phrase>, or <maml:phrase>Domain Admins</maml:phrase>. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA. If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.</maml:para>

<maml:para>The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.</maml:para>

<maml:para>Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.</maml:para>

<maml:para>Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user's security permissions, group membership, or user rights.</maml:para>

<maml:procedure><maml:title>To set CA administrator and certificate manager security permissions for a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click the name of the CA.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>On the <maml:ui>Action</maml:ui> menu, click <maml:ui>Properties</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Click the <maml:ui>Security</maml:ui> tab, and specify the security permissions.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction><maml:content><maml:sections><maml:section>
<maml:title>Roles and activities</maml:title><maml:introduction>
<maml:para>Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Activity</maml:para>
</maml:entry>
<maml:entry>
<maml:para>CA administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Certificate manager</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Auditor</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Backup operator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Local administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Notes</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Install CAs</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure policy and exit modules</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Stop and start the Active Directory Certificate Services (AD CS) service</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure extensions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure roles</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Renew CA keys</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Define key recovery agents</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure certificate manager restrictions</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delete a single row in the CA database</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Delete multiple rows in the CA database (bulk deletion)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>The user must be both a CA administrator and a certificate manager. This activity cannot be performed when role separation is enforced.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enable role separation</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Issue and approve certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Deny certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Revoke certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Reactivate certificates that are placed on hold</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Renew certificates</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enable, publish, or configure certificate revocation list (CRL) schedules</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Recover archived keys</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Only a certificate manager can retrieve the encrypted key data structure from the CA database. The private key of a valid key recovery agent is required to decrypt the key data structure and generate a PKCS #12 file.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Configure audit parameters</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Audit logs</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Back up the system</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system backup</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Restore the system</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system backup</maml:phrase> user right.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Read the CA database</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> and <maml:phrase>system backup</maml:phrase> user rights.</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Read CA configuration information</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para>X</maml:para>
</maml:entry>
<maml:entry>
<maml:para> </maml:para>
</maml:entry>
<maml:entry>
<maml:para>By default, the local administrator holds the <maml:phrase>system audit</maml:phrase> and <maml:phrase>system backup</maml:phrase> user rights.</maml:para>
</maml:entry></maml:row>
</maml:table>
</maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional considerations</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para>Enrollees are allowed to read CA properties and CRLs, and they can request certificates. On an enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. CA administrators, certificate managers, auditors, and backup operators have implicit Read permissions.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>An auditor holds the <maml:phrase>system audit</maml:phrase> user right.</maml:para>
</maml:listItem>

<maml:listItem>
<maml:para>A backup operator holds the <maml:phrase>system backup</maml:phrase> user right. In addition, the backup operator has the ability to start and stop the Active Directory Certificate Services (AD CS) service.</maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section><maml:section address="assign_RBA_roles">
<maml:title>Assigning roles</maml:title><maml:introduction>
<maml:para>The CA administrator for a CA assigns users to the separate roles of role-based administration by applying the security settings required by a role to the user's account. The CA administrator can assign a user to more than one role, but the CA is more secure when each user is assigned to only one role. When this delegation strategy is used, fewer CA tasks can be compromised if a user's account becomes compromised.</maml:para>
</maml:introduction></maml:section><maml:section>
<maml:title>Administrator concerns</maml:title><maml:introduction>
<maml:para>The default installation setting for a stand-alone CA is to have members of the local <maml:phrase>Administrators</maml:phrase> group as CA administrators. The default installation setting for an enterprise CA is to have members of the local <maml:phrase>Administrators</maml:phrase>, <maml:phrase>Enterprise Admins</maml:phrase>, and <maml:phrase>Domain Admins</maml:phrase> groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.</maml:para>

<maml:para>As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local <maml:phrase>Administrators</maml:phrase> group. Also, CA roles should be assigned only to group accounts, not to individual user accounts.</maml:para>

<maml:alertSet class="note"><maml:title>Note </maml:title>
<maml:para>Membership in the local <maml:phrase>Administrators</maml:phrase> group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles.</maml:para>
</maml:alertSet>
</maml:introduction></maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Configure Certificate Enrollment</maml:title><maml:introduction>
<maml:para>Active Directory Certificate Services (AD CS) supports a variety of enrollment and renewal methods, such as the Certificate Request Wizard and AD CS Web enrollment. However, if you deploy non-Microsoft certification authorities or custom certificate enrollment and renewal applications, you must perform any configuration required for those services and applications.</maml:para>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Default Certificate Templates</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
<maml:para>A number of preconfigured certificate templates that are designed to meet the needs of most organizations are included with Windows Server 2008–based enterprise certification authorities (CAs). These templates are described in the following table.</maml:para>

<maml:table>
<maml:tableHeader>
<maml:row>
<maml:entry>
<maml:para>Name</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Description</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Key usage</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Subject type</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Published to Active Directory Domain Services (AD DS)?</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Template version</maml:para>
</maml:entry></maml:row>
</maml:tableHeader>

<maml:row>
<maml:entry>
<maml:para>Administrator</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows trust list signing and user authentication.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Authenticated Session</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the subject to authenticate to a Web server.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Basic EFS</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by Encrypting File System (EFS) to encrypt data.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CA Exchange</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to store keys that are configured for private key archival.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>CEP Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the certificate holder to act as a registration authority for Simple Certificate Enrollment Protocol (SCEP) requests.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Code Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to digitally sign software.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows a computer to authenticate itself on the network.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Cross-Certification Authority</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used for cross-certification and qualified subordination. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Cross-certified CA</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Directory E-mail Replication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to replicate e-mail within AD DS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Domain Controller</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by domain controllers as all-purpose certificates.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Domain Controller Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to authenticate Active Directory computers and users.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>EFS Recovery Agent</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the subject to decrypt files that were previously encrypted with EFS.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enrollment Agent</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to request certificates on behalf of another subject.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Enrollment Agent (Computer)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to request certificates on behalf of another computer subject.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Exchange Enrollment Agent (Offline request)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to request certificates on behalf of another subject and supply the subject name in the request.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Exchange Signature Only</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Exchange User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by the Microsoft Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>IPSEC</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by Internet Protocol security (IPsec) to digitally sign, encrypt, and decrypt network communication.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>IPSEC (Offline request)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by IPsec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Kerberos Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to authenticate Active Directory computers and users.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Key Recovery Agent</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Recovers private keys that are archived on the CA. </maml:para>
</maml:entry>
<maml:entry>
<maml:para>Encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Key recovery agent</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>OCSP Response Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by an Online Responder to sign responses to certificate status requests.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>3</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>RAS and IAS Server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enables remote access servers and Internet Authentication Service (IAS) servers to authenticate their identity to other computers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Root Certification Authority</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to prove the identity of the root CA.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>CA</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Router (Offline request)</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by a router when requested through a SCEP request from a CA that holds a CEP Encryption certificate.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Smartcard Logon</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the holder to authenticate by using a smart card.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Smartcard User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the holder to authenticate and protect e-mail by using a smart card.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Subordinate Certification Authority</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used to prove the identity of the subordinate CA. It is issued by the parent or root CA.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>CA</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Trust List Signing</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows the holder to digitally sign a trust list.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Used by users for e-mail, EFS, and client authentication.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Yes</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>User Signature Only</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Allows users to digitally sign data.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature</maml:para>
</maml:entry>
<maml:entry>
<maml:para>User</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Web Server</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Proves the identity of a Web server.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>1</maml:para>
</maml:entry></maml:row>

<maml:row>
<maml:entry>
<maml:para>Workstation Authentication</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Enables client computers to authenticate their identity to servers.</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Signature and encryption</maml:para>
</maml:entry>
<maml:entry>
<maml:para>Computer</maml:para>
</maml:entry>
<maml:entry>
<maml:para>No</maml:para>
</maml:entry>
<maml:entry>
<maml:para>2</maml:para>
</maml:entry></maml:row>
</maml:table>

<maml:para>When you duplicate a version 1 or version 2 certificate template, you can make the duplicate a version 2 or version 3 template in order to configure the advanced options available with the later versions. However, version 3 certificate templates can only be issued by Windows Server 2008–based enterprise CAs and used by clients on computers running Windows Server 2008 or Windows Vista. For more information, see <maml:navigationLink><maml:linkText>Certificate Template Versions</maml:linkText><maml:uri href="mshelp://windows/?id=3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed"></maml:uri></maml:navigationLink>.</maml:para>

<maml:para>For information about configuration options for certificate templates, see <maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink>.</maml:para>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Certificate Template Concepts</maml:linkText><maml:uri href="mshelp://windows/?id=85e1436e-4c52-489a-93a2-6603f1abadf7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Remove a Certificate Template from a Certification Authority</maml:title><maml:introduction></maml:introduction><maml:content><maml:sections><maml:section><maml:title></maml:title><maml:introduction>
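<maml:para>At times it may be necessary to remove a certificate template from a certification authority (CA), for example to avoid confusion when a newer version of the certificate template is being added. Removing a template from a CA only stops that CA from issuing new certificates based on the template; certificates that were already issued from it remain valid until they expire or are revoked.</maml:para>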

<maml:para>Membership in <maml:phrase>Domain Admins</maml:phrase> or <maml:phrase>Enterprise Admins</maml:phrase>, or equivalent, is the minimum required to complete this procedure. For more information, see <maml:navigationLink><maml:linkText>Implement Role-Based Administration</maml:linkText><maml:uri href="mshelp://windows/?id=c651f8cf-5c84-42c0-9a61-37e0000e6989"></maml:uri></maml:navigationLink>.</maml:para>

<maml:procedure><maml:title>To remove a certificate template from a CA</maml:title><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>Open the Certification Authority snap-in.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the console tree, click <maml:ui>Certificate Templates</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step><maml:step><maml:sections><maml:section><maml:title></maml:title>
<maml:para>In the details pane, right-click the certificate template that you want to delete, and then click <maml:ui>Delete</maml:ui>.</maml:para>
</maml:section></maml:sections></maml:step></maml:procedure>
</maml:introduction>
<maml:sections>
<maml:section><maml:title></maml:title><maml:introduction></maml:introduction>
<maml:sections>
<maml:section>
<maml:title>Additional references</maml:title><maml:introduction>
<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Deploying Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=5e47ee01-62f0-4033-8d21-c02b2bb32781"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction></maml:section>
</maml:sections>
</maml:section>
</maml:sections>
</maml:section></maml:sections></maml:content></maml:conceptual><maml:conceptual contentType="conceptual" xmlns:maml="http://schemas.microsoft.com/maml/2004/10" xmlns:dev="http://schemas.microsoft.com/maml/dev/2004/10"><maml:title>Managing Certificate Templates</maml:title><maml:introduction>
<maml:para>The topics in this section describe how to complete the following basic certificate template management tasks.</maml:para>

<maml:list class="unordered">
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Install the Certificate Templates Snap-In</maml:linkText><maml:uri href="mshelp://windows/?id=c3077a44-da11-4b06-a2dc-599c7251f6e3"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Connect to a Writable Domain Controller</maml:linkText><maml:uri href="mshelp://windows/?id=831d299b-4f8f-4d9c-9d43-15c6b6cc93ea"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Upgrade Existing Templates</maml:linkText><maml:uri href="mshelp://windows/?id=39b97b49-7fea-4d13-a031-749165f26783"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Create a New Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=1b15e7e5-3a77-4817-9bcc-f327cd777716"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Delete a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=bdcffb35-6560-4cf6-8cb8-8281910dabb4"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Rename a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=6269c006-a8c8-409b-922b-3c3ba0e20bb7"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Configuring a Certificate Template</maml:linkText><maml:uri href="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>

<maml:listItem>
<maml:para><maml:navigationLink><maml:linkText>Issuing Certificates Based on Certificate Templates</maml:linkText><maml:uri href="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13"></maml:uri></maml:navigationLink></maml:para>
</maml:listItem>
</maml:list>
</maml:introduction><maml:content><maml:sections></maml:sections></maml:content></maml:conceptual><?xml version="1.0" encoding="utf-8"?>
<HelpCollection Id="certtmpl" DTDVersion="1.0" FileVersion="" LangId="1033" Copyright="© 2005 Microsoft Corporation. All rights reserved." Title="Certificate Templates" xmlns="http://schemas.microsoft.com/help/collection/2004/11">
	<CompilerOptions CompileResult="H1S" CreateFullTextIndex="Yes" BreakerId="Microsoft.NLG.en.WordBreaker">
		<IncludeFile File="certtmpl.H1F" />
	</CompilerOptions>
	<TOCDef File="certtmpl.H1T" Id="certtmpl_TOC" />
	<VTopicDef File="certtmpl.H1V" />
	<KeywordIndexDef File="certtmpl_AssetId.H1K" />
	<KeywordIndexDef File="certtmpl_BestBet.H1K" />
	<KeywordIndexDef File="certtmpl_LinkTerm.H1K" />
	<KeywordIndexDef File="certtmpl_SubjectTerm.H1K" />
	<ItemMoniker Name="!DefaultTOC" ProgId="HxDs.HxHierarchy" InitData="AnyString" />
	<ItemMoniker Name="!DefaultFullTextSearch" ProgId="HxDs.HxFullTextSearch" InitData="AnyString" />
	<ItemMoniker Name="!DefaultAssetIdIndex" ProgId="HxDs.HxIndex" InitData="AssetId" />
	<ItemMoniker Name="!DefaultBestBetIndex" ProgId="HxDs.HxIndex" InitData="BestBet" />
	<ItemMoniker Name="!DefaultAssociativeIndex" ProgId="HxDs.HxIndex" InitData="LinkTerm" />
	<ItemMoniker Name="!DefaultKeywordIndex" ProgId="HxDs.HxIndex" InitData="SubjectTerm" />
</HelpCollection><?xml version="1.0" encoding="utf-8"?>
<HelpFileList xmlns="http://schemas.microsoft.com/help/filelist/2004/11">
	<File Url="assets\0749af8d-c195-49b8-96f6-3a9a6568b520.xml" />
	<File Url="assets\08bab27e-830a-4153-bf33-271dce69f99b.xml" />
	<File Url="assets\0acbd7fe-62b1-4aba-9cef-351e56075434.xml" />
	<File Url="assets\0eb289d1-2df5-47d3-a2be-ba231daa9858.xml" />
	<File Url="assets\1134786d-baae-47e7-ab30-286e21b180d2.xml" />
	<File Url="assets\194c4281-a5bf-4be1-9e4e-61f7b500066e.xml" />
	<File Url="assets\1b15e7e5-3a77-4817-9bcc-f327cd777716.xml" />
	<File Url="assets\1da52796-c5ad-439f-af38-9818e26fe356.xml" />
	<File Url="assets\1ddf06ed-615d-4e24-ba43-468fb0da6c13.xml" />
	<File Url="assets\3510bd12-b297-40ab-b1f8-af72de3531a9.xml" />
	<File Url="assets\39b97b49-7fea-4d13-a031-749165f26783.xml" />
	<File Url="assets\3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed.xml" />
	<File Url="assets\461a7e73-4910-4108-81c3-4a21a3c9a895.xml" />
	<File Url="assets\4a9be825-e97d-4b0c-8b7b-a1f74a816619.xml" />
	<File Url="assets\534a3eb2-05ea-470e-a4af-047927eabe14.xml" />
	<File Url="assets\5e47ee01-62f0-4033-8d21-c02b2bb32781.xml" />
	<File Url="assets\625a2bc3-73c5-4084-b78d-c37ac00f96ae.xml" />
	<File Url="assets\6269c006-a8c8-409b-922b-3c3ba0e20bb7.xml" />
	<File Url="assets\646333b2-67c9-4e22-8cbc-be44a5e4bcc5.xml" />
	<File Url="assets\6d7cdf83-35a0-446a-aaaf-4f48dff43379.xml" />
	<File Url="assets\831d299b-4f8f-4d9c-9d43-15c6b6cc93ea.xml" />
	<File Url="assets\85e1436e-4c52-489a-93a2-6603f1abadf7.xml" />
	<File Url="assets\8a274218-b04e-4b50-b966-e050f6a4c04c.xml" />
	<File Url="assets\8a4b5b45-3723-4f22-a487-a52dd95d7a65.xml" />
	<File Url="assets\8c050288-46c9-4991-a6ab-df3ef8de0535.xml" />
	<File Url="assets\96dd619c-78c6-4be5-930b-eef928720262.xml" />
	<File Url="assets\9b9063e6-0cb3-40ce-9217-cfa19426c6b0.xml" />
	<File Url="assets\a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612.xml" />
	<File Url="assets\acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b.xml" />
	<File Url="assets\b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415.xml" />
	<File Url="assets\b493c46c-97d8-4dac-9144-33648f3499cb.xml" />
	<File Url="assets\bdcffb35-6560-4cf6-8cb8-8281910dabb4.xml" />
	<File Url="assets\c3077a44-da11-4b06-a2dc-599c7251f6e3.xml" />
	<File Url="assets\c651f8cf-5c84-42c0-9a61-37e0000e6989.xml" />
	<File Url="assets\e236f324-c343-4efa-8728-aa97626a452c.xml" />
	<File Url="assets\e6868771-654b-44fd-9853-7cbdd9174f47.xml" />
	<File Url="assets\f6d90c10-d921-4f70-8a02-f3e525efa7b3.xml" />
	<File Url="assets\fabc1c44-f2a2-43e1-b52e-9b12a1f19a33.xml" />
</HelpFileList><?xml version="1.0" encoding="utf-8"?>
<VTopicSet DTDVersion="1.0" xmlns="http://schemas.microsoft.com/help/vtopic/2004/11">
	<Vtopic Url="assets\0749af8d-c195-49b8-96f6-3a9a6568b520.xml" RLTitle="Allow Subjects to Request a Certificate Based on a Template">
		<Attr Name="assetid" Value="0749af8d-c195-49b8-96f6-3a9a6568b520" />
		<Keyword Index="AssetId" Term="0749af8d-c195-49b8-96f6-3a9a6568b520" />
		<Keyword Index="AssetId" Term="0749af8d-c195-49b8-96f6-3a9a6568b5201033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0749af8d-c195-49b8-96f6-3a9a6568b520" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\08bab27e-830a-4153-bf33-271dce69f99b.xml" RLTitle="Supersede Templates">
		<Attr Name="assetid" Value="08bab27e-830a-4153-bf33-271dce69f99b" />
		<Keyword Index="AssetId" Term="08bab27e-830a-4153-bf33-271dce69f99b" />
		<Keyword Index="AssetId" Term="08bab27e-830a-4153-bf33-271dce69f99b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="08bab27e-830a-4153-bf33-271dce69f99b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0acbd7fe-62b1-4aba-9cef-351e56075434.xml" RLTitle="Issuance Requirements">
		<Attr Name="assetid" Value="0acbd7fe-62b1-4aba-9cef-351e56075434" />
		<Keyword Index="AssetId" Term="0acbd7fe-62b1-4aba-9cef-351e56075434" />
		<Keyword Index="AssetId" Term="0acbd7fe-62b1-4aba-9cef-351e560754341033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0acbd7fe-62b1-4aba-9cef-351e56075434" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\0eb289d1-2df5-47d3-a2be-ba231daa9858.xml" RLTitle="Cryptography">
		<Attr Name="assetid" Value="0eb289d1-2df5-47d3-a2be-ba231daa9858" />
		<Keyword Index="AssetId" Term="0eb289d1-2df5-47d3-a2be-ba231daa9858" />
		<Keyword Index="AssetId" Term="0eb289d1-2df5-47d3-a2be-ba231daa98581033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="0eb289d1-2df5-47d3-a2be-ba231daa9858" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1134786d-baae-47e7-ab30-286e21b180d2.xml" RLTitle="Set Up Automatic Certificate Enrollment">
		<Attr Name="assetid" Value="1134786d-baae-47e7-ab30-286e21b180d2" />
		<Keyword Index="AssetId" Term="1134786d-baae-47e7-ab30-286e21b180d2" />
		<Keyword Index="AssetId" Term="1134786d-baae-47e7-ab30-286e21b180d21033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1134786d-baae-47e7-ab30-286e21b180d2" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\194c4281-a5bf-4be1-9e4e-61f7b500066e.xml" RLTitle="Certificate Template General Properties">
		<Attr Name="assetid" Value="194c4281-a5bf-4be1-9e4e-61f7b500066e" />
		<Keyword Index="AssetId" Term="194c4281-a5bf-4be1-9e4e-61f7b500066e" />
		<Keyword Index="AssetId" Term="194c4281-a5bf-4be1-9e4e-61f7b500066e1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="194c4281-a5bf-4be1-9e4e-61f7b500066e" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1b15e7e5-3a77-4817-9bcc-f327cd777716.xml" RLTitle="Create a New Certificate Template">
		<Attr Name="assetid" Value="1b15e7e5-3a77-4817-9bcc-f327cd777716" />
		<Keyword Index="AssetId" Term="1b15e7e5-3a77-4817-9bcc-f327cd777716" />
		<Keyword Index="AssetId" Term="1b15e7e5-3a77-4817-9bcc-f327cd7777161033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1b15e7e5-3a77-4817-9bcc-f327cd777716" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1da52796-c5ad-439f-af38-9818e26fe356.xml" RLTitle="Certificate Template Server">
		<Attr Name="assetid" Value="1da52796-c5ad-439f-af38-9818e26fe356" />
		<Keyword Index="AssetId" Term="1da52796-c5ad-439f-af38-9818e26fe356" />
		<Keyword Index="AssetId" Term="1da52796-c5ad-439f-af38-9818e26fe3561033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1da52796-c5ad-439f-af38-9818e26fe356" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\1ddf06ed-615d-4e24-ba43-468fb0da6c13.xml" RLTitle="Issuing Certificates Based on Certificate Templates">
		<Attr Name="assetid" Value="1ddf06ed-615d-4e24-ba43-468fb0da6c13" />
		<Keyword Index="AssetId" Term="1ddf06ed-615d-4e24-ba43-468fb0da6c13" />
		<Keyword Index="AssetId" Term="1ddf06ed-615d-4e24-ba43-468fb0da6c131033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="1ddf06ed-615d-4e24-ba43-468fb0da6c13" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3510bd12-b297-40ab-b1f8-af72de3531a9.xml" RLTitle="Make Issuance or Application Policy Critical">
		<Attr Name="assetid" Value="3510bd12-b297-40ab-b1f8-af72de3531a9" />
		<Keyword Index="AssetId" Term="3510bd12-b297-40ab-b1f8-af72de3531a9" />
		<Keyword Index="AssetId" Term="3510bd12-b297-40ab-b1f8-af72de3531a91033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3510bd12-b297-40ab-b1f8-af72de3531a9" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\39b97b49-7fea-4d13-a031-749165f26783.xml" RLTitle="Upgrade Existing Templates">
		<Attr Name="assetid" Value="39b97b49-7fea-4d13-a031-749165f26783" />
		<Keyword Index="AssetId" Term="39b97b49-7fea-4d13-a031-749165f26783" />
		<Keyword Index="AssetId" Term="39b97b49-7fea-4d13-a031-749165f267831033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="39b97b49-7fea-4d13-a031-749165f26783" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed.xml" RLTitle="Certificate Template Versions">
		<Attr Name="assetid" Value="3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed" />
		<Keyword Index="AssetId" Term="3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed" />
		<Keyword Index="AssetId" Term="3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\461a7e73-4910-4108-81c3-4a21a3c9a895.xml" RLTitle="Troubleshooting Certificate Templates">
		<Attr Name="assetid" Value="461a7e73-4910-4108-81c3-4a21a3c9a895" />
		<Keyword Index="AssetId" Term="461a7e73-4910-4108-81c3-4a21a3c9a895" />
		<Keyword Index="AssetId" Term="461a7e73-4910-4108-81c3-4a21a3c9a8951033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="461a7e73-4910-4108-81c3-4a21a3c9a895" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\4a9be825-e97d-4b0c-8b7b-a1f74a816619.xml" RLTitle="Subject Names">
		<Attr Name="assetid" Value="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Keyword Index="AssetId" Term="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Keyword Index="AssetId" Term="4a9be825-e97d-4b0c-8b7b-a1f74a8166191033" />
		<Attr Name="appliesToProduct" Value="Windows 7" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="4a9be825-e97d-4b0c-8b7b-a1f74a816619" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\534a3eb2-05ea-470e-a4af-047927eabe14.xml" RLTitle="Key Usage">
		<Attr Name="assetid" Value="534a3eb2-05ea-470e-a4af-047927eabe14" />
		<Keyword Index="AssetId" Term="534a3eb2-05ea-470e-a4af-047927eabe14" />
		<Keyword Index="AssetId" Term="534a3eb2-05ea-470e-a4af-047927eabe141033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="534a3eb2-05ea-470e-a4af-047927eabe14" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\5e47ee01-62f0-4033-8d21-c02b2bb32781.xml" RLTitle="Deploying Certificate Templates">
		<Attr Name="assetid" Value="5e47ee01-62f0-4033-8d21-c02b2bb32781" />
		<Keyword Index="AssetId" Term="5e47ee01-62f0-4033-8d21-c02b2bb32781" />
		<Keyword Index="AssetId" Term="5e47ee01-62f0-4033-8d21-c02b2bb327811033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="5e47ee01-62f0-4033-8d21-c02b2bb32781" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\625a2bc3-73c5-4084-b78d-c37ac00f96ae.xml" RLTitle="Certificate Templates">
		<Attr Name="assetid" Value="625a2bc3-73c5-4084-b78d-c37ac00f96ae" />
		<Keyword Index="AssetId" Term="625a2bc3-73c5-4084-b78d-c37ac00f96ae" />
		<Keyword Index="AssetId" Term="625a2bc3-73c5-4084-b78d-c37ac00f96ae1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="625a2bc3-73c5-4084-b78d-c37ac00f96ae" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6269c006-a8c8-409b-922b-3c3ba0e20bb7.xml" RLTitle="Rename a Certificate Template">
		<Attr Name="assetid" Value="6269c006-a8c8-409b-922b-3c3ba0e20bb7" />
		<Keyword Index="AssetId" Term="6269c006-a8c8-409b-922b-3c3ba0e20bb7" />
		<Keyword Index="AssetId" Term="6269c006-a8c8-409b-922b-3c3ba0e20bb71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6269c006-a8c8-409b-922b-3c3ba0e20bb7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\646333b2-67c9-4e22-8cbc-be44a5e4bcc5.xml" RLTitle="Certificate Template Extensions">
		<Attr Name="assetid" Value="646333b2-67c9-4e22-8cbc-be44a5e4bcc5" />
		<Keyword Index="AssetId" Term="646333b2-67c9-4e22-8cbc-be44a5e4bcc5" />
		<Keyword Index="AssetId" Term="646333b2-67c9-4e22-8cbc-be44a5e4bcc51033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="646333b2-67c9-4e22-8cbc-be44a5e4bcc5" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\6d7cdf83-35a0-446a-aaaf-4f48dff43379.xml" RLTitle="Re-Enroll All Certificate Holders">
		<Attr Name="assetid" Value="6d7cdf83-35a0-446a-aaaf-4f48dff43379" />
		<Keyword Index="AssetId" Term="6d7cdf83-35a0-446a-aaaf-4f48dff43379" />
		<Keyword Index="AssetId" Term="6d7cdf83-35a0-446a-aaaf-4f48dff433791033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="6d7cdf83-35a0-446a-aaaf-4f48dff43379" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\831d299b-4f8f-4d9c-9d43-15c6b6cc93ea.xml" RLTitle="Connect to a Writable Domain Controller">
		<Attr Name="assetid" Value="831d299b-4f8f-4d9c-9d43-15c6b6cc93ea" />
		<Keyword Index="AssetId" Term="831d299b-4f8f-4d9c-9d43-15c6b6cc93ea" />
		<Keyword Index="AssetId" Term="831d299b-4f8f-4d9c-9d43-15c6b6cc93ea1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="831d299b-4f8f-4d9c-9d43-15c6b6cc93ea" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\85e1436e-4c52-489a-93a2-6603f1abadf7.xml" RLTitle="Certificate Template Concepts">
		<Attr Name="assetid" Value="85e1436e-4c52-489a-93a2-6603f1abadf7" />
		<Keyword Index="AssetId" Term="85e1436e-4c52-489a-93a2-6603f1abadf7" />
		<Keyword Index="AssetId" Term="85e1436e-4c52-489a-93a2-6603f1abadf71033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="85e1436e-4c52-489a-93a2-6603f1abadf7" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8a274218-b04e-4b50-b966-e050f6a4c04c.xml" RLTitle="Object Identifiers">
		<Attr Name="assetid" Value="8a274218-b04e-4b50-b966-e050f6a4c04c" />
		<Keyword Index="AssetId" Term="8a274218-b04e-4b50-b966-e050f6a4c04c" />
		<Keyword Index="AssetId" Term="8a274218-b04e-4b50-b966-e050f6a4c04c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8a274218-b04e-4b50-b966-e050f6a4c04c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8a4b5b45-3723-4f22-a487-a52dd95d7a65.xml" RLTitle="Add a Certificate Template to a Certification Authority">
		<Attr Name="assetid" Value="8a4b5b45-3723-4f22-a487-a52dd95d7a65" />
		<Keyword Index="AssetId" Term="8a4b5b45-3723-4f22-a487-a52dd95d7a65" />
		<Keyword Index="AssetId" Term="8a4b5b45-3723-4f22-a487-a52dd95d7a651033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8a4b5b45-3723-4f22-a487-a52dd95d7a65" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\8c050288-46c9-4991-a6ab-df3ef8de0535.xml" RLTitle="Additional Resources for Certificate Templates">
		<Attr Name="assetid" Value="8c050288-46c9-4991-a6ab-df3ef8de0535" />
		<Keyword Index="AssetId" Term="8c050288-46c9-4991-a6ab-df3ef8de0535" />
		<Keyword Index="AssetId" Term="8c050288-46c9-4991-a6ab-df3ef8de05351033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="8c050288-46c9-4991-a6ab-df3ef8de0535" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\96dd619c-78c6-4be5-930b-eef928720262.xml" RLTitle="Configure Certificate Publishing in Active Directory Domain Services">
		<Attr Name="assetid" Value="96dd619c-78c6-4be5-930b-eef928720262" />
		<Keyword Index="AssetId" Term="96dd619c-78c6-4be5-930b-eef928720262" />
		<Keyword Index="AssetId" Term="96dd619c-78c6-4be5-930b-eef9287202621033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="96dd619c-78c6-4be5-930b-eef928720262" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\9b9063e6-0cb3-40ce-9217-cfa19426c6b0.xml" RLTitle="Modify an Issuance Policy">
		<Attr Name="assetid" Value="9b9063e6-0cb3-40ce-9217-cfa19426c6b0" />
		<Keyword Index="AssetId" Term="9b9063e6-0cb3-40ce-9217-cfa19426c6b0" />
		<Keyword Index="AssetId" Term="9b9063e6-0cb3-40ce-9217-cfa19426c6b01033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="9b9063e6-0cb3-40ce-9217-cfa19426c6b0" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612.xml" RLTitle="Configuring a Certificate Template">
		<Attr Name="assetid" Value="a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612" />
		<Keyword Index="AssetId" Term="a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612" />
		<Keyword Index="AssetId" Term="a7b1fd5a-ffc0-4cf0-a315-e6ec4f5976121033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b.xml" RLTitle="Basic Constraints">
		<Attr Name="assetid" Value="acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b" />
		<Keyword Index="AssetId" Term="acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b" />
		<Keyword Index="AssetId" Term="acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415.xml" RLTitle="Request Handling">
		<Attr Name="assetid" Value="b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415" />
		<Keyword Index="AssetId" Term="b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415" />
		<Keyword Index="AssetId" Term="b0fcf6c9-bd3d-4e1e-bd94-8e306a6d24151033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\b493c46c-97d8-4dac-9144-33648f3499cb.xml" RLTitle="Application Policy">
		<Attr Name="assetid" Value="b493c46c-97d8-4dac-9144-33648f3499cb" />
		<Keyword Index="AssetId" Term="b493c46c-97d8-4dac-9144-33648f3499cb" />
		<Keyword Index="AssetId" Term="b493c46c-97d8-4dac-9144-33648f3499cb1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="b493c46c-97d8-4dac-9144-33648f3499cb" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\bdcffb35-6560-4cf6-8cb8-8281910dabb4.xml" RLTitle="Delete a Certificate Template">
		<Attr Name="assetid" Value="bdcffb35-6560-4cf6-8cb8-8281910dabb4" />
		<Keyword Index="AssetId" Term="bdcffb35-6560-4cf6-8cb8-8281910dabb4" />
		<Keyword Index="AssetId" Term="bdcffb35-6560-4cf6-8cb8-8281910dabb41033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="bdcffb35-6560-4cf6-8cb8-8281910dabb4" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c3077a44-da11-4b06-a2dc-599c7251f6e3.xml" RLTitle="Install the Certificate Templates Snap-In">
		<Attr Name="assetid" Value="c3077a44-da11-4b06-a2dc-599c7251f6e3" />
		<Keyword Index="AssetId" Term="c3077a44-da11-4b06-a2dc-599c7251f6e3" />
		<Keyword Index="AssetId" Term="c3077a44-da11-4b06-a2dc-599c7251f6e31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c3077a44-da11-4b06-a2dc-599c7251f6e3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\c651f8cf-5c84-42c0-9a61-37e0000e6989.xml" RLTitle="Implement Role-Based Administration">
		<Attr Name="assetid" Value="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Keyword Index="AssetId" Term="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Keyword Index="AssetId" Term="c651f8cf-5c84-42c0-9a61-37e0000e69891033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="c651f8cf-5c84-42c0-9a61-37e0000e6989" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e236f324-c343-4efa-8728-aa97626a452c.xml" RLTitle="Configure Certificate Enrollment">
		<Attr Name="assetid" Value="e236f324-c343-4efa-8728-aa97626a452c" />
		<Keyword Index="AssetId" Term="e236f324-c343-4efa-8728-aa97626a452c" />
		<Keyword Index="AssetId" Term="e236f324-c343-4efa-8728-aa97626a452c1033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e236f324-c343-4efa-8728-aa97626a452c" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\e6868771-654b-44fd-9853-7cbdd9174f47.xml" RLTitle="Default Certificate Templates">
		<Attr Name="assetid" Value="e6868771-654b-44fd-9853-7cbdd9174f47" />
		<Keyword Index="AssetId" Term="e6868771-654b-44fd-9853-7cbdd9174f47" />
		<Keyword Index="AssetId" Term="e6868771-654b-44fd-9853-7cbdd9174f471033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="e6868771-654b-44fd-9853-7cbdd9174f47" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\f6d90c10-d921-4f70-8a02-f3e525efa7b3.xml" RLTitle="Remove a Certificate Template from a Certification Authority">
		<Attr Name="assetid" Value="f6d90c10-d921-4f70-8a02-f3e525efa7b3" />
		<Keyword Index="AssetId" Term="f6d90c10-d921-4f70-8a02-f3e525efa7b3" />
		<Keyword Index="AssetId" Term="f6d90c10-d921-4f70-8a02-f3e525efa7b31033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="f6d90c10-d921-4f70-8a02-f3e525efa7b3" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
	<Vtopic Url="assets\fabc1c44-f2a2-43e1-b52e-9b12a1f19a33.xml" RLTitle="Managing Certificate Templates">
		<Attr Name="assetid" Value="fabc1c44-f2a2-43e1-b52e-9b12a1f19a33" />
		<Keyword Index="AssetId" Term="fabc1c44-f2a2-43e1-b52e-9b12a1f19a33" />
		<Keyword Index="AssetId" Term="fabc1c44-f2a2-43e1-b52e-9b12a1f19a331033" />
		<Attr Name="appliesToProduct" Value="Windows Server 2008 R2" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHDATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISENOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDNOHVSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHSTANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="LHWEBSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2DATACENTERSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISEIA64SERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2ENTERPRISESERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2STANDARDSERVER" />
		<Attr Name="APPLIESTOPRODUCTSPECIFIC" Value="WS08R2WEBSERVER" />
		<Attr Name="appliesToSite" Value="BWCOnly" />
		<Attr Name="CommunityContent" Value="1" />
		<Attr Name="WillHaveMamlFeed" Value="True" />
		<Attr Name="zzpub_assetBug" Value="1754" />
		<Attr Name="zzpub_MtpsProductFamily" Value="WS" />
		<Attr Name="zzpub_MTPSVersion" Value="11" />
		<Attr Name="Locale" Value="kbEnglish" />
		<Attr Name="AssetID" Value="fabc1c44-f2a2-43e1-b52e-9b12a1f19a33" />
		<Attr Name="TopicType" Value="kbArticle" />
	</Vtopic>
</VTopicSet><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpTOC>
<HelpTOC xmlns="http://schemas.microsoft.com/help/toc/2004/11" DTDVersion="1.0" Id="certtmpl_TOC" FileVersion="" LangId="1033" ParentNodeIcon="Book" PluginStyle="Hierarchical">
	<HelpTOCNode Url="mshelp://windows/?tocid=cf13b506-fc6f-45df-b70a-6bc7e8859953" Title="">
		<HelpTOCNode Url="mshelp://windows/?id=625a2bc3-73c5-4084-b78d-c37ac00f96ae" Title="Certificate Templates">
			<HelpTOCNode Url="mshelp://windows/?id=85e1436e-4c52-489a-93a2-6603f1abadf7" Title="Certificate Template Concepts">
				<HelpTOCNode Url="mshelp://windows/?id=e6868771-654b-44fd-9853-7cbdd9174f47" Title="Default Certificate Templates" />
				<HelpTOCNode Url="mshelp://windows/?id=3b98ae7b-24be-4c8a-9aa5-a2c6f8d999ed" Title="Certificate Template Versions" />
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=fabc1c44-f2a2-43e1-b52e-9b12a1f19a33" Title="Managing Certificate Templates">
				<HelpTOCNode Url="mshelp://windows/?id=c3077a44-da11-4b06-a2dc-599c7251f6e3" Title="Install the Certificate Templates Snap-In" />
				<HelpTOCNode Url="mshelp://windows/?id=831d299b-4f8f-4d9c-9d43-15c6b6cc93ea" Title="Connect to a Writable Domain Controller" />
				<HelpTOCNode Url="mshelp://windows/?id=39b97b49-7fea-4d13-a031-749165f26783" Title="Upgrade Existing Templates" />
				<HelpTOCNode Url="mshelp://windows/?id=1b15e7e5-3a77-4817-9bcc-f327cd777716" Title="Create a New Certificate Template" />
				<HelpTOCNode Url="mshelp://windows/?id=bdcffb35-6560-4cf6-8cb8-8281910dabb4" Title="Delete a Certificate Template" />
				<HelpTOCNode Url="mshelp://windows/?id=6269c006-a8c8-409b-922b-3c3ba0e20bb7" Title="Rename a Certificate Template" />
				<HelpTOCNode Url="mshelp://windows/?id=a7b1fd5a-ffc0-4cf0-a315-e6ec4f597612" Title="Configuring a Certificate Template">
					<HelpTOCNode Url="mshelp://windows/?id=194c4281-a5bf-4be1-9e4e-61f7b500066e" Title="Certificate Template General Properties" />
					<HelpTOCNode Url="mshelp://windows/?id=646333b2-67c9-4e22-8cbc-be44a5e4bcc5" Title="Certificate Template Extensions">
						<HelpTOCNode Url="mshelp://windows/?id=0acbd7fe-62b1-4aba-9cef-351e56075434" Title="Issuance Requirements" />
						<HelpTOCNode Url="mshelp://windows/?id=b493c46c-97d8-4dac-9144-33648f3499cb" Title="Application Policy" />
						<HelpTOCNode Url="mshelp://windows/?id=534a3eb2-05ea-470e-a4af-047927eabe14" Title="Key Usage" />
						<HelpTOCNode Url="mshelp://windows/?id=acf8a000-d3c5-4a8d-bbbe-c1a258e0a03b" Title="Basic Constraints" />
						<HelpTOCNode Url="mshelp://windows/?id=3510bd12-b297-40ab-b1f8-af72de3531a9" Title="Make Issuance or Application Policy Critical" />
					</HelpTOCNode>
					<HelpTOCNode Url="mshelp://windows/?id=b0fcf6c9-bd3d-4e1e-bd94-8e306a6d2415" Title="Request Handling" />
					<HelpTOCNode Url="mshelp://windows/?id=0eb289d1-2df5-47d3-a2be-ba231daa9858" Title="Cryptography" />
					<HelpTOCNode Url="mshelp://windows/?id=08bab27e-830a-4153-bf33-271dce69f99b" Title="Supersede Templates" />
					<HelpTOCNode Url="mshelp://windows/?id=4a9be825-e97d-4b0c-8b7b-a1f74a816619" Title="Subject Names" />
					<HelpTOCNode Url="mshelp://windows/?id=1da52796-c5ad-439f-af38-9818e26fe356" Title="Certificate Template Server" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=5e47ee01-62f0-4033-8d21-c02b2bb32781" Title="Deploying Certificate Templates">
					<HelpTOCNode Url="mshelp://windows/?id=8a4b5b45-3723-4f22-a487-a52dd95d7a65" Title="Add a Certificate Template to a Certification Authority" />
					<HelpTOCNode Url="mshelp://windows/?id=f6d90c10-d921-4f70-8a02-f3e525efa7b3" Title="Remove a Certificate Template from a Certification Authority" />
				</HelpTOCNode>
				<HelpTOCNode Url="mshelp://windows/?id=1ddf06ed-615d-4e24-ba43-468fb0da6c13" Title="Issuing Certificates Based on Certificate Templates">
					<HelpTOCNode Url="mshelp://windows/?id=1134786d-baae-47e7-ab30-286e21b180d2" Title="Set Up Automatic Certificate Enrollment" />
					<HelpTOCNode Url="mshelp://windows/?id=0749af8d-c195-49b8-96f6-3a9a6568b520" Title="Allow Subjects to Request a Certificate Based on a Template" />
					<HelpTOCNode Url="mshelp://windows/?id=6d7cdf83-35a0-446a-aaaf-4f48dff43379" Title="Re-Enroll All Certificate Holders" />
					<HelpTOCNode Url="mshelp://windows/?id=9b9063e6-0cb3-40ce-9217-cfa19426c6b0" Title="Modify an Issuance Policy" />
					<HelpTOCNode Url="mshelp://windows/?id=96dd619c-78c6-4be5-930b-eef928720262" Title="Configure Certificate Publishing in Active Directory Domain Services" />
				</HelpTOCNode>
			</HelpTOCNode>
			<HelpTOCNode Url="mshelp://windows/?id=461a7e73-4910-4108-81c3-4a21a3c9a895" Title="Troubleshooting Certificate Templates" />
			<HelpTOCNode Url="mshelp://windows/?id=8c050288-46c9-4991-a6ab-df3ef8de0535" Title="Additional Resources for Certificate Templates" />
		</HelpTOCNode>
	</HelpTOCNode>
</HelpTOC><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="AssetId" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="BestBet" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="LinkTerm" /><?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HelpIndex>
<HelpIndex DTDVersion="1.0" Name="SubjectTerm" /> yP!VU?;BT"U
AP.hIEFJIڡPHBwXݕ܁݋1`4;(.fVUXm@di&dCf%# D @+Gh7`{""}%+@&M⻲kޅ]ɫzl	!-û=K^3p~^W¸\)pߩmvmo۝}kȿvc
Ne	{y>J*s<wCM󗜵}6}HKəܷ=Mã}7CEǧ\Ntorm*{QɑXvnxHy߷oo-8m-."_wׄr=8ߛxۼ]Ct]?~Λa9=6gs鼚vy?
;E8{p6p4nJ?s5ؘs)r6'~M>X>Ŝ~SނU=W~ϸK4{m[8q#?eڧ|wQ!kKy"׼\ۋ.,ɵ8K8cx>\ɵ\C^L<~ͻomrcvg~&mA^z(zmRM|k9wާ=7ko^$)?{Wz+ٟ虾NMt)bNeo9qwǿсvw9}i_?l~zllzzlǎ/s_xoyؘd_;槺UoOPe7W}s}ws[nStkcysl _wj؟g=g;Z^E5vF؟[]َmmzG<V_ص?f=gtl`3cl+αFtӱ=g-xcqs|cM|c9vԓ=gu=eþ[N?{<1wow#>wut-yo=k}[}[IVҷo}k[?oַumַԩvl]u7:kmsܾ׽snmw;~n-w7}sn}ugksgn
;'w<VuoW875̭WrUM]Oο
j_#<RoK-
Kkbe_֍//׎uΏ//5אϑ//גГ/.j)__WS[U_Կu_W__c꾋]__j3j5__j7j9_/םzϗq]_j?_]_A_]_ln_Ծ6}v}R0.Lvڏy7ȗ1;xvM>vowxq}V>˷wLqmgSx_+y'{;b!~}Q>x!}lno<HLHeZ~b\+V댟s
gSJgOuwj
[
վ9㚆w<$g}?r3}s=ɳ)3:tuJ,N)3=:S=S:{JtJg{tg{JtVlOw錯N)9ҝ)y):cS:t|JtJ|t|Jt&Zyҝ))3>:#SJN|tguJN)yҝ)ҹ)ҝ!)9%)y:S3W>S:;t˧J|tb霚OμOΜܞOyҝ?)3>S:}JtfҝE)3N;tj<Oy:SJ.}tg}Jt>n:S3>S:wJ,OμOάy[)3;tv:S>S:3;tzyҝc)3>S:}Jt~ҝi)ҹS:<tۧJ,xOθys)3>:SJlxO)3N<t9ΒtY+q:o8x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^x^/ŋx/^r)/
㣡9>
;|44v|>
=hP8hI>
%Ϗah44|>
QGhT|48GG!ࣣh
C?!hX?Gҏ!h*K?!hl|4N?hF>
_GC!0~4
2ahh^>
g4ÚG~4
GÐ4|>
oGC4|>
sGPh|4c?ÞGѐ,|4f?h>
@àGh4}>
Fh4L*}>
LæGZ>a`00``00``00``00``00``00``00``0<`yψI~w	8so%8uW⧧7UqT6SNVYz-qDz)x9ٔ<lJzR8+or9ϝ6lqb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#Fb1F#Ĉ1b#F.$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$.111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111q1d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2dC!d2!CȐ2d~
߇ֹ돑[qNp.\…p\.¸p.\…p\pup\.¸p.\…p\.¸p.\y6\.7…p\.¸p8\o|puw¸p.\lθpW\]pZq¸p.\…p\.¸p.\…p\.Ԏ>&}ͱm>J}8>H}#>Vw={;8aﶽ#>w[?}}ôj<aG>x1#f@<#!3<;qD^iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii{N[VmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmn[G^"?44MMӧ=pM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44Mwjjګjjګjjڵrõ[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[ծ?:44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM4=Ms[7qu[…up.\qfUqmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[[mVmV[ջmkyM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM4߁8KӴ4MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44Mm44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MMӴ=[4MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM44MM4M4iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiӴ4Mmӏ;Ns}ը_zZ?׵p}'9" &]tLcۦ趒Lh+ffj/f8GWdƈ̽K|߫^p$ХxWN/s7˄"̊xna6̻+ j4Ԇ5ͮuq'g#.If*-T
oM!n겺]M"
RB*I"*߇w]nSj%DO$IHA
A!ő|Q
}ė-g9?֊f{Tyӄ/`w>X
#¾>UG_r{@|u%ow|}x!+oH5RPg%Ԗn.ƴWyp (1bC>='n%ݯOȟ!e;[o>-U+}>;%]m,\4k\
UnƋe	9{AB=0/>pɼ2#、M]WA  eѓEK<1C&tè
1||io(65qR&[WU.1w[TjrH^/N|2shs#	*\r"?`32P6!"<ȯҦC$?"R}*_6㺫Bo~v~شr-{ $ag7qzni&ެ*QjApOml@,2Sz򳤂&FE4RSw4j2VZ-yTF	WFNωdKtN0~.n/vM瞨r<z/;GΑ!`ش|d߷}H6+MH+&
JzO<
}^<I#l1jc;p;AGI=RTj,2@D<?q8GCɋyUҮ+BWNѿ-d=\faSl6wAg&k#npL,Gej.iuhNxwAL0
M3
T*&_(@c_L];4](F'DG 䭚˖!
CG-F䤈Tu.F[>l__V%ַ$*QusF:z'uέ8;Vןkv6®(j]a_yRSM|a/&$=m~5s͓M51Y*n
cuGEGAM)kmkJgs{[&q 9wonf@2f?;oݠhLmFuhbAp\NYl7fjcJl\5
PO#i/ϱڣ꾱ؠ41a;XO["ڹ,$ډqy}D]nW9{$[h?)fDz4k,X'
)*xoցu(=6MԊ<u"3*5Tm2lkHEKS̽LhnόLMwM9hݫ!)zo*n.X)z,#Tn<.ZR)k[^(1ppd|@0A1[Oml#a;w!-o\M.Hj:I;Tγ툗$Is~MJyҗ9ejWy*FC/ĖQ|=жKjtP+fvf`,qҊAP~5­!ayy7W$fX2w=F>Uwy]Uoi!>0Ɯ-Fs֚!!3W3j[AjHH[( N$Bb9"̷z-dQXzLlP,zC2ZQ//9ivo?"Wb7kGJ&gWQ.P2O@Y"w-8WoY
WX(ꣳJ/V%CڌӬF[{z#os_ɶ0Ѷh$!JdK(о/hykc+\srjSB$efLߋto3} P˃[)cR~0tsA+g8Ax>8Url<^hRb.Y߻|qu'օguf93<C$܋NicHmܡfz{`pp`̆#ݻ5s1@/V`4<5;~ߕV~T-YGfƀD(dna*hEzz
,H),-u;ՈB
yk{2ck-%6[$bUJk	aT>ڻq$p
v#rDE˟nw̚ͅ嫙;WjZjq(+?Fn7rQ{z][g$c<ݷ[
B$zXav'Tq?΅Hc(Xob,B-rv+fcWFre6̑+[؍Ǵ&7!Y@Ff vC %2],9ueJ-@0l2RWr	ʉC€SKh95Uo\+K/x$BMWjǕ<|$~ܙ#:j-8Zb
)uDFf@SϿ.X=OQG7yJLbߞ0xFZ|!%5t/f{>dڛoŚ+u-uؾXK/BA/F&hklSQP\'nC@#ʞ]
nWqn27>ѕ3hL:_{b[@R]U9S^}̍VZoOP}_ұԗVILp_=Um&`&;ʂF<(,;IA¢L沼sxCs1E-NE\Ɋfꚕ*iPw̪vjr)u;m/Z
2kC#"QX/ppom=ci3di4c͕\fS_0S̸x63awW|v^|4)2@uyF1噶%s1a$+Q9*RRWpUwY&SG{mRpŒk|$j$;$)ed$f#wDÐv&;Q{QQܰo
׳j\Gb2و"Et
?mV)C4N슏Ї>fV?HAkJHC0qؾjw%sXn<ҫEx"	Z]ǖEQ	C+F,;MՇD}DbQТ=뤴U
#)
)+'bQXѪHM$!g$m9͌@
{P}	\t§Fw0v'ZY`^ayΓdC9QDĿWBlkǒZ`d5G"d[%s3<=O`̃Rǧ*ߣc쟁כW_uTͲ"P@10	&)b:-B&DbAVu=C&!fB?[@*-/2sf*ASRv%wty\z<Bkm;_YIrlX<爳}	
PWȇ@*]/A82(=د\(#ܼ3\(I{p]͓Tm쳻K-G9q@]Jyڼ"ܟ9ڔ6~,U)V(S
?*VZHT^.k;jM~x
3mAVed#tEqI3,~N!LE"A]髯	mXd~fX8/BcLleyrGz	9WvlfkttPڦ>Lo	Gô09̹Bs}wIdX*v׷dP!j(}<ZKvqgJgsjɢL?l~ BLRxG&ghKnbJVyĊ*Et	򪾐tY[ZXac+(y$⟳g>I|-/ gSt9K8@}X!=ϜOTPȨ	09[h9i(is]1 oe,!6v/Ń.ƇiXJ]m;LR
@k:bWMȈx--1R:c	wjkQvx5T7heS\h«f<q4LO-DexJNA/43M\}Qt!i2`41y(*Cd'Z(h"
W܊GӰS+hdy
8|%'U׮
te$2>*9h_=j7؀
5oEaT2<7(/>97н>>,mXIxRy~4-8sKf,OoSv24:M8s.$$鼪 !̐P_4MݜĦ-T`I]1V_9mk^~@LaeUGcpV]ոWԱn#QI1֭R/a%BǜS=C8	=Go,[Hu$߶9ܩ#1~!6O`ᡂіU'#7lVljrP-ܵ1he>=3!?9]l7mySܣCͬ6>]f7yb"W,nr6
$M2qB]g+_Zx.N7N[v&eD&A8$,ܫPJwloe'm@-Xw(N7YjJUchuol
#bh.nnx#qiWUvVbYa@[M8aW؋۫C#`]%DLqEެlp{`]<23O2wm`5[e<XAAcjc5\hTE2z\qHfF*BcɣSv)|:h:7}18]B{OA1Cu@eѴX3|ht#nKT,&MNkCS&Y
Fsĵ}~BW1-92>ׄ+Frb[ˉP}:B$S!7v!5g['1!J"S=:J
]Ƚ.'琧=CEl/u=|FZ	^֙rrv~1b[+[cvх18!_7߂07?ZS;	;'[EA|mUA[XI2;&)^Xւ$t\5CX$X';ntS~Fi6EQ|A9;}U'5k쨔!:iϝ[CpiRgzI!Vn9iF658ږe"S)V1SO"̓FBHWs	ǐbQA
<8t<"W41#?l
6^ *0^ W11Vo4pϒ`7lcm6cml6lcm6cml7{Lz45jl(bw.{%SEDaUxm	D߽q͘
y=0aA<شX5WB.(/eYѹ9aԺ=SH~ÝElԃKaVdui*!xivgmt@%%}xGMJ]]{V(z;o^;:ͲЉMKa<58HLۄYUmʐЩMkGNmҿ,I@%|0յ޸IAMoR$mMGIw)n
ni:4-º@7gGHg赠w3&&=mڀCAܘs%'366Vb;[ktHl]YqLjQr6gN(&U_Xg72%-K=O@P9҈,ˁaȑM'EBOm]-
}}odˎ(4M+*:DcamjDP-<n#T>=)1Ǣ	[Usl fD̍$,]`Whdpaq/p_#:VGMzwG<WݼzZVu^rxJ@OVów@V4<4gFY
xakѢX/jSobGщ܊liGBw
1p<2jWІ~0܉v}G?Gۯ<x.=&2~{Pn88v:Z"We]<+*\F'TжeKGfIE^vmHiyB%-Ύ=AEH%J'gɥ5T]LpbdwU9+IRf39ު#7X@>&N-w"eE$l̈ڛ%(3G_P
YtǛI12'HC-&ޏ?4,60\
Aݯ(UI|]>{Q|Q-ɔzH/u'6K(*)VʤkVv|xtu#qUd
5kGŕq@_szF=tu('#TI{T,mv:Өn̺qWZ?
1d
Ø!b^C3N[[RCgVEdS]4b2|QߒM/1(Nly.G?(wPzej7]sb23踃KluLdǻ/hL4s
6V&#͢r&Bޖc%?
)WOL_> ײbSϧP>c_E*Q"{VrA
»ks$Ck/7n0td#fD^ƦJʛ8SS5F!Ա8V0ڡ@<ةecԡ@:{^]j,Z\D^~||4\+<z.9wK(צ:bM!s݇҅v,A ,Z[2eQ[ ?&ZZhZv˙
75+uaǙq͚Pzvi,x.jz$1	W?aU4'vbz-e_:#!7)Px3x/aan$H㺻?,|.N2歃4ȆƌF/oEN!quH8CG]"J?=B5/ܿJ#oZMۭ,[~ݫ'$UY	tD(U$݌T0lzw⩪zaT>B=Mp^k@s=uB_to,xZ21 Sgi݉Vg#^1QSIԉ2;)Zʰix@\Jzd1;E5˲WV|&T޹()#BMurgs;;ly^
;3sqʷ,F6=u0XË1lsl޵2_wvF^6%)2@)qdz]h}/1f&(s}@\!}yVCԔ7k&Oodhj=9+*4ډukmW`"]# gVyPTE=W9ח~b5,҆v!LhhW_\{(~In|
Oz%ѲO*>uju߯P>ӊ)&l
eI](vol`Kx {Z!,9ލ /XT<ldZqKk4
b	582H,Q␚Qqb7'd|]ABVG=!+(c6qgmYqX=.WZ
M$mT!_tt⭺9/8Ԝ*NXvV~O\9Ob@aPVEdgm-`䟦u)n3GjI9s4FLdqHƂDX
܁F\fٖ2ḃ;d?;-vV}BBW~ƸHKEeE`N0˒Ӡv
LUNg	2Ǐ_͉#YP;ᙍw#BvV(ߨ;f oCm?RQ`.珥u
HGQUIBy|ߺ"(lQc>cłV	tevaJ޼Xzký\PtvxBOA!~:G-L\
.%{ġ@O0iMs
!f?oJ_k%U|rb+AId+Zv,^a Gn:*|0w0;)E4׊ C14;:_mSQlkrU\P#Fc'	rqJI.¡[]s[vH%u@<F~BҝBhlj6k:)ielg{X@[^`2YTbO!ծD[#<œ;~= ѯ{ڹf{xxFh-BžN?&JMHxeCNVe/*͑v#k{ LVh-N6,T	*dwcnZu6D$Ȁp8#ݺ[&%wN@yu-B3q֏3T
cm"CgO@xc)Ww.ۡY)դ^Uv0^bJ13rKW3YrDZ`Y5o;l2YrOG&UaH<S$
LOlR06&0V
IBuyy<+	1q쀈xZ}Y4{@odhw׻%'~Ŝ\mg=ukM*	X7-Ms]ܼfV2$P_O-@
(,z_t>D>܌_1GiG}J	`[ti,
Pw|1';**b[fr9sò+f^8a.6YB컩`V*lCG'*F
("M<N@m,ά/x7KUDL̤9f#O:ÝX
-X
[,ag^	owK7͚mRnݚ>xEGOĩ`Yq~_	wFBrYKYPp}6˯}OA)&L,0{@lNb6{\M03"45U49=a
Wb#'R
c1-
nX3vtmW*JaJRoErt9l,I#iYF1_G؇iG'b."C%Lp%-ߙ{-@=@|Fnp #`<6L1VZ2"(6TaRI\6)ZDupYhwU+bB#9m;x %`
|
0pAu;W2W5Y;!Q
DږuFi6L58Kȸ\*µ0K$@nϘ۞|Fע搗ݍܾWfeUG/4@ O.Tj%?D	^8}h
qt<HL-f{ȃ‹U&L5^ϥsױ0
eYW"d>ν̳}܊+Jj|Uo5̧ȤaPh@D1<8/#A5u
~UCͱS*n
1HNnQgk5f:q6GF`z{PҤ\|K3q 18r	xrt-1ݞYK!,W/~IQ_m|Z2ñ@-q
k<ZuG'	6.z"0^HVk>s+U<|yM-%ҖƖª#UVטɔt8A^䡺d¡i8v?Y%>y\nl
m8b
tfLMug/',Ztyg͉\T={f4ϱiGl2xۥ';Qr#E3䙇35DnKdY"s{egϣe*\.B*qfM)\w-i1ةr^$jf1.l靕ц38%hm0RFc|$=bL(łbk#hrH?Z5jOT{CWNٍj&YC6W2`WlBgGе1._U6[w2RSᾰx/gnq R*O^ޞW.HJPEo⯙(_F7hXrIN_\*q#ff^뜣4
gKӦx@١BXrkF% &QC}
[G_)
(<]t+9wGsXGc{<ň$ӻ+ Fx-lJi٥UhK'tsdgONtтE˴W<iO#wr@؝ܨMt9S-3ti+
La6%	hh@;dJ70A_Ww<0[@pli@kMIJWxoW7ꭴ9w`/kPL,,8qM\*`4Jz؉?~jZxU˖(![9J&B9AfsS`W$84۠8h`4i1V5{Z&vwxxsy]F}ͮ#dzN{1(#Pgٷ
Ɠ
&͍<J!C%ϾjghJiA5upؐWhPnxU rg+;-GwKѷ"l:wdb<-NHId`*I'tD(g~@N\OXVcﴊG{3	/ğSΦ~2,6CS1v*.܅ّ]~qJ_vg>FoS[ډ$i"Aa}<"5kscƱy	*
 vвQhxq{y}-X,#SAFvThQI	cL;XlհC#xr/\gLLM>|Nzgۜ+u3b4l`DuO
^#$E#m=ۓqIQ)	A`kMaR!BE+;V1X.؆Ys8jl\?-^GWzO!c*3;{zȲim̵DY~jƒ<X>#h8֬h٭O|Gl_P#qMX|#-Oj	&dc}}vov.G#l[}Db+;/hJ`Tg׬{G'e9J,|cCa <p-0Pv)TilMZa_G9tFrFOd%*"{"]c1;k+0xKSbNh6~2ǝ$S]Pv.ZҀ&^=_%,(%dߘ3oVhH0vK:A-FK-)O/!s36bVXGlw}"/+eYt^D92wjav5,=;`כD,OG#&|l60І4l"~@1kG3to҉E`
0.e<l:'ݥx=:
|FH{ۍ\9bvC
{	Y&=eUB.Vm4!_Q&8_12,Jxe-zlMEzJLEFldUT*Dܠ4'
iRt}PXŅЎ@t[i?Suo$'&[I(>S\Ww.`L֑.27'-uF1*T(BCj(VW̥<{fnfs>{)lYdn*pP">\aK8$&mz0$@i6JlPTuN|86~&oHA\fǠ,w\UkZn
Jg1;W7XU^ei8n
\
<\n#N vSё5:}l'	|`#;I_d~b[R-x-b?jb荹GI_D-?k-q&s)gO"kOX)zff+NJ^>߹xĵc	6CY\z[\^6^]G7NqK8Aqe:?9<nΔDz֣[nG`ʮNʌEg)|Uxm]k38bٮ*0OȚ{7!_؊zQ5UmKR2&)[aLf-zAg:k_xR䁀_s8lKȁZd4<Xe$Re׏NLE4PrMD]&]&)fϡ,n$RRsbl2?WّQ6ҝeɴS871WT}\U=Qw@+(VM?G8qA8ۿ\^q-5bK)8yw‡hc`V(PWscilö8wh{ZsNڏ7Z{1bYG+8٥sYS怘	Z`]0T(1ҥ'&&4G(h^vzpNE2C4bS	Mc>,cʗLFu=NZiW!F3j-w]}3rW96cQ;F!
{944lhg2N>ObxIMoSDcXQ(qى|M>zǨA	l۬#|ƭZrmdX^uzhrֺexL+Zd'ǁk?QWPuƹ()`4cBF [fm
`vo(Y6G3/H+R:7I?=F9c4t	znTNH<*R[gU#E~!2OAT"heZ+˗q;e2}Аxl1_?§V;2[~2y}mVS/UԾ•?`詔R$o4XZQ̰-P`0FP{3_c9ZPykwMG
=&vjHsFA[z N&Y`?(P(@Dwrd:%sJO؃'V]o2O²>w"NМluO;YyK\{<m7X|%]QtjOEܢ-,.8'x*j|ao
[jS.Z&	
4Tm	\],[kL1fEeER"aex|TUl)i)-?i2x1,n@^?Ɏ
 2Xa C|89\*PPQ]7<Ҧw	|>>*NѶTYC)~'(>BkSۗT>j`7ό*|P4loy*u	Ev
劘B'q:Gm@rRZ2gy~TJ5ϫKJW!Ӓra[q~t/%;)_gyj;v7.RR	j
+HMnM3Xa=yo)C؟Sg¸y?^*>`l{7=G	 [u䟆 )ӕ_*ws^
kW)%7Ē+ٟLeP0ۅ|VԞK-]=E[a?0jC|huTl9,%I<;ҏCÖ(	Z)\O]7,Jgn+GE
s{R.-?8!eTpg2¸t+n_h]tx@1䓳_47ѯSPL#Yn]YrQ4L;z?ܝJwC)wD,;7ߛխ7jeJSٶHC);5E Ւ;(Q"h2^:#F_nT,EojfJ<-; ĸ}:
RNniW'#OւͰ6'8/!eȁ6#P';2|(*wS&}Ri=V{Zp<IhbesQe5Ū!
n[U-;	-d.|;dIz̦ls¸+,'Xb1ezŅss6ݼD_uEkfvH "@qƠMHzfwŤ&ħ)*lJG_)"Z3wVlKHUo],"۶
\IJ7[»fv*ۨ
]77Cz8̟gy,	sO`NSXH'kduΤ83M&^\f:rW%`W^#1Rr|kUũI9
*I&B]rtQzdh?=粞ۃNhDž饜/˺F<nx#㒨9[-<r')p \D5?Ewѓus;k6
L*ܢE^\[A0UѭQ7`9k'HBkipQaYs'uey)LΐbolC
</;Er/{UswJe1
n<a~TB^U"?{t*΃ɝ<}~C"V<0jjH'
J,p`aЍz!7VÊR<t]%/SgVf&EKv)Hc+C/)R2@cКlG"ŃnяSoc<PYd4ьŵaw<Yq{큏k`wQb.{VB-.1֫<1Hq9cqbrQQc_c՘nx0}jt܈m:wJwKغgݐCUi"^ϙuý*rڑYrJlve-aU+݄V%V
]/x9ȡ@Wk .$oέ<=
yoS{wiVHiO(g!u[~3`brQjRty("L]ǛvvR**C `{|R)eI)[\U'*ZX=57]ષ\|m"NMLߏrOԢ'80"$/#$ESz]Fl|MLf4xwx\aO)O&".	JX<ﴛfA&=ز|<ZAwG2b-.pҕ"nBGbV8V0>㳦<Z0/(Z< yLt~e$Qǵ_7M'iȵ@{3cΠN=yd*ċ:ޛ1Q^1y%̼99%ßpz4!SzyAn\kk+ 8!/ob\C?}4	%"L\#5k%ȐkV,B׊)QY@Mxͤ+u!ٖ#hg&J=pt3֜m[̜޼D!g1wHzzF,z7Q+ꜗBsA[P=bwM?^	OP"$2
Ǐ	
q mPn"^!P1&>^zSBhkvP
h}Io#`ͽO8]ڥӃj`*3{ѶGӳ~*y:9_0#+-4WoӋٸ,
xib<IÎH۫H4`󉢍sqX]N=8`LՕ+(6sb
c]rjZWdp|Pg	]6X=g:d\9)	.--aTU:"^m[yeEy\Ƶԣ.0ہkyyw;F^"'%$r&Nma/(A0VPPJ7k\&=;R%ȯ:llj1%raehP[OTLy!x5mmxYNBz1X^m;/M3ؿ9J[rp4A/?UARlGzs4?<r>Ψ ӌi;;@FYAj-Nb"w.a|nq-
LgW%.2ćfgu&܀,o<%%Pml.0L#ԡml3؉cvC]:#_6
P̅{dl\/Y+*h~b'<N\WuI2qqpޒچrM
?сĠ qqW,^u}f>%}hxj;ʐIg-@:CTX`96i81cc`B)B;b쫏C	;<rU36kU#h-Ӭ0gQ#IϫEKÆSo2߂{\H	TA<<?ׇHkgߥW&L}Oy)Zn17
2N5xI
ʭAa"/(Lyy(G.͠7!kd1g)HκKJzlws?}HW3\Y#&2[Y4`CXv.H_9b\Drc+5^EzվG^ɠ}eþ8q)#0y]uHsՍ_(]W3[Tw\#
xaG9Oҙ%w^{j5TZSܳAI
`	LCv߯sbC6:mպqh1m]\-{iIb$94@M3'
ۧk5uySM%մ8\J"󚪹8/w%$!"ۺ8n\#h^
z_1=ռL^W?21\L(QjvFOA?gO$i`ȐhFst'E#?{NkY$-v3tɕ 	]y*.9Y逸pM);b>W9qvYH@rWr=mxsn1S\d/$-zZӊqW#
]j9u%LZ0ԾdM]M|
:/_/]myR6QJGϣY*s;<CsBPPg34
.-XIǂ/$܈cSg3S|mw Pyfq|r]|e$B&MQCl>ϊr/ǿME[Me&&kSG`3_a]u}T )0=҄=x!/ΓQw5vl5?&WK}5CQV}ἄ\lgW5N^K*
6dbbc0ۗRbify(U*:U≓dD"3);R2$|y xxPU~'$Pn`~gVۢauCuO"FPm]q-6*$Z,:.
HtR7N.|.8Ӗ᭖7hM*N&z9/o,<~j'%AʛfPU2.Hj	Ffx#Id$&vkؗ;[AJKR+	ev>mԆOoϪDmX7̆gqؼ'~?I7\MUv:i(MN4ѣ@qoVM]P4]=r9
U=0j#/@V	nl%0T3ՊiSJ2buA7̘2U,
<Zo_V>IEMZ"љ'1u
mڸ"Vf֫AG}u}k+-{.,pxALxlv&׏~dq)=UXG2nׅR|&]|0ݹTH=8z_a6FUV.miiψ&kxsbແ/5Kb(ZK(Y-KܹIVAFXP%'%"t(u&̒EVlRa1Xo$%|y囿
KS[ƴ=F kdAk&ǿԏMns1qڍ5$	?<r|YK\w
)B>PS?|KC/O:U\ӕ/PR	I\'7MeV>ʁooam:r:/>OPT)Z+~mD?mxLe˚/qfc䤜y\|um(Җgҡ%b?Ԍb6:$&v"UBV7͗Yc8FrՅHk6c cVd&z\\t$dZKx
_+vq
~{=RB#r7\FobqC>WtxZ?Z;$f`,r5I4ץ"@2zrE_+_6RI;Yq8ٺ>䨛WǞnMHB fjve&'Ջ 
bdZj
U~L&>\
hJPđA׈VxS^6$~f"?.#Kv4%WMJ8@DhLԬ?Hg/M@nZ/\U
׆|O^՘ЈRq!W'sG;ttF&4
ˏ#M/\v6<3҂RGwNHl?>J^`t|n`oQf"Igx>)
<I,ɯ`((?j?Sp __tJ?O|ōzu9]O!w[+
y>#*|~+/U;2<ns͛@EEhIYQ}?*i*Q<{k1|grA%R5RHeQq<G/ ZY&cp$/I*$T"'s}
c|rUmc\4~$lS	:K:?̇nˀA_H4?MxMœ]:m[PpAPt2~pJOʼ6 .ƽAzY0.@7i8
Ayo$,!e"ckTh&U(e+d“*@򆞚A(Mzyt/­>Ɋmf!Y:Dg4kIJᔞ=\3po{-ĉ}zvGJYA:F]r=^[y6WP(}6~ GH`TI(ߣ؇&U;s_W=ZZgzl`~QS
"b6R*RœUj堐[ 9!Ry5wtbn|^%b{f~GLxyBQFq?Li	0{Qck-3N;59X*ܻw<6sq8S`)Sz#L5a:Bƕ>
&B;}VcgݗYwX<I2
ZwI0O	1!qņ'8gz˥1B{Fb"kf80$!rV恜4iVP'zGI$ԅh[`B	""sBW(
)PiW"Ç$T̪[T{{K#M;AŜhB,ۋ<6Nq7fABu#_ifo)w:U^Å^;ISaA<_c^
HuO#AvRh	+kMzAP˻Y稥oWDU(qzOtx5xĵyp.[tZ@jIRIaϐSGSo$qyQ**ף-ӯa4J4&Pb
hqzbaʥt]U	崝/WjdقʣM
K\0̬V[Aǣ¹i9z'%6ZsbӚ9n"ܐ#3XC
P(&Kqy8(\GJS
EvoMrsYf$v}w[ռu	bSCfޘZلGѐי)}cA'ܖL0f_dH#bghٙ5~mb&c՚M>`	5h~۱3	VXgȩ$

a\tDЕrԼ{IHGiܴ%9ົ}@MHچvjYah]9f\&a^+[	=Cvs~a<pdV݈brS":B4`AͼiIˁF0;rvX29ϛ1UW64UW8p<=@UcZڕ- cGԾNLŒNZm\BRwvLfjxfI=9ze)1#grLV*t2oO'JׂWVsJŴ
h${q#8F|vv>>y<iILlߠj
h2;B)'Kđ1=F}	ktWa5"U2z֥WoАQ$.dKPEAșлsp(GEK+8C\sE9
gܞ/T\Vc*geu؜0j@
#*5D8>ҕnp`ZijU
FkTQmvޡB2fy5,G#ہ)iܜx-xR$2dkUA79/J13r">DNi60g_wֆ]vyg8ye 盃 u$fU1R쥳^xgB{x&|{#)=bbVcA1=8J~Q{Nxh}@K-DtYz|k)t1rI?,wN"YE`&Cj8_U0)b:Z1@̔ qNXHP(X#Ze]&w?!V65(h\!":aOԿ"MRe']+w+z[G0a	Uȉ/*
~|[r&M?a2լ~-.#c@B;k
7.>7N`,P7@
syZͯqyJ/'SvGHmVtRŌbw'sB:b%&bb-Wostc>@INԅL)*&a4MCy`<|(@Yqxc(ӑ=>nraѦQlTIMm$vC#:z2ŵmE
\RPv7^{92=aౠjda[!cz6]ֲ.\J%!#Nce(hwl֬LLXQ$;PEUZ&-Zc9";m[|㛒kT6'*)i+IϨ.rn	-ϝ-df;Jۄnd>Rs@Q#{zĀ^WRNKy}*%UYU"bd9eصHzSa)gef$=^œ~$K7I
5Ng.o:9g*d9YHq/jBHlҼo*%t|N!3O";>3V!
dI.UAÉe*~ڼ\ZHղ	<=h߾2?*I10!5U1u֯+,Ӥ4<'\FG(e"	Bѹe#'\MӜ;$0o8G;cVR8M6ӞQ~ѝ :[|- D;diM"l~j@$L]VطK4ѸCrt&,ܥ
IjEa̽PNvp|l fB%=I8J6Dr{sp`ԗЫ7e΢g2̛y6	x_,v7F29YM$?훒=NkG6Gaİφ|&c),3
qU_ҙr:]bP{62+JWmSt\x7FQh'YLLosN̈lεGٜF:flr#16FEdY+YBJ9j6ča@

?<=A
^


AhΗNu5X>xB/OLNB'a魌u*Jswv~H]I;;6#+gtHޗjB:PT"[\S|H,I>IO,O8e}ڌSTH7Ie16{ڞk(ӿ|YDBmQdu(r;P<mupi7zt%DSΎeަnnU|>FKo'M^<x~̧{?iG:G!W)c-Z5a5AQ	*b{M	oMꐛk>.6a~>žd_2xer(c} ū{X鸦n|,q'aR^Y:и_U@)!]:	<=X5h*,ִSVGl{^2vM'].
ڽHqQӎL\Cnh7bjsbJ.Th&z(J>=Ԯ`)Sfe)@|Tq%(n/])e.bOmxmPI\mxm6cml6lcm6cml79H89[l.]+5@kkS
;2C-oV/>9+ZehZ[Rh_&:iְnp8;opwAFjĔs+{NTp@lBU#E2̤oD+jj`4S٥5qxC/^5	tt6-f֬IF$$֜'E4`|}sc
QoF,G``{tqrSrNYW:*r
J|"lZGC!hUSځQ DmNP(>\Z'XELHHUf3VJ|U2JeF-u={1Cnse\!ܞn\A[[Er	)ɛR`(7I[Vb۸"wl'`1=OE0l+e-]RJoDt(bvJzE:(h=CЪsmfV:<ؕ|1	bX+,kw2XFb3Ka9]ZʳlDYA4iyq|QnOAV,!5wѹOV
'2[lM<"Jpy8QTZX/k.RV|ȐQVݭpJל	qX.(ڲ]p<_|\S)6Lȳ2iu&,cdo
y]3aݦF=#ipYc̺]rꥲnBy:NG
 `&jnd	z"5*@IDbDgxRP*+],]׈lYt_kaH ]\s戧;vv"nUg	b,\dI
Aօ9YMڂaXOV$rxGgV?QtI}8MDŏM.ʶ)hUMK+t
\!+eDcSt!ZqUOڂ]lT1lW&nQ{.B>:$p9B5i;vܹo#ar
pON>+,]ޮc6?(O4;GfҬ3N›ZhTf-tPΐرG]\;WCPث†+s^85#LhqȖUH
yZ!@O'w3Z+#vJ*skR%r+e6UX[ߌQ1[C$^-ԟְ~^i篋!qy"z"9si4/5K6mWHB=,+RB .
}w]['ՊYnv4{OY^l'%P|hBO`}ř[WH҈7Bθ4>)LQrVU2n^[LQ	YV4h!=LD]%*/gϔ( $Y0J[Jh	KŁ#Ab:iDÐ8a"lPHM/qIJ*[6>/o!8,fFvhBj!x;
AcWݱ^ux;2:?\4txYRJZm`08TR׀"j)ACZ1TA܌xiG{E/TOiR
jHT$iLu餄8B-~pthYݱR}hx#AiNAIX^mSfVqX3FL<qX:pPQ-S66{\`M?gϥOtk,"a{Y%2S)Akov9su*ٴ'qZ6
Bt#**jGwJcEڥ\1!?~{cq&Z1^Aj'=87#FyVfxP=Zcu!2ŷJ:)	ND_ .~koknܫksomf#"bTsa]8L?:!wFmNX6s߅u^_˿bzj<	kcoHۋ56չrg1b	+]'}k,Kko3Ř{Ҁk?/9q<Pk:Q6,V߅u^g˿{Αv\(]%c4UHo̿ǿZ>>(p|.덚o6<:_TP*V d]k?"i߯WXoJSOwSN75/NMFn}>U=0sBƬ>>TMn%a
t{Bk~܇}9vèguc99~r֕zLW=a]FV2Um4AZd}G&Pm2{skkԵgKio˱B%!?-8\]x;,fы--vv	Dvu;:~ֺ'z݃}H$>n6Wq__T
Hz81RMA{Huډ |>ލ_D)ڪ>g{h=-=mPjM6ѐr75eC|B'yzr϶5Դ۩@֍6r1RϽen҅pZZϚ}-~]ϣُc]~O[C٦lKBV3Ȩ#g"?mzx6!xHd}P2ѱ
{u_Tm'2o;+cCP"
P7ѳj&|bg2k{5*w}x,Ʊڨ3ONg;~n#VSw"wn+eK|eTymy>g
"wg6+@r;o6LwwVFkjˮ@Do 7@|j5n6vgt!6DGm6>>й6n-+̑mݯtj[?
۽F_hK3ʞ'd_l`oHGvKBj3i>k޷IAk=A}öhڨujܘXŚZo|WU[siƿ2}oԗuM-L{~dfwSGA	|8[	WDhweTy-M9η5[Y*mjl?[kGGmFEg$91-Fq{Y$G̈́DGVʙVtoitY<1Q!μ3L77M۶SF)Qw&vߙuf1Lh1[+^~9=#p>4=.x{Vk;pe~\o~TbMU?HZ2ho]{| $7L{eU=ɵ׾>޳SLdk/;K#eVL~,z"e4ie[=OxLq%Ug?nr:pq1Wə~>۬g2{f{d<omAx~oovAd卹gni]d[CɌl<s7jƺ.fe^d>]Ήr+̀OS#&Wh!MȌyo7Q mBY|ܒ"\WNF5/_&eh5EmRj9Am_ЛQkѾkٖgo4SWHG?2G%'h߽6ߨǟŧԮlJ#FohԜ?SWJD߇0!=E~}QeW;?w{`h]	ym{QW[-:(b㳕ш c/h_<9¤{
V-=Jւu{im7P%߆3_%ZG3g2A=f.X]W=@k;1X1E51y+d-㺀>w1,eî}YYno512|[}O-oWmwC,B+=x[KjAtoR(Չ!|jFiT Emοt@)=ʲU@CFn/
bcPo 78~@JP
 j˟z_t퍹h3~4MS2=AO!u/+aT~t6*Zț6WL4ʞ'V*tNUJi{;:+R'zj@w@,*!Q+/$i(op67unNV6~}%L*%ݒ
W(
2hݩ<c	hPrn΅,Vth)V_G%FQ3RJУTJeh)]q襲3R3tȥr
W4L)Ir
M,$D2l=ˈ(:YX⡣\F}L<utٹ$T[R	ZCr(Jߓ1gz] ӕJ,BtAiÖJ_׮|T8uogŕ;74Զ)Fy4iAj~.5}Mm{O>I>Vcm{P YTd35"orՑLE˕m{ٮ)ZA	mr޶Q6aXKI%I^'#)%%NqNY:RYzmezaǑwzvHbYM`!h\*[JovrMJ7H;7i,[=y]5psiMdYnL
	}@fHͻ,ؖD&3I&sR.2Is{{ݽEp(*"(#	~&/?/}`m7'V&fNMΚ`5kׄo&M.DdIs	hn ;iO	CÒӬV՜h'	{BnXMƃ3usXlOtնۀ{i,~WWRЖ9	n;ANx	s			<Ť6ЄD"a$sb4%`:MS%Zh4uR$?EǬ>NfE1(+9YeƑO,v
=Fn䗰JRl6Q(KDR-OsJչk'|,?ܡ]HRRqt(Y:SP|"B\13oJUT9n`U{LʟL.wv@ZlE5B9K"Y'?3<<v%T\0<CaT!CCQU,T7A"A1ǜzjVBJN,CO3ԏ&#E'wjqRGrOrj;fnءQ_`~cS7ꭐ
Y"Ԭ;uu]\tք[2\0q w-;N,YUuGka׵L.jN,ct'!0fhLM}A=DxlYrҒFQ9PBʼn~܄STk9,WR#Qx#]r˦I6;nt˄%\}qr,\7eOY}T8BXkNE0%՟eY%NC;#AǝO+t3IIgViRҺM:*T[ȱ9؜7FU8lCsb^M%>tڇra.BQjti?DpzmYilQe6/&Lz9JM0Е:o~m(p=r%|O|]uE ȗ+d$0"Lq,"˸7Po*faf=Me/K]ґ)'ir61qQ;&jWkxȱyE`lC{Rkjtp1TjL̩utIpXt^lG*u"&F-K"`No4FM89L
90tM5G`OuGbOO!EFwƢݦ dT)JP>֑ٔP>덉AS>LHC,NP<hyasq-(l0}
Ix!-l&6ywj͑) 5sa('裴imÒDwH\_SQ~h0uIԙMle&-xƚdoZyg]Jg&'4z)c*H$t_!-݋U^s
^2]YgV>.<p#kTzę)X.GuRR9ϚQ
LriP!׍>A>8SS`l("-V#GN4'_@
B7g|JBGnٗ4SFPպMP>A\p1ȪQڝq}.lq%7rX:PUMʠbC-z)W5BgZkR
\4
\87r\P7rXvo(E&7rY[0jѪ,u]b
to(Eb
PUMʆcP,93rHCzcrjM
SrZTSPUjv7բrzCW-)bPUj
"O1ջ%7բr&ՔA17rզk*CzL5wWVl=̣t=npx~''$ȢLl,q&X@!yGk=0~Y\zVzK2
WۜVxK<?||=˒CtD)	WQP(b'd++dDw9Go_)u7%js |5@FCR-gK.2GQ	}П^e"^מ	ZĢ{H-5/Zu6*:O${	7Q
cXB)ewٷ`T`c8fN蕽4ח!?bNAFO{VfX.i#fتyanU;=ֿ2~G>hd-YPAh4a@ZYd,vv:xy.tz.i*F^)膢?)ZikoχU6HcJ?^Yc2iY#Ŕq
}<wcSb#	*:ꔢ2e!Z~^]/}d<[A%ePebJ֚WMAD^ufYK|iR_wNAK1g?$sG-x{Ww	ޠ/02D5ω_Tdw	(LDOQ$^L4NuM~|C2zu,gʤ&	NpDN0
8XAKdW&X]\kOgr~f04Q7Hgz~!Y6KvѦ&}ӹ3_Os;%>|ZniMRzpֳoLtiF4#aM%;ͣgfzХWsNO}h҂=i*#<o"c|ƽ]֤|7;2dxُ=L7KjS/uLYz}r:Ej;EQ	bTpҏ7ἰԭѠ
(1\%Lo	;<bKVu"cI٣\7n>glE&^.z]3@/еMeM"ی?h:33=IcVό]CZV}'+Wj`]<??El5jxfoU<`xNNQ-Eg3͕o瑓ZyU|-c@,t}B':!KYP(#_S&s-xJ;_-ǀ>Ԕ[
yN}}I`R22̒YRI7]]·9f1ZDx
ۍR/2\K.- i|rb*"yRUSzzj1L䭱o2;ZY3OZcZ-cSkZc\ܭepj,S=-
GֱZFZԦ21 -}5QYQYQYQtb7*`\R
o("F07k62hnMq/nrYUH.du~=b$?k.\N@[^aG5t
jFj%|adJXlqnu*W6@kiusmx9dh!j
K.la2:x'=gh\C\XVQ,V F	%
r
%~K

v7hcjC5X{CpklFj&N-{}XeQ5E୦φl73U\qx5iu ndl.[Y*FM7eϠ4)!44TFB-+%~gR	ع;pK6+ VظmnzdR͕ 7W30A(ⷋ54BuJDJ̝FhEx[E
<p0|`I2.Jz2~jDJ
F~ .lanma6xcĚzh ci0J%:qH56
tɁ{R	-N
NV
q<d1is({%t#M/\bWƷ8w'q}cl¡<{;,I[ZluBb֏縍6Dv(uy
;\w%7z> |)ǽs\t_.ל.</G蕯8?/dnCGyQZzpԺ|9[	"7kʝ!O}lWH/Aτ@#^msڤo,0G7<2RFmRIp?Xܟn
~.߾#hV|ꓟk[oCÿx_pp#jܣO-uP"dͿWij^&	Cʅwds?~FryoVXj{T/~jY8m?oÜ6iK+i𖫉)6*?˿	sJ53~awE_"Iþ}GzpCZkE6#h6=|e9(5BV]%UXkD$db	)f%%lYkӡsPvz0+t)N~+#A)	b7/0d7zVɡ-k(!78U|].E-KL&tΗ{Đ_%{!@Kb'20PII,9ysEX{ϲabl[rФ$7ĵ/!s4c/x$mr`;p,8MLZb,9=Fha$m,1cDοYz,G-(X[KQ;.!kōP4%ma!oa	b[cy엤m1 88!otG~3oDdةۢmNқܫ⭧tPc)ϩh\a;2J˧,`|=zV5n7hs!n.uſ[d͊XX㼓HY]{O<ސ\4оBjZ?C|bk˫ം
V֯f*}E~x\_PY;vNVuY_yf3#L(dCtYR-kcU/b3,d}G,xN:(Ut.m蠉wn}!U4cd[Ls}Қ$6QGoeRbI])x,"2t;,3
8(p,'^

Anon7 - 2022
AnonSec Team