This guide applies to Mac computers

About Creating a Computer Certificate Template

Creating a Computer Certificate Template in AD CS involves configuring a certificate template based on the default Computer template with specific settings required for Iru Endpoint integration, including template type, certificate authority, and recipient configurations.

How It Works

The certificate template creation process involves duplicating the default Computer template and configuring it with specific settings that allow the AD CS Connector to request certificates on behalf of managed devices. This template defines the certificate properties, security permissions, and compatibility requirements needed for Iru Endpoint’s certificate-based authentication workflows.

Required Settings for the Certificate Template

Below are the tabs and settings that should be configured in the certificate template:
  • Template type: The template used should be based on the default Computer template.
  • Certificate Authority: Windows Server 2016
  • Certificate recipients: Windows 10/Windows Server 2016
  • Subject name: Supply in the request
  • Security:
    • Add the AD CS Connector Computer Object to the Groups or Users list.
    • The Computer Object should have Read and Enroll permissions.
    • Alternatively, a service account that has Read and Enroll permissions can be used instead of the Computer Object.
If you would like to use an existing AD CS certificate template, the settings in the existing template must align with the settings listed above.

Creating an AD CS Computer Certificate Template

1

Access the Certificate Authority

Log in to a Certificate Authority (CA) on your domain and launch the Start menu to search for the Certificate Authority snap-in.
2

Navigate to Certificate Templates

Once in the Certificate Authority snap-in, click Issuing CA. The name of the Issuing CA as it appears here in the snap-in will be needed when adding AD CS servers to the Iru Endpoint integration.
3

Open Certificate Templates Management

Right-click the Certificate Templates folder and click Manage.
4

Duplicate the Computer Template

In the Certificate Templates window, find the Computer template and right-click it. Then, click Duplicate Template.
5

Configure Template Name

In the Properties window, click the General tab and set the display name and template name to something like IruEndpointDevice. The template name will be needed when creating Library Items that contain AD CS certificate settings.
6

Set Compatibility Settings

Click the Compatibility tab and configure the following settings:
  • For Certificate Authority, select Windows Server 2016 and click OK in the change dialog
  • For Certificate Recipients, select Windows 10 / Windows Server 2016 and click OK in the change dialog
7

Configure Subject Name

Click the Subject Name tab and select the option to Supply in the request, then click OK in the warning dialog.
8

Configure Security Settings

Click the Security tab and under Groups or user names, click Add.
9

Select Object Types

In the Select Users, Computers, Service Accounts, or Groups window, click Object Types.
10

Enable Computer Objects

In the Object Types window, select Computers and click OK.
11

Add the AD CS Connector Computer

In the object names search field, enter the name of the Windows server that will be used to host the AD CS Connector. In the screenshot below, lab000001 is the computer name being used.
Object names search field with computer name entered
12

Configure Permissions

While still on the Security tab, select the computer object that was just added. Then, in the Permissions section, under Allow, make sure that Read and Enroll are selected.
13

Apply Security Settings

Click Apply and then OK to save the security configuration.
14

Issue the Certificate Template

Go back to the main Certificate Authority snap-in, right-click Certificate Templates again, and select New > Certificate Template to Issue.
15

Select the New Template

Select the template you created (in our example, IruEndpointDevice) and click OK.
16

Verify Template Issuance

Confirm that the template is shown in the list of issued certificate templates.
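
To check the result of the steps above from PowerShell, the following added example (not part of the original guide or the vendor's tooling) reads the template from Active Directory and reports whether it is set to supply the subject in the request, which CAs have issued it, and every principal that holds Enroll. Because the requester supplies the subject name, the Enroll list should contain only the principals you intend. The `EXAMPLE\...` names in `$Expected` are placeholders and assumptions; the script assumes the RSAT ActiveDirectory module and the IruEndpointDevice template name from step 5.

```powershell
# Added example: audit the duplicated template against the settings in this guide.
Import-Module ActiveDirectory

$TemplateName = 'IruEndpointDevice'   # template name chosen in step 5
# Assumption: principals expected to hold Enroll. Replace the placeholders with
# your AD CS Connector computer account (or service account) and admin groups.
$Expected = @('EXAMPLE\lab000001$', 'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins')

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Certificate-Name-Flag', 'nTSecurityDescriptor'
$tpl      = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$pkiBase" -Properties $props

# Bit 0x1 of msPKI-Certificate-Name-Flag is CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
# the directory form of "Supply in the request" on the Subject Name tab.
$suppliesSubject = [bool]($tpl.'msPKI-Certificate-Name-Flag' -band 0x1)

# Enroll is the Certificate-Enrollment extended right. An Allow ACE grants it when
# it carries the ExtendedRight bit for that GUID or for all rights (empty GUID);
# GenericAll / Full Control includes the ExtendedRight bit.
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers = $tpl.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extRight) -and
    ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

# A template is issued when a CA's pKIEnrollmentService object lists it
# in certificateTemplates (steps 14 to 16).
$caFilter    = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=$TemplateName))"
$publishedOn = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" -LDAPFilter $caFilter |
    Select-Object -ExpandProperty Name

$unexpected = $enrollers | Where-Object { $_ -notin $Expected }

[pscustomobject]@{
    Template         = $TemplateName
    SuppliesSubject  = $suppliesSubject
    IssuedByCA       = $publishedOn -join ', '
    EnrollPrincipals = $enrollers -join ', '
    UnexpectedEnroll = $unexpected -join ', '
} | Format-List

if ($unexpected) {
    Write-Warning "Enroll is granted to principals outside the expected list: $($unexpected -join ', ')"
}
```

Any principal reported under UnexpectedEnroll can be reviewed and removed on the template's Security tab.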

Considerations

  • Template Naming: Choose a descriptive name for your certificate template that clearly identifies its purpose
  • Security Permissions: Ensure the AD CS Connector computer account has both Read and Enroll permissions
  • Compatibility Settings: The Windows Server 2016 and Windows 10/Windows Server 2016 compatibility settings ensure proper certificate generation
  • Template Issuance: The template must be issued through the Certificate Authority before it can be used by the AD CS Connector
At this point, the certificate template is ready to go. You can now proceed with the AD CS Connector installation.