Certificate Services, certificate versions, and different Windows operating systems
In preparation for setting up a VPN solution that uses computer certificates I have set up a PKI. The enterprise CA is running Server 2008 R1. I used a GPO to configure Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings to automatically enroll domain computers with a computer certificate. This all appears to work; however, all of the certs are V3 and many of my workstations are running XP. Am I mistaken in understanding that these V3 certs are not going to work for these machines? They appear to be getting issued just fine, but I haven't set up the VPN yet to see how they actually function to authenticate the machine identity.

What I also do not understand is that when I look at the certificate templates, the Computer template appears to be V1 (it says the minimum supported OS is Windows 2000) and yet all of the computer certs that are getting issued are V3. I created a duplicate of the Computer template and modified it for V2, but I can't see how to auto-enroll domain computers with it. In the GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings there are only a handful of certificates you can set up to auto-enroll, and the template I created is not listed.

So does anyone know: can I move forward with these V3 certs and still have machine identity validation work for older versions of the Windows OS? If not, how can I issue V2 certs to all of the machines in the environment?

Just for additional information, I have also configured in the GPO Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment to Enabled, with the 'Renew expired certificates, update pending certificates, and remove revoked certificates' tickbox checked as well as the 'Update certificates that use certificate templates' tickbox checked.
Additionally I have installed the Server 2008 GPO extensions on all of the Windows XP machines although some of the Vista machines may not have it.
July 1st, 2010 5:02am

Hi,

From what I am seeing, it would seem that V3 certificates are supported on Windows 2000 and later. The main distinction appears to be that Windows 2000 (without MS04-11) cannot handle delta CRLs: http://technet.microsoft.com/en-us/library/bb457027.aspx

It would seem that Windows 2000 Certificate Services can be used to issue V3 certs: http://technet.microsoft.com/en-us/library/bb727022.aspx

If you find that you really want to use V2 certificates, then you can probably disable autoenrollment on the V3 template and configure the V2 template to autoenroll: http://technet.microsoft.com/en-us/library/cc737874%28WS.10%29.aspx

Hope this helps.

-- Mike Burr
July 1st, 2010 4:58pm

I see where I was confused now. It is the version of the certificate template that changed with the server version, not the certificate version itself. Version 3 certificates are indeed available as far back as Server 2000, but the certificate templates were only version 1 templates with Server 2000, version 2 templates with Server 2003, and version 3 templates with Server 2008. I knew I had read something about that, but I was thinking it was the certificate version itself and not simply the template, which had me thinking that the older Windows operating systems would not recognize the certificates. So it looks like these default computer certificates will work just fine for what I want.
July 2nd, 2010 2:32am
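The following PowerShell is an added example for this thread, not code posted by any participant. It makes the distinction the thread arrives at visible on a real machine: every certificate in the local machine store reports X.509 version 3, while the template that issued it is recorded in a Microsoft-specific extension and has its own V1/V2/V3 schema version published in Active Directory. It assumes an elevated PowerShell prompt on a domain-joined Windows machine that has auto-enrolled a computer certificate; the extension OIDs and the AD attribute name are the documented ones, and the V1 template on a default install is named "Machine".

```powershell
# Added example (not from the original thread). Distinguishes the X.509
# *certificate* version from the certificate *template* version.
# Assumptions: elevated PowerShell on a domain-joined machine whose
# LocalMachine\My store holds an auto-enrolled computer certificate.

# Microsoft extension OIDs that record the issuing template
# (szOID_ENROLL_CERTTYPE_EXTENSION and szOID_CERTIFICATE_TEMPLATE in wincrypt.h).
$OidTemplateName = '1.3.6.1.4.1.311.20.2'   # written by V1 templates: template name only, e.g. "Machine"
$OidTemplateInfo = '1.3.6.1.4.1.311.21.7'   # written by V2+ templates: template OID plus major/minor version

function Get-TemplateOrigin {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $byName = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidTemplateName }
    $byInfo = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $OidTemplateInfo }
    if ($byInfo) { return 'V2+ template: ' + $byInfo.Format($false) }
    if ($byName) { return 'V1 template: '  + $byName.Format($false) }
    return 'no template extension (not issued from an enterprise CA template)'
}

# 1. Issued certificates: X.509 version next to the template that produced them.
#    Expect X509Version = 3 for every row, whatever the template version.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    New-Object PSObject -Property @{
        Subject     = $_.Subject
        X509Version = $_.Version
        Template    = Get-TemplateOrigin $_
        NotAfter    = $_.NotAfter
    }
} | Select-Object Subject, X509Version, Template, NotAfter | Format-Table -AutoSize -Wrap

# 2. Template schema versions as published in AD.
#    msPKI-Template-Schema-Version: 1 = Windows 2000 (V1), 2 = Server 2003 (V2),
#    3 = Server 2008 (V3). Only V1 templates are offered under
#    "Automatic Certificate Request Settings"; a V2/V3 template auto-enrolls when
#    the computer has Read/Enroll/Autoenroll on the template, the template is
#    published on an enterprise CA, and the "Certificate Services Client -
#    Auto-Enrollment" policy is enabled.
$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$container.psbase.Children | ForEach-Object {
    New-Object PSObject -Property @{
        Template      = [string]$_.psbase.Properties['cn'].Value
        DisplayName   = [string]$_.psbase.Properties['displayName'].Value
        SchemaVersion = [int]$_.psbase.Properties['msPKI-Template-Schema-Version'].Value
    }
} | Select-Object Template, DisplayName, SchemaVersion | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# After changing template permissions or the GPO, trigger autoenrollment now
# rather than waiting for the next refresh:
#   gpupdate /force
#   certutil -pulse
```

Run section 1 on an XP client as well as on a Vista or later client: both show version 3 certificates, which is what the VPN endpoint validates. Section 2 is what to check when a duplicated (V2) template does not appear in the auto-enrollment list; its schema version, not the certificate version, decides which enrollment mechanism applies.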
