ClientAuth default template (Authenticated session) and Win CE enrollment
Hello everyone. I have searched and searched, but found no real answer. I am to deploy certificate templates on non-domain-joined Windows CE terminals. Built-in web enrollment works fine with the default template ClientAuth (Authenticated Session). I'm not sure if it has to be a v1 template? And I'm also confused that I only got domain admin account to enroll the certificate.
The CE computer seems to look for the template name "ClientAuth" in the request. However, I would like to change the validity period on the certificate to something like 10 years. But I'm not allowed to change a default template. It has to be named "ClientAuth", therefore I cannot make a new one or duplicate the old one (not sure about the version supported either).
Can it be deleted, and restored if I need to? Can I name another template "ClientAuth" even if I have removed the original one? Seems stupid to remove a v1 template because I cannot create a new one. Please help ASAP.
July 5th, 2012 1:26am

Hi Joakim,
Thanks for posting in Microsoft TechNet forums.
Version 1 certificate templates cannot be modified or removed. We can duplicate the User template and modify the copy. For more information about Version 1 certificate templates, please refer to the following article:
http://technet.microsoft.com/en-us/library/cc787165.aspx
We can right-click the User template in the Certificate Templates console and choose Duplicate Template. For your reference:
Modify a Certificate Template
http://technet.microsoft.com/en-us/library/cc758546.aspx
Regards
Kevin
July 6th, 2012 12:26am

Thanks for your answer. I kind of hoped that I could remove the ClientAuth v1 template and make another one named ClientAuth. Does anyone have a clue how to change the request coming from the client, the Windows CE computer? Or do I really have to make a manual request in the CA, export the pfx, run openssl to convert it, and import the cer along with the key file? And do this on every single computer???
July 6th, 2012 12:53am

I just found the answer myself. The settings and enroll request are stated in enroll.cfg. Unfortunately that file doesn't exist on our clients.
July 6th, 2012 5:34am

Hi Joakim,
I'm glad to hear that the cause of the problem has been found. Thank you for sharing it with us. Have a nice day.
Regards
Kevin
July 9th, 2012 12:32am

Please give me a hint. Enroll.cfg doesn't exist on our Windows CE .NET (4.5) clients. Could it be downloaded from somewhere, or can I create it myself? My basic problem is that I need to ask for another certificate template in the request. The default ClientAuth template only provides one year validity. Any knowledge and all hints are welcome.
July 12th, 2012 1:34am

You need to go back to the SDK to find a sample cfg file:
http://msdn.microsoft.com/en-us/library/ms926475.aspx
/Hasain
July 12th, 2012 7:53am

Very helpful. Not easy to understand if you are not a developer or mastermind. I got the request working. I now request a v3 template with signature, and the usage is: Authenticate Client.
Since the enroll process seems to work fine and I still cannot authenticate through our IAS, there might be some issue with the certificate? In the enroll.cfg I specify the new certificate name, though the comment section says: "Valid values: ClientAuth, UserSignature". Is it really not possible to use a custom certificate for EAP-TLS on these clients?
Subject CN=domain\username
PK = RSA 1024 Bits
Key Usage = Digital Signature, Non-Repudiation (c0)
Enhanced Key Usage = Client Authentication (1.3.6.1.5.5.7.3.2)
IAS server log says: IAS_AUTH_FAILURE
It is not very handy to use the default 1 year validity period as with the ClientAuth template certificates that I got working.
July 18th, 2012 1:08am

This topic is archived. No further replies will be accepted.