How to modify a certificate template
I'd like to modify the properties in the User Certificate Template, but they're greyed out. I've been trying for about 2 weeks and have not managed to get past this despite searching the web, modifying security settings, etc. I suspect I've missed out some authorisation step, but I'm still new to Server 2008 (I prefer Unix!) and I have not been able to identify it. I'd really appreciate someone helping me with this newbie problem.

The server in question is a development system. I have set up an enterprise subordinate CA. I have obtained and installed the server certificate from the superior CA (which is remote in this organisation, i.e. not in the same domain or anything). The service starts, and I have used the web interface to request a user certificate.

This request fails, reasonably enough, because the server certificate is only valid for a year, and the user certificate template has a validity period of 1 year. Since the server certificate was issued some weeks ago, this would mean that the user certificate would outlive the issuing server certificate.

I know I could get a 10-year server certificate, but this is a development system, so I chose instead to learn how to modify the template validity period, just as an exercise. And that's where I'm stuck. Specifically, what I do is this (though there are many other routes to the same dead end):

1. Start Server Manager.
2. Expand Roles.
3. Expand Active Directory Certificate Services.
4. Click Certificate Templates.
5. Right-click User.
6. Click Properties.

This displays the template. The Validity period box, for example, is set at 1 year and is greyed out.

Any help much appreciated.
February 11th, 2009 7:15pm

I would like to know if your Root CA has provided all the relevant permissions to the subordinate CA. Please follow the below best practice guide for configuring certificate templates:
http://technet.microsoft.com/en-us/library/cc770794.aspx

Hope this helps.
sainath, Windows Driver Development
February 11th, 2009 8:38pm

Sainath Into Driver Development said:
I would like to know if your Root CA has provided all the relevant permissions to the subordinate CA. Please follow the below best practice guide for configuring certificate templates: http://technet.microsoft.com/en-us/library/cc770794.aspx. Hope this helps. sainath, Windows Driver Development

Thanks, Sainath. The root CA has done no more than issue a certificate for my CA. They are not in a position to provide any other permissions as we are fairly independent. The certificate allows my subordinate CA to issue certificates.

I'll take a look at the "best practice" today and report back.

Thanks again.
February 12th, 2009 1:38pm

Great! If you need any assistance, do post us.
sainath, Windows Driver Development
February 12th, 2009 9:18pm

Hi,

The User template is a Version 1 certificate template, and Version 1 templates cannot be modified or removed. You can duplicate the User template to modify it. For more information about Version 1 certificate templates, please refer to the following article:
http://technet.microsoft.com/en-us/library/cc787165.aspx

Just right-click the User template in the Certificate Templates console and choose Duplicate Template. For your reference:
Modify a Certificate Template
http://technet.microsoft.com/en-us/library/cc758546.aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
February 13th, 2009 1:20pm

OK, I'm not making any progress. Some notes on each page below. I guess I have not switched something on somewhere, but I can't see what it is. I sure would appreciate a hefty kick in the right direction.

Mervyn Zhang's comment is interesting. In the Certificate Templates container, there are different "Minimum supported CAs" and "Version" entries. I can modify templates except "Windows 2000" ones. Mervyn suggests using "duplicate" to effect a modification. I can create a duplicate, but I can't replace the original, so it doesn't help.

Notes from the Deploying Certificate Templates page (http://technet.microsoft.com/en-us/library/cc770794.aspx):

Best Practices for Deploying Certificate Templates
- Do not delete the Cert Publishers security group. OK, it's there, and it has my test system as a member. (It also has the live but temporary CA present. I don't see why that should be relevant, but hey.)
- Add the CA computer accounts ... OK, it's already there.
- Do not exceed the certificate lifetime of the issuing CA. Well, that's the problem I'm trying to solve. Incidentally, this bullet says that the validity period is truncated. That's not what happens to me: the certificate is not issued at all.
- Plan certificate templates before deployment. Well, that's what I'm trying to do, by playing around with a test system.
- Upgrade ... I'm using Windows Server 2008, so I assume no upgrade is required.
- Duplicate new templates ... I can do that, but I cannot replace the original with the duplicate, so it does not help.
- Determine publication points ... I'm not sure what this means. I'm happy to have one CA that issues everything. No action taken.
- Minimize the number of issued certificates. Done! The number is zero. :-)

Publishing Certificate Templates
As far as I can tell I am logged in as administrator, and am a member of all the necessary groups. Do I *have* to set up a new group and give it permissions? I have tried playing with permissions in the Certificate Template security tab, but it has no effect.

Autoenrollment Considerations
I am not using autoenrollment.

Configuring permissions for a Certificate Template
These instructions are to control who can enroll or autoenroll. Not relevant.

Publishing a Certificate Template
Everything in this section works as described.

Notes from the Modify a Certificate Template page (http://technet.microsoft.com/en-us/library/cc758546.aspx):

I didn't get past the first section:

Supersede templates
I'm not sure I want to supersede anything, but there is no "Superseded Templates" tab for the User template. But I do have one on the Workstation Authentication template.
February 17th, 2009 7:47pm

Hi,

Since two templates cannot have the same name and the User template cannot be modified or removed, you cannot replace it simply. If you need to issue the new modified template for User certificates, you may have to submit it manually from the web or certreq.exe. Regarding creating a new user group to publish certificate templates, it's not mandatory. You can choose based on your organization. Regarding superseding templates, the procedure is applicable to version 2 templates, not the User template.

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
February 18th, 2009 10:12am

Hi there,

The certificate architecture doesn't allow you to create 2 templates with the same name, and the error you are seeing is because of the design. As Mervyn suggested, please follow the steps.
sainath, Windows Driver Development
February 18th, 2009 1:46pm

Thanks for your help - the facts are slowly beginning to sink in. There is such a flood of information it is hard to find the essential bits. I now understand that the User Certificate Template is version 1, and version 1 templates cannot be modified or removed. A version 1 template can be duplicated, creating a version 2 template that can be modified. But since version 1 templates cannot be removed, it is not possible to replace a version 1 template with a version 2 template of the same name. I am stuck with an immutable User Certificate Template.

When an ordinary user tries to use the web interface to the Windows Certificate Services to request a certificate, it results in the error message:

    Your Request Id is 4. The disposition message is "Error Constructing or Publishing Certificate The certificate validity period will be shorter than the User Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period."

[my emphasis] but it is not possible to reduce the template validity period, because the User Certificate Template is version 1. The only option is to renew the CA certificate with a longer validity period.
February 18th, 2009 5:48pm

Well, what Mervyn Zhang said was correct. But you should perform the following steps:

1. Duplicate the "User Certificate" template. Name it "User Certificate Custom" as an example.
2. Edit the properties of the "User Certificate Custom": change the validity period (< than one year, if this is possible?) and perhaps on the "superseded tab" state that this certificate template is the follow-up of the original "User Certificate" template.
3. Wait a bit till the new template is replicated in AD.
4. In the Certificate Authority MMC, right-click the "Certificate templates" folder, choose task, issue new template and choose your "User Certificate Custom".
5. "Delete" the "User Certificate" template from the issued templates. This will not delete the template as is, but just the fact that it can be used to issue certificates from.
6. Go to the ca/certsrv website and use the web enrollment pages to request a certificate and choose "User Certificate Custom" from the drop down.

BIG PS: You will not succeed with step 4 if you installed the Certificate Authority role on a Windows 2008 STANDARD edition! V2 and V3 templates, templates you duplicated and edited, require an ENTERPRISE edition of the OS!

Beware if you perform an in-place upgrade from standard to enterprise you might have to do the following stuff to actually make your templates issuable:
http://virdep.wordpress.com/2009/02/14/certificate-templates-cant-be-issued-after-an-implace-upgrade-of-windows-2008-to-the-enterprise-edition/
February 18th, 2009 10:54pm

Hi,

The error "The certificate validity period will be shorter than the User Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA" may occur if your subordinate CA got a certificate with a very short validity period from the root CA. It's suggested to renew the root CA certificate and then renew the subordinate CA certificates.

"To illustrate how a decreasing validity period works, consider the following scenario: An organization installs a root CA with a certificate validity period of five years. The organization then uses this root CA to issue certificates with a validity period of two years to subordinate CAs. For the first three years every certificate issued to a subordinate CA by the root CA will continue to have a validity period of two years. After three years, when there is less than two years left in the validity period of the root CA certificate, Certificate Services begins to reduce the validity period of the certificates issued by the root CA so that they do not exceed the end of the CA's certificate's expiration date. Therefore, after four years, the CA issues subordinate CA certificates that are valid for one year. After 4.5 years, issued subordinate CA certificates have a validity period of only six months."

For more information, please refer to the following article:
http://technet.microsoft.com/en-us/library/cc740209.aspx

Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
February 19th, 2009 12:01pm
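The two limits discussed in the last few posts (the template's own validity period, and the ceiling the CA enforces from its certificate's remaining lifetime and its registry ValidityPeriod setting) can be checked in one pass rather than by trial requests. The script below is an added example, not code from the thread or from Microsoft: it reads every template from the Configuration partition, decodes pKIExpirationPeriod, and flags templates that would trip the error quoted above. It assumes the CA's settings live under HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName> and that the CACertHash value there names the CA certificate; pass -CAThumbprint to bypass that lookup.

```powershell
# Added example (not from the thread): list every certificate template with its
# schema version and validity period, and flag those whose validity exceeds what
# this enterprise CA can issue, i.e. the shorter of the CA certificate's
# remaining lifetime and the CA's registry limit (ValidityPeriod /
# ValidityPeriodUnits, the "registry validity period" in the error message).
# Run on the CA as a user who can read the Configuration partition.
# Assumption: the CA registry layout below and the CACertHash value; use
# -CAThumbprint to skip the registry-based certificate lookup.
param(
    [string]$CAThumbprint   # optional SHA-1 thumbprint of the CA certificate
)

$cfgRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName  = (Get-ItemProperty -Path $cfgRoot).Active
$caKey   = Get-ItemProperty -Path (Join-Path $cfgRoot $caName)

# Registry limit, e.g. ValidityPeriod=Years, ValidityPeriodUnits=1.
# Calendar units are approximated in days; good enough for a sanity check.
$unitDays = @{ Years = 365; Months = 30; Weeks = 7; Days = 1 }
$regMax   = New-TimeSpan -Days ($unitDays[$caKey.ValidityPeriod] * $caKey.ValidityPeriodUnits)

if (-not $CAThumbprint) {
    # CACertHash is REG_MULTI_SZ, one hash per CA certificate, newest last,
    # written with spaces between the bytes.
    $CAThumbprint = (@($caKey.CACertHash) | Select-Object -Last 1) -replace '\s', ''
}
$caCert    = Get-Item -Path "Cert:\LocalMachine\My\$CAThumbprint"
$remaining = $caCert.NotAfter - (Get-Date)

# The CA never issues past its own NotAfter, so the ceiling is the shorter limit.
$ceiling = if ($remaining -lt $regMax) { $remaining } else { $regMax }

$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = foreach ($t in $container.psbase.Children) {
    # pKIExpirationPeriod is an 8-byte little-endian signed integer holding a
    # NEGATIVE count of 100 ns intervals, the same unit as .NET TimeSpan ticks.
    $raw      = [BitConverter]::ToInt64([byte[]]$t.psbase.Properties['pKIExpirationPeriod'][0], 0)
    $validity = [TimeSpan]::FromTicks(-$raw)
    $schema   = [int]$t.psbase.Properties['msPKI-Template-Schema-Version'][0]

    $advice = if ($validity -le $ceiling) { 'OK' }
              elseif ($schema -eq 1)       { 'Exceeds ceiling; v1 template is read-only, duplicate it and shorten the copy' }
              else                         { 'Exceeds ceiling; shorten the template validity period' }

    New-Object PSObject -Property @{
        Template = [string]$t.psbase.Properties['cn'][0]
        Schema   = $schema
        Validity = $validity
        Advice   = $advice
    }
}

"CA '$caName': certificate expires $($caCert.NotAfter); registry limit $($regMax.Days) days; effective ceiling $([int]$ceiling.TotalDays) days"
$report | Sort-Object Schema, Template |
    Format-Table Template, Schema, @{ n = 'ValidityDays'; e = { [int]$_.Validity.TotalDays } }, Advice -AutoSize
```

Templates whose Schema column reads 1 are the immutable Windows 2000 ones from the thread; a built-in User template with 365 days against a subordinate CA certificate that has fewer than 365 days left shows up as "Exceeds ceiling", which is exactly the condition the quoted disposition message describes.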

Thomas - Thanks for your suggestion. I followed the steps 1-5 with no problem, and duplicated the User template to "CS User". But at step 6 the new template does not appear in the drop down menu. From Google I found that this is likely to be a DACL problem, which I *guess* I can fix by checking the appropriate boxes on the security tab of the certificate template's properties - is that right?

If I log in as a Domain User, the menu shows: Basic EFS, User Signature Only.

If I log in as the Domain Administrator (or possibly Enterprise Administrator, I'm not sure), the menu shows: Administrator, Basic EFS, EFS Recovery Agent, User Signature Only, Subordinate Certification Authority, Web Server.

But when I compare the security tabs of these templates, CS User has all the permissions that Basic EFS has, plus more. Other templates, like Computer, have the same settings as Basic EFS, but do not appear in the drop down menu. The conclusion is that the security tab does not control whether the template appears in the menu - so what does control it? Is the DACL something other than the security tab settings?
February 25th, 2009 1:34pm

You don't happen to have chosen "Windows 2008" as the template version whilst duplicating the original template?

It's a known issue that Windows 2008 templates cannot be enrolled by the website. They can be enrolled by just using the Certificates MMC.
Source: http://blogs.technet.com/ad/archive/2008/06/30/2008-web-enrollment-and-version-3-templates.aspx

As for permissions, I think "enroll" and perhaps "read" should be enough...
March 8th, 2009 7:31pm
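Three independent things decide whether a template appears in the certsrv drop-down: its schema version (the "Windows Server 2008" choice in the duplicate dialog gives version 3, which the 2008 web pages skip, as the previous reply says), whether the CA actually publishes it (step 4 in Thomas's procedure), and whether the requesting account holds Read and Enroll on the template's DACL, which is what the security tab edits. The script below is an added example, not code from the thread, that reports all three for one template so the question in the post two above can be answered without comparing security tabs by eye. It assumes Enroll is the Certificate-Enrollment extended right with GUID 0e10c968-78fb-11d2-90d4-00c04f79dc55 and that an ACE whose object type is the empty GUID covers all extended rights; the template name "CSUser" in the usage line is a placeholder for the poster's "CS User".

```powershell
# Added example (not from the thread): for one template, report its schema
# version, which enterprise CAs publish it, and which principals hold Read and
# Enroll on its DACL. Runs on any domain-joined machine; needs no extra modules.
# Assumptions: Enroll = Certificate-Enrollment extended right, GUID below; an
# ACE with ObjectType = empty GUID grants every extended right, Enroll included.
# Usage: .\Test-TemplateVisibility.ps1 -TemplateName CSUser   (cn, not display name)
param(
    [Parameter(Mandatory = $true)]
    [string]$TemplateName
)

$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$configNC   = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks        = "CN=Public Key Services,CN=Services,$configNC"

$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pks"
try   { $null = $tmpl.psbase.Properties['cn'][0] }
catch { throw "Template '$TemplateName' not found under CN=Certificate Templates (use the cn, not the display name)" }

$schema = [int]$tmpl.psbase.Properties['msPKI-Template-Schema-Version'][0]

# Publication: each enterprise CA is a pKIEnrollmentService object whose
# certificateTemplates attribute lists what it issues. This is the attribute
# the "Certificate Template to Issue" dialog (and certutil -SetCATemplates) edits.
$publishedOn = @()
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pks").psbase.Children) {
    if (@($ca.psbase.Properties['certificateTemplates']) -contains $TemplateName) {
        $publishedOn += [string]$ca.psbase.Properties['cn'][0]
    }
}

# DACL: "Read" on the security tab is ordinary property read access on the whole
# object; "Enroll" is an extended right. GenericAll includes the ExtendedRight
# bit, so full-control ACEs are counted as Enroll too.
$extendedRightBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$readPropertyBit  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$rules = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$aces = foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$r.ActiveDirectoryRights
    $enroll = (($rights -band $extendedRightBit) -ne 0) -and
              ($r.ObjectType -eq $enrollGuid -or $r.ObjectType -eq [Guid]::Empty)
    $read   = (($rights -band $readPropertyBit) -ne 0) -and ($r.ObjectType -eq [Guid]::Empty)
    if ($enroll -or $read) {
        New-Object PSObject -Property @{ Principal = $r.IdentityReference.Value; Read = $read; Enroll = $enroll }
    }
}

$notes = @()
if ($schema -ge 3) {
    $notes += 'Schema version 3 (Windows Server 2008 template): not offered by the 2008 web enrollment pages; use the Certificates MMC or certreq.exe'
}
if ($publishedOn.Count -eq 0) {
    $notes += "Not published on any CA: add it under Certificate Templates on the CA, or run: certutil -SetCATemplates +$TemplateName"
}
if (-not ($aces | Where-Object { $_.Read -and $_.Enroll })) {
    $notes += 'No principal holds both Read and Enroll: grant them on the security tab'
}
if ($notes.Count -eq 0) {
    $notes += 'Nothing obviously wrong; confirm the requesting account is a member of a principal listed below'
}

New-Object PSObject -Property @{
    Template    = $TemplateName
    Schema      = $schema
    PublishedOn = ($publishedOn -join ', ')
    Notes       = $notes
}
$aces | Sort-Object Principal | Format-Table Principal, Read, Enroll -AutoSize
```

The Read check deliberately ignores property-specific ACEs: a principal that can read only some attributes does not get the template enumerated for it. Inherited ACEs from the Certificate Templates container are included, which is why a Domain Admins entry usually shows up even on a freshly duplicated template.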

