How to deal with certificate templates on client side?

  • Question

  • Hi,

    Good day to you all! I hope this is the right place to ask this.

    I have a few questions related to how certificate templates are being stored and distributed under an AD CS setup:

    1. How do the clients get a list of applicable certificate templates from the enterprise CA, which is shown at the time when a new manual certificate enrollment is performed (e.g., someone goes to certmgr and requests a new certificate)?
    2. How are certificate templates being stored on both the CA side and the client side? Is there a directory that the templates reside in? Or are they just a collection of Windows registry keys (e.g. Software\Microsoft\Cryptography\CertificateTemplateCache under HKCU and HKLM)?
    3. Is it possible to programmatically read and parse certificate templates on the client side, ideally via some Microsoft provided public API? I am asking this because sometimes it is useful to check, verify and debug that 
      a) clients are getting all the expected templates; 
      b) the contents of templates are as expected (particularly useful if there were templates with duplicate names, or an old template has its settings changed but the name is kept); 
      c) applicable clients are indeed getting the same list of templates.

    Please bear with me as I am a rookie to AD CS.


    Thursday, June 23, 2016 5:28 PM
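One way to do the checks in point 3 from a client, as an added example that is not part of the original post or any reply: it reads the template definitions straight from the Configuration partition in AD (the source the client's template cache is populated from) and the list of templates each enterprise CA publishes, then fingerprints the enrollment-relevant settings of every template so that two templates sharing a name, or a template whose settings changed under the same name, stand out. It assumes a domain-joined client that can query AD over LDAP; the attribute names are the standard AD CS schema attributes, and `Get-Val` is a helper defined here.

```powershell
# Added example, not from the original post. Assumes a domain-joined client with LDAP
# access to the Configuration partition; attribute names are the standard AD CS schema.
$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$configNc"
function Get-Val($props, $name) { if ($props.Contains($name.ToLower())) { $props[$name.ToLower()][0] } else { '' } }

# Which enterprise CAs publish which template (certificateTemplates on each pKIEnrollmentService)
$caSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Enrollment Services,$pks")
$caSearch.Filter = '(objectClass=pKIEnrollmentService)'
$publishedBy = @{}
foreach ($ca in $caSearch.FindAll()) {
    $caName = Get-Val $ca.Properties 'cn'
    foreach ($t in $ca.Properties['certificatetemplates']) { $publishedBy[$t] += @($caName) }
}

# Settings that decide what a template lets a requester obtain; EKUs are multi-valued and handled separately
$attrs = 'msPKI-Template-Schema-Version','revision','msPKI-Template-Minor-Revision','msPKI-Enrollment-Flag',
         'msPKI-Certificate-Name-Flag','msPKI-Private-Key-Flag','msPKI-RA-Signature','msPKI-Minimal-Key-Size'
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Certificate Templates,$pks")
$tplSearch.Filter = '(objectClass=pKICertificateTemplate)'
$tplSearch.PageSize = 500
$sha = [System.Security.Cryptography.SHA256]::Create()

$report = foreach ($r in $tplSearch.FindAll()) {
    $p = $r.Properties
    $eku = (@($p['pkiextendedkeyusage']) | Sort-Object) -join ','
    # Canonical form of the settings, hashed so templates with the same name can be told apart
    $canon = (($attrs | ForEach-Object { "$_=$(Get-Val $p $_)" }) -join ';') + ";eku=$eku"
    $hash = ($sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($canon)) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Name        = Get-Val $p 'cn'
        DisplayName = Get-Val $p 'displayName'
        OID         = Get-Val $p 'msPKI-Cert-Template-OID'
        Version     = "$(Get-Val $p 'revision').$(Get-Val $p 'msPKI-Template-Minor-Revision')"
        PublishedBy = ($publishedBy[(Get-Val $p 'cn')] -join ',')
        Fingerprint = $hash.Substring(0, 16)
    }
}
$report | Sort-Object Name | Format-Table -AutoSize
# Flag display names reused by more than one template object (point 3b in the post)
$report | Group-Object DisplayName | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Display name '$($_.Name)' is used by $($_.Count) templates" }
```

Running the script on several clients and comparing the Name/Version/Fingerprint columns answers point 3c; a fingerprint that changes while Name and Version stay the same is the "settings changed, name kept" case from 3b.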