Hi,
Good day to you all! I hope this is the right place to ask this.
I have a few questions related to how certificate templates are being stored and distributed under an AD CS setup:
- How do the clients get the list of applicable certificate templates from the enterprise CA, which is shown when a manual certificate enrollment is performed (e.g., someone opens certmgr and requests a new certificate)?
- How are certificate templates stored on both the CA side and the client side? Is there a directory that the templates reside in? Or are they just a collection of Windows registry keys (e.g. Software\Microsoft\Cryptography\CertificateTemplateCache under HKCU and HKLM)?
- Is it possible to programmatically read and parse certificate templates on the client side, ideally via some Microsoft-provided public API? I am asking because it is sometimes useful to check, verify and debug that
a) clients are getting all the expected templates;
b) the contents of the templates are as expected (particularly useful if there are templates with duplicate names, or an old template has had its settings changed while the name is kept);
c) applicable clients are indeed getting the same list of templates.
Please bear with me as I am a rookie to AD CS.
Thanks!
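One way to check points a) to c) from a domain-joined client, as an added example that is not part of the original post: it reads the templates published in the AD configuration partition, the templates each enterprise CA is set to issue, and the subkey names under the CertificateTemplateCache key mentioned above, then reports the differences. It assumes the cache subkey names equal the template common names, which you should confirm on your own clients.

```powershell
# Added example, not from the original post: compare AD-published templates,
# CA-issued templates and the local client template cache (registry path from the post).
# Assumptions: domain-joined host; cache subkey names equal template common names.

function Get-AdCertTemplates {
    $configNC  = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($t in $container.Children) {
        [pscustomobject]@{
            Name          = [string]$t.Properties["cn"].Value
            DisplayName   = [string]$t.Properties["displayName"].Value
            TemplateOid   = [string]$t.Properties["msPKI-Cert-Template-OID"].Value
            MajorRevision = [string]$t.Properties["revision"].Value
            MinorRevision = [string]$t.Properties["msPKI-Template-Minor-Revision"].Value
            Ekus          = @($t.Properties["pKIExtendedKeyUsage"].Value)
        }
    }
}

function Get-CaIssuedTemplates {
    # Each enterprise CA object lists the templates it is configured to issue.
    $configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $services = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    foreach ($ca in $services.Children) {
        [pscustomobject]@{
            CA        = [string]$ca.Properties["cn"].Value
            Templates = @($ca.Properties["certificateTemplates"].Value)
        }
    }
}

function Get-CachedTemplateNames {
    param([ValidateSet("HKLM", "HKCU")][string]$Hive = "HKLM")
    $path = "$($Hive):\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache"
    if (Test-Path $path) { @(Get-ChildItem -Path $path | ForEach-Object PSChildName) } else { @() }
}

$ad     = @(Get-AdCertTemplates)
$cached = Get-CachedTemplateNames -Hive HKLM

Get-CaIssuedTemplates | ForEach-Object { "CA $($_.CA) issues: $($_.Templates -join ', ')" }
# a) templates published in AD that this client has not cached
$ad.Name | Where-Object { $cached -notcontains $_ } | ForEach-Object { "Not cached on client: $_" }
# stale cache entries that no longer exist in AD (renamed or deleted templates)
$cached | Where-Object { $ad.Name -notcontains $_ } | ForEach-Object { "Cached but not in AD: $_" }
# b) OID and major.minor revision expose setting changes even when the name is kept
$ad | Sort-Object Name | Format-Table Name, TemplateOid, MajorRevision, MinorRevision -AutoSize
# c) fingerprint of the cached list, to compare across clients
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.Text.Encoding]::UTF8.GetBytes((($cached | Sort-Object) -join "`n"))
"Cache fingerprint: " + (($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString("x2") }) -join "")
```

`certutil -Template` prints the templates the local enrollment policy returns, which is another quick cross-check against the AD list.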