3.10 Adding extensions to certificate templates
You can add extensions to the attributes for your certificate templates; these are then available for attribute mapping.
3.10.1 User SID extensions
To set up your Certificate Authority to issue certificates with the user security identifier (user SID) extension for Windows authentication, you must configure the certificate template with manager approval.
For information on user SIDs, see the Including user security identifiers in certificates section in the Administration Guide.
- Open the Certificate Authority MMC Snapin.
- Expand the list for your certificate authority.
- Right-click on Certificate Templates, then select Manage from the pop-up menu.
- Select the template you want to add the user security identifier extension to, then right-click and select Properties from the pop-up menu.
- Click the Subject Name tab.
- Set the Supply in Request option.
- Click OK.
- Click the Issuance Requirements tab.
- Select the CA certificate manager approval option, then select the This number of authorized signatures box and make sure the number of signatories is set to 1.
- Click OK.
- Click OK to close the property sheet.
- Open a command prompt on the certificate authority server and type the following:
  certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.4.1.311.25.2
- Restart the certificate authority.
3.10.2 NACI extensions for PIV cards
To set up your Certificate Authority to issue certificates for PIV cards, you must also add a NACI extension to the certificate template.
- Open the Certificate Authority MMC Snapin.
- Expand the list for your certificate authority.
- Right-click on Certificate Templates, then select Manage from the pop-up menu.
- Select the template you want to add the NACI extension to, then right-click and select Properties from the pop-up menu.
- Click the Subject Name tab.
- Set the Supply in Request option.
- Click OK.
- Click the Issuance Requirements tab.
- Select the CA certificate manager approval option, then select the This number of authorized signatures box and make sure the number of signatories is set to 1.
- Click OK.
- Click OK to close the property sheet.
- Open a command prompt on the certificate authority server and type the following:
  certutil -setreg policy\EnableRequestExtensionList +2.16.840.1.101.3.6.9.1
- Restart the certificate authority.
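The following PowerShell script is an added verification aid for the procedures in 3.10.1 and 3.10.2; it is not part of this guide or of the product. It reads the template's msPKI flag attributes from the Configuration partition and the CA's policy\EnableRequestExtensionList registry value, and warns when a template lets the requester supply the subject name and the extension without the manager approval that these sections require. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that it runs on the certificate authority server as an account that can read the Configuration partition, and that the template name passed in is a placeholder you replace with your own.

```powershell
# Added check, not from the original guide. Assumes the ActiveDirectory module is
# available and the script runs on the CA host (for certutil) with read access to
# the Configuration partition. $TemplateName is a placeholder for your template CN.
param(
    [Parameter(Mandatory)] [string] $TemplateName,
    [string] $Oid = "1.3.6.1.4.1.311.25.2"   # user SID extension; use 2.16.840.1.101.3.6.9.1 for NACI
)
Import-Module ActiveDirectory

# Flag bits documented in MS-CRTD that correspond to the GUI options set in 3.10.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Supply in Request" (msPKI-Certificate-Name-Flag)
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # "CA certificate manager approval" (msPKI-Enrollment-Flag)

$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter "(cn=$TemplateName)" `
    -Properties @('msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signatures')
if (-not $template) { throw "Template '$TemplateName' not found in the Configuration partition" }

$suppliesSubject = ($template.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
$needsApproval   = ($template.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
$signatures      = [int]$template.'msPKI-RA-Signatures'   # "This number of authorized signatures"

# CA side: is the OID present in the policy module's request extension allow-list?
$regOutput  = certutil -getreg policy\EnableRequestExtensionList 2>&1 | Out-String
$oidAllowed = $regOutput -match [regex]::Escape($Oid)

[pscustomobject]@{
    Template        = $TemplateName
    SuppliesSubject = $suppliesSubject
    ManagerApproval = $needsApproval
    Signatures      = $signatures
    OidInAllowList  = $oidAllowed
} | Format-List

# Requester-supplied subject plus a requester-supplied extension must be gated by
# manager approval with exactly one authorized signature, as sections 3.10.1/3.10.2 require.
if ($suppliesSubject -and $oidAllowed -and -not ($needsApproval -and $signatures -eq 1)) {
    Write-Warning "Template '$TemplateName' allows a request-supplied subject and $Oid without manager approval and one signature; re-check the Issuance Requirements tab."
}
```

Run it once after the restart in each procedure; a template that reports SuppliesSubject and OidInAllowList as True must also report ManagerApproval True and Signatures 1.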