Creating the certificate templates

The certificate templates you create can be used for configuring WiFi, VPN, and Exchange. The Certificate Authority server uses these templates to generate the client certificate that is installed on devices. When you configure WiFi, VPN, and Exchange to use a certificate template, you must ensure that the connector service account has Read and Register permissions. The following screenshot provides a reference. If you do not give these permissions, we cannot find the templates.

You create certificate user and computer templates on the Active Directory certificate authority server you defined. (see How to select the policy service for device management). The templates you create must be named as follows, including the uppercase letters:

Computer-ClientAuth

User-ClientAuth

In some cases, you specify in the profile which type of certificate (user or computer) to use for authentication (for example, the iOS Wi-Fi profile) while others require you to use either the computer or the user certificate. To simplify profile configuration, we recommend creating both templates.

You use the Microsoft Management Console (MMC) on the certification authority server designated in the Centrify Connector to create the templates.

  1. Launch certsrv.msc or the Certificate Authority console on the Windows server with the certification authority installed.
  2. Expand the certification authority, right-click Certificate Templates, and click Manage.

  3. Right-click Computer choose Duplicate Template.

    To create the User-ClientAuth template, you right-click User instead and then choose Duplicate Template.

  4. Click the Compatibility tab, select Windows Server 2008 and click OK.

  5. Click the General tab and enter Computer-ClientAuth in the Template display name text box.

    This action also automatically fills in the Template name field.

    If you are creating the user template, enter User-ClientAuth instead.

  6. Set the Validity period: and Renewal period values.
  7. Click the Subject Name tab and select Supply in the request.
  8. Click the Security tab, select Authenticated Users and select the Register permission.
  9. On the same tab, select Domain Computers and select the Register permission.
  10. Click OK and close the Certificate Templates Console.
  11. In the MMC, right-click Certificate Templates, click New, and click Certificate Template to Issue.

  12. Click Computer-ClientAuth and click OK.

    If you are creating the user template, click User-ClientAuth instead and click OK.

    The templates you create should now appear in the Certificate Templates folder.