Setup Server 2019 Enterprise CA 5/5: Deploy Policy Templates

Previous: Setup Group Policy


After Setting up an Enterprise CA some Certificate policies are available without additional configuration. In this post I will demonstrate how to add Certificate Template and publish it.

Deploy Policy Templates


1. On the Subordinate CA start the “Certification Authority” and select “Certificate Templates”. In the right pane all the out of the box templates are visible. These can be requested by Users, Computers, etc depending on the type.


2. To add a new template rightclick “Certificat Templates” and select “Manage”


3. An overview with all available templates will appear.


4. To avoid editing the original template Rightclick the template and select “Duplicate Template”


5. Give the new template a unique name and press “OK”


6. Rightclick “Certificat Templates” and select “New” -> “Certificate Template to Issue”


7. Select in the “Enable Certificate Templates” list the template which was created and press “OK”


8. The certificate is now visible in the “Certificate Templates” Pane


Test the certificate

9. Logon to a domain joined computer. Start “MMC” and select “file” -> “Add/Remove Snap-in”.


10. Select the “Certificates” snap-in and press “Add”.


11. Select “My user account” in the Certificates snap-in popup and press “Finish”. Press “OK” to close the snap-in manager. (Only select “my user account” for user templates, for computer related templates select “Computer account”)


12. Rightclick “Personal” and select “All Tasks” -> “Request New Certificate”


13. Press “Next”


14. Press “Next” (by default “Active Directory Enrollment Policy” is selected)


15. In the “Request Certificates” overview all available user related policy templates are displayed. The created template should appear. Check the box of the created template and press “Enroll”


16. The template will be requested. After a while the status should be “Succeeded”. Press “Finish” to continue.


17. The new certificate is now visible.


18. When you doubleclick the Certificate and select “Certification Path” you should see the RootCA, SubordinateCA and requested Certificate. All Certificates should be “OK”


This was the final post of the Setup Server 2019 Enterprise CA tutorial.

Add a comment if you have questions.



22 thoughts on “Setup Server 2019 Enterprise CA 5/5: Deploy Policy Templates

  1. Shawn C.

    I am having an issue with the new template no showing up when requesting a new certificate. It shows the default 4 templates , but not showing the new CA templates. If I choose for it to ‘SHOW ALL TEMPLATES” by checking that option. I see all of the templates, but they all say unavailable and have a red X

    1. Aad Lutgert Post author

      Hi Shawn,

      How did you open the certificate console (step 11). Some certificates need to be requested by the computer account (select computer account) and other by a user account (select user account). There is also a possibility you do not have permissions to enroll the certificate. Then you need to check the Security tab of the new template (see step 5).

      best regards,

      Aad Lutgert

      1. Jack Turner

        I had this problem. I could duplicate and add a template, but I couldn’t use it to issue a cert. The problem seems to have been that the time of the template was set a couple of hours in the future…not sure why. The time on the two systems was the same. Still, all I had to do is wait until after the “issue date/time” and everything worked properly.

  2. Edwin Flores

    First let me say that its been a really good guide for PKI.
    I get to the point where I am configuring the templates, so I configured a couple of templates, following duplicate as you said. when I go New>Certificate Template to Issue, so they show up as available. the new Templates are not part of the list I choose. it says that I should wait for replication, but nothing works. any idea?
    also you didnt mention anything about the configuration the IIS needs for the web enrollment service to work ( https)

    1. Aad Lutgert Post author

      Hi Edwin,

      Thanks for visiting the website. I’m not familiar with the issue you describe. Did you check the logging on client where you request the certificate and did you check if the Certificate server is accessible from your client?

      You are correct about the web enrollment service, it’s not included in this guide. I will try to add this part later.

      best regards,

      Aad Lutgert

  3. Manfred

    Great guide. Thank you.
    Since templates are replicated in AD, you need to have patients in large AD environments.
    Same is true if you delete a template en duplicate it with the same name. Better take some time between actions or never reuse a template name.

  4. Clint

    This is a great guide. I was just curious about capolicy.inf. You don’t mention it in the setup section. Do you not consider it important to configure beforehand and instead just use all default settings as they are generated? In particular, I’ve been finding no information about finding/generating a private OID to use in capolicy.inf in Server 2019 CA.

    1. Aad Lutgert Post author

      Hi Clint,

      Thanks for your comments. You are right about the capolicy.inf this guide is intended for setting up a Lab environment for testing PKI, therefore I left this part out. I will add more information about the capolicy.inf at a later time.

      Depending on your situation you can use a fictional OID (testing/private), if you want to use your PKI environment in Public you will need to request an official OID. When you do not use the capolicy.inf the OID is autogenerated by using the OID of Microsoft: You can view the generated OID by using the following PS script

      Get-ADObject (‘CN=OID,CN=Public Key Services,CN=Services,’+(Get-ADRootDSE).configurationNamingContext) -Properties msPKI-Cert-Template-OID

      An official private OID can be requested using this link:

      I hope this will help you.

    2. Aad Lutgert Post author

      Hi Clint,

      I’ve just updated the information about creating the Offline Rootca, I’ve added information about the CAPolicy.inf and also about the OID.

      regards, Aad

  5. Austin Dailey

    After trying to enroll in new certificate as shown in step 15, I get an error saying the Request denied because “The email name is unavailable and cannot be added to the Subject or Subject Alternate name.” What does this mean?

    1. Aad Lutgert Post author

      You’re probably trying to enroll a certificate which tries to add an e-mail name to the subject with an user without an e-mail address. You can add an e-mail address to the AD user (AD properties -> General -> E-Mail) or you can edit the Certificate Template (See Step 5.) and remove in the “include e-mail name in subject name” in the “Subject Name” tab.

  6. Alex

    I have generated a new certificate for use by WSUS for SSL traffic but when I import the certificate into the local machine it can’t find the other CA in the chain unless I add all three certificates.

    I get a message saying Cannot find CA or similar.

  7. Daniel

    Great tutorial. I have spent quite a few days attempting to build a PKI for my little ad-hoc lab. Your guide allowed for to complete the task successfully for the first time.

  8. PHIL

    thank you for this best guide. i want the users use certificate to connect wifi and i want to deploy certificate for all local applications. i don’t now how to do that. can you help me please?

    Tank you

  9. Daniel

    That is a wonderful tutorial! In steps 4 to 6, if I want to use the computer certificate instead of a user, would I do it the same way? Also how do I use the GPO to push the certificate instead of having all the computers request? Thanks!


Leave a Reply

Your email address will not be published. Required fields are marked *