CIV Certificate Templates
New CA certificate templates dedicated to CIV (Commercial Identity Verification) can be defined in the CA. You can issue CIV cards with all the CAs that are supported by ActivID CMS.
Getting Started
- Run mmc.exe to open the Microsoft Management Console.
- On the File menu, click Add/Remove Snap-in.
- In the Available snap-ins window, click Certificate Template, and then click Add.
- Click OK.
- In the console tree, expand your CA.

- In the list of templates provided by default by Microsoft CA, right-click on the Smartcard Logon template, and select Duplicate Template.
- In the General tab, clear the Publish certificate in Active Directory option (if selected), and then click OK.
- In the Request Handling tab, from the Purpose drop-down list, select Signature and smartcard logon.
- Select the Prompt the user during enrollment option, and then click OK.
- In the Cryptography tab, select the Algorithm name, Minimum key size (should be set to 2048), and Hash algorithm (should be set to SHA256). Then, click OK.
- In the Extensions tab, in the Extension included in this template section, select Application Policies, and then click Edit.
- In the Description of Application Policies box, verify that the Client Authentication and Smart Card Logon policies are present, and then click OK.
- In the Extension included in this template section, select Issuance Policies.
- Verify that no issuance policies are added.
- In the Issuance Requirements tab, edit the settings as follows:
  - Select the This number of authorized signatures option. This allows ActivID CMS to issue a card. In the text box, enter the required number.
  - From the Application policy drop-down list, select Certificate Request Agent.
  - Select the Same criteria as for enrollment option.
  - Click OK.
- In the Security tab, click Authenticated Users and, in the Allow column, select the Read and Enroll permissions. Then, click OK.
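
The steps above can be checked after the fact by reading the template's attributes from Active Directory. The following PowerShell is an added example, not part of the ActivID CMS documentation; the function name `Test-CivAuthTemplate` and the sample values are assumptions, and the hash algorithm and Security tab permissions are not checked.

```powershell
# Added example: audit a duplicated Smartcard Logon template against the steps above.
# Attribute names are the AD schema attributes of pKICertificateTemplate objects.
$OID_CLIENT_AUTH     = '1.3.6.1.5.5.7.3.2'       # Client Authentication
$OID_SMARTCARD_LOGON = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon
$OID_REQUEST_AGENT   = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: publish in AD
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100  # msPKI-Enrollment-Flag: prompt the user

function Test-CivAuthTemplate {   # hypothetical helper name
    param([Parameter(Mandatory)] $Template)  # hashtable or Get-ADObject result
    $findings = @()
    if ([int]$Template.'msPKI-Minimal-Key-Size' -lt 2048) {
        $findings += 'Minimum key size is below 2048'
    }
    $appPolicies = @($Template.'msPKI-Certificate-Application-Policy' | Where-Object { $_ })
    foreach ($oid in $OID_CLIENT_AUTH, $OID_SMARTCARD_LOGON) {
        if ($appPolicies -notcontains $oid) { $findings += "Application policy $oid is missing" }
    }
    if (@($Template.'msPKI-Certificate-Policy' | Where-Object { $_ }).Count -gt 0) {
        $findings += 'Issuance policies are present (expected none)'
    }
    if ([int]$Template.'msPKI-RA-Signature' -lt 1) {
        $findings += 'No authorized signature is required'
    }
    # The value is a bare OID or a longer packed string, so match the OID as a substring.
    $raPolicies = @($Template.'msPKI-RA-Application-Policies' | Where-Object { $_ }) -join ' '
    if ($raPolicies -notlike "*$OID_REQUEST_AGENT*") {
        $findings += 'Certificate Request Agent is not the required signer policy'
    }
    $flags = [int]$Template.'msPKI-Enrollment-Flag'
    if ($flags -band $CT_FLAG_PUBLISH_TO_DS) { $findings += 'Publish certificate in Active Directory is set' }
    if (-not ($flags -band $CT_FLAG_USER_INTERACTION_REQUIRED)) {
        $findings += 'Prompt the user during enrollment is not set'
    }
    return $findings
}

# Constructed sample, not a real template: 1024-bit keys and publishing left on.
$sample = @{
    'msPKI-Minimal-Key-Size'               = 1024
    'msPKI-Certificate-Application-Policy' = @($OID_CLIENT_AUTH, $OID_SMARTCARD_LOGON)
    'msPKI-Certificate-Policy'             = @()
    'msPKI-RA-Signature'                   = 1
    'msPKI-RA-Application-Policies'        = @($OID_REQUEST_AGENT)
    'msPKI-Enrollment-Flag'                = 0x108
}
Test-CivAuthTemplate -Template $sample
```

To audit a live template, pass the object returned by `Get-ADObject ... -Properties *` (ActiveDirectory module) for the template under `CN=Certificate Templates,CN=Public Key Services,CN=Services` in the configuration naming context.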

- In the list of templates provided by default by Microsoft CA, right-click on the User template, and then select Duplicate Template.
- Select a template, and then click OK.
- In the Issuance Requirements tab, select This number of authorized signatures (if it is not already selected).
- In the Request Handling tab, next to Purpose, select Signature.
- In the Subject Name tab, select Supply in the request. The Subject Name is supplied by ActivID CMS.
- For a Windows 2008 Server CA, configure the Minimum key size to 2048, and select the Hash algorithm (should be set to SHA256).
- In the Extensions tab, in the Extension included in this template box, select Application Policies, and then click Edit.
- In the Edit Application Policies Extension window, select the policy that you want to remove, and then click Remove.
- Delete all policies, except the Client Authentication policy. Verify the Client Authentication description and then click OK.
- Go back to the Extensions tab and select Issuance Policies, and then click Edit.
- Verify that no issuance policies are added.
- Click OK.

- In the list of default templates provided by Microsoft CA, right-click on the User Signature Only template, and then select Duplicate Template.
- Select a template, and then click OK.
- In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.
- From the Application policy drop-down list, select Certificate Request Agent.
- In the Subject Name tab, for CIV mode, select Build from this Active Directory information. Make sure that only E-mail name is selected to be included in the alternate subject name.
- In the Security tab, in the Group or user name section, select Authenticated Users.
- Select the Read and Enroll permissions.
- In the Cryptography tab, for a Windows 2008 Server CA, configure the Minimum key size to 2048, and select the Hash algorithm (should be set to SHA256).
- In the Request Handling tab, next to Purpose, select Signature.
- Click OK.

- In the list of default templates provided by Microsoft CA, right-click on the Exchange User template, and then select Duplicate Template.
- In the Issuance Requirements tab, select the This number of authorized signatures option. This allows ActivID CMS to issue a card.
- From the Application policy drop-down list, select Certificate Request Agent.
- In the Subject Name tab, for CIV mode, select Build from this Active Directory information.
- In the Request Handling tab, select the Encryption option.
- In the Extensions tab, in the Extension included in this template section, select Issuance Policies.
- Verify that no issuance policies are added.
- In the General tab, select Publish certificate in Active Directory.
- Click OK.