3 Structure Example

The example in this section is the output of running the following command on any computer that runs an applicable Windows Server release.

 certutil -v -dstemplate administrator

The command reads the attributes of the "administrator" certificate template and displays them as shown below.

  
 [Administrator]
 objectClass = "top", "pKICertificateTemplate"
 cn = "Administrator"
 distinguishedName = 
     "CN=Administrator,CN=Certificate Templates,
      CN=Public Key Services,CN=Services,
      CN=Configuration,DC=contoso, DC=com"
 instanceType = "4"*
 whenCreated = "19990212152445.0Z" 2/12/1999 7:24 AM* 
 whenChanged = "20060908182747.0Z" 9/8/2006 10:27 AM*
 displayName = "Administrator"
 uSNCreated = "8221" 0x201d*
 uSNChanged = "8221" 0x201d*
 showInAdvancedViewOnly = "TRUE"*
 name = "Administrator"
 objectGUID = "0dbfa8b3-c28f-11d2-91e6-08002ba3ed3b"*
 flags = "66106" 0x1023a**
          
   (CT_FLAG_MACHINE_TYPE -- 40 (64))
 (CT_FLAG_IS_CA -- 80 (128))
  (CT_FLAG_IS_CROSS_CA -- 800 (2048))
 CT_FLAG_IS_DEFAULT -- 10000 (65536)
 (CT_FLAG_IS_MODIFIED -- 20000 (131072))
  
 revision = "4"
 objectCategory = 
     "CN=PKI-Certificate-Template,CN=Schema,
      CN=Configuration,DC=contoso,DC=com"*
 pKIDefaultKeySpec = "1"
 pKIKeyUsage = "a0 00"
 pKIMaxIssuingDepth = "0"
 pKIExpirationPeriod =  "1 Years"
 pKIOverlapPeriod =  "6 Weeks"
 pKIExtendedKeyUsage = 
     "1.3.6.1.4.1.311.10.3.1" Microsoft Trust List Signing, 
     "1.3.6.1.4.1.311.10.3.4" Encrypting File System, 
     "1.3.6.1.5.5.7.3.4" Secure Email, 
     "1.3.6.1.5.5.7.3.2" Client Authentication
 pKIDefaultCSPs = 
     "2,Microsoft Base Cryptographic Provider v1.0", 
     "1,Microsoft Enhanced Cryptographic Provider v1.0"
 dSCorePropagationData = 
     "16010101000000.0Z" EMPTY*
 msPKI-RA-Signature = "0"
 msPKI-Enrollment-Flag = "41" 0x29**
          
 CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS -- 1
 (CT_FLAG_PEND_ALL_REQUESTS -- 2)
 (CT_FLAG_PUBLISH_TO_KRA_CONTAINER -- 4)
 CT_FLAG_PUBLISH_TO_DS -- 8
 (CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE -- 10 (16))
 CT_FLAG_AUTO_ENROLLMENT -- 20 (32)
 (CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT -- 40 (64))
 (CT_FLAG_USER_INTERACTION_REQUIRED -- 100 (256))
     (CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE 
       -- 400 (1024))
 (CT_FLAG_ALLOW_ENROLL_ON_BEHALF_OF -- 800 (2048))
 msPKI-Private-Key-Flag = "16" 0x10**
  
 (CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL -- 1)
 CT_FLAG_EXPORTABLE_KEY -- 10 (16)
 (CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED -- 20 (32))
 msPKI-Certificate-Name-Flag = "-1509949440" 0xa6000000**
  
    (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT -- 1)
    (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME 
       -- 10000 (65536))
    (CT_FLAG_SUBJECT_ALT_REQUIRE_DOMAIN_DNS 
       -- 400000 (4194304))
    (CT_FLAG_SUBJECT_ALT_REQUIRE_DIRECTORY_GUID 
       -- 1000000 (16777216))
     CT_FLAG_SUBJECT_ALT_REQUIRE_UPN 
       -- 2000000 (33554432)
     CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL 
       -- 4000000 (67108864)
    (CT_FLAG_SUBJECT_ALT_REQUIRE_DNS 
       -- 8000000 (134217728))
    (CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN 
       -- 10000000 (268435456))
    CT_FLAG_SUBJECT_REQUIRE_EMAIL 
       -- 20000000 (536870912)
    (CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME 
       -- 40000000 (1073741824))
    CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH 
       -- 80000000 (-2147483648)
  

*Attributes marked with a single asterisk are not used by the Windows Client Certificate Enrollment Protocol.

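**For attributes marked with two asterisks, the flags defined for the attribute are listed beneath it, each with its value in hexadecimal followed, where the two differ, by the decimal value in parentheses. A flag name shown without parentheses is set in the current template; a flag name enclosed in parentheses is a possible value for the attribute that is not set in the current template. For example, the msPKI-Enrollment-Flag value 0x29 is the sum of the three flags shown without parentheses (0x1 + 0x8 + 0x20). When reviewing a template, the same reading applies to the security-relevant flags: in this example CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT and CT_FLAG_PEND_ALL_REQUESTS are not set, and CT_FLAG_EXPORTABLE_KEY is set. Some of the possible flags for each attribute have been removed from the listing because they are not used by the Windows Client Certificate Enrollment Protocol, so the flags shown do not always add up to the attribute value (for example, flags = 0x1023a).<41><42>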