To clone a certificate template from a Windows 2000 CA to a Windows Server 2008 CA, follow these steps:
1. On the Windows 2000 CA, view the available certificate templates. To do this, run the following command at a command prompt:

certutil -dstemplate

Run without a template name, the command lists every template in the forest. The following is a sample output (the ellipses mark portions of the listing that are omitted here).

[Version]
Signature = "$Windows NT$"
…
[User]
cn = "User"
displayName = "User"
flags = "66090"
instanceType = "4"
distinguishedName = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=2000dom,DC=local"
objectCategory = "CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=2000dom,DC=local"
objectClass = "top", "pKICertificateTemplate"
objectGUID = "ceaffe04-94aa-4b61-a47b-08a57cf51465"
pKIDefaultCSPs = "4,Microsoft Base DSS and Diffie-Hellman Cryptographic Provider", "3,Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider", "2,Microsoft Base Cryptographic Provider v1.0", "1,Microsoft Enhanced Cryptographic Provider v1.0"
pKIDefaultKeySpec = "1"
pKIExpirationPeriod = "1 Years"
pKIExtendedKeyUsage = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
pKIKeyUsage = "a0 00"
pKIMaxIssuingDepth = "0"
pKIOverlapPeriod = "2 Weeks"
name = "User"
revision = "0"
showInAdvancedViewOnly = "TRUE"
uSNChanged = "20244"
uSNCreated = "20244"
whenChanged = "20060117190533.0Z"
whenCreated = "20060117190533.0Z"
…
[TemplateList]
…
Template = "User"
…
2. Save the certificate template that you want to clone to a file. To do this, run the following command at a command prompt:

certutil -dstemplate TemplateName > FilePath

For example, run the following command to save the User certificate template to the User.txt file on the C drive:

certutil -dstemplate User > C:\User.txt

The following is a sample file.

[Version]
Signature = "$Windows NT$"
[User]
objectClass = "top", "pKICertificateTemplate"
cn = "User"
distinguishedName = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=2000dom,DC=local"
instanceType = "4"
whenCreated = "19990608221419.0Z"
whenChanged = "20021024235511.0Z"
displayName = "User"
uSNCreated = "19159"
uSNChanged = "118448625"
showInAdvancedViewOnly = "TRUE"
name = "User"
objectGUID = "79fbccec-1def-11d3-88a3-0008c74b8ad3"
flags = "197178"
revision = "3"
objectCategory = "CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=2000dom,DC=local"
pKIDefaultKeySpec = "1"
pKIKeyUsage = "a0 00"
pKIMaxIssuingDepth = "0"
pKIExpirationPeriod = "1 Years"
pKIOverlapPeriod = "6 Weeks"
pKIExtendedKeyUsage = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
pKIDefaultCSPs = "2,Microsoft Base Cryptographic Provider v1.0", "1,Microsoft Enhanced Cryptographic Provider v1.0"
[TemplateList]
Template = "User"
CertUtil: -dsTemplate command completed successfully.
3. Open the file, and then replace the certificate template name with the new name in the section header and in the following attributes:

   - cn
   - distinguishedName (only the leading CN= component; the rest of the path names the Certificate Templates container and stays unchanged)
   - displayName
   - name
   - Template (in the [TemplateList] section)

For example, the file contains the following information.

[User]
cn = "User"
distinguishedName = "CN=User…
displayName = "User"
name = "User"
Template = "User"

After you replace User with UserDuplicate, the information resembles the following.

[UserDuplicate]
cn = "UserDuplicate"
distinguishedName = "CN=UserDuplicate…
displayName = "UserDuplicate"
name = "UserDuplicate"
Template = "UserDuplicate"
4. Remove the following attributes and the last line of the file (the CertUtil status message that the redirection captured). These attributes are assigned by the directory when an object is created and must not be supplied on import:

   - whenCreated
   - whenChanged
   - uSNCreated
   - uSNChanged
   - objectGUID

For example, you remove the following information from the User.txt file.

whenCreated = "19990608221419.0Z"
whenChanged = "20021024235511.0Z"
uSNCreated = "19159"
uSNChanged = "118448625"
objectGUID = "79fbccec-1def-11d3-88a3-0008c74b8ad3"
CertUtil: -dsTemplate command completed successfully.

The following example is the final version of the User.txt file. Note that the section header has been renamed together with the attributes, as in step 3; certutil looks up each name listed under [TemplateList] as a section of the file.

[Version]
Signature = "$Windows NT$"
[UserDuplicate]
objectClass = "top", "pKICertificateTemplate"
cn = "UserDuplicate"
distinguishedName = "CN=UserDuplicate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=2000dom,DC=local"
instanceType = "4"
displayName = "UserDuplicate"
showInAdvancedViewOnly = "TRUE"
name = "UserDuplicate"
flags = "197178"
revision = "3"
objectCategory = "CN=PKI-Certificate-Template,CN=Schema,CN=Configuration,DC=2000dom,DC=local"
pKIDefaultKeySpec = "1"
pKIKeyUsage = "a0 00"
pKIMaxIssuingDepth = "0"
pKIExpirationPeriod = "1 Years"
pKIOverlapPeriod = "6 Weeks"
pKIExtendedKeyUsage = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
pKIDefaultCSPs = "2,Microsoft Base Cryptographic Provider v1.0", "1,Microsoft Enhanced Cryptographic Provider v1.0"
[TemplateList]
Template = "UserDuplicate"

5. Copy the file to the Windows Server 2008 CA in the domain, and then run the following command at a command prompt to add the new certificate template to the forest. The command writes to the Configuration partition of Active Directory, so run it as a user who can create objects in the Certificate Templates container (Enterprise Admins by default):

certutil -dsaddtemplate FileName

If the certificate template is added successfully, the following output is displayed.

C:\>certutil -dsaddtemplate FileName
[NewTemplateName]
Created DS Template: NewTemplateName
CertUtil: -dsAddTemplate command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

Note that the exported file carries no security descriptor, so the new template's enrollment permissions are whatever the directory assigns by default. It does carry the source template's flags, key settings and extended key usages (in the sample, EFS, Secure Email and Client Authentication). Review both before you enable the CA to issue the new template.

6. Restart the Certificate Services service (CertSvc).
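As an added example (not part of the original article, and not Microsoft code), the following Python script performs steps 3 and 4 on a certutil -dstemplate export and then runs the checks an operator would want before step 5: it renames the section header and identity attributes, drops the directory-generated attributes and the trailing status line, verifies that nothing of the old identity survived, and decodes the pKIExtendedKeyUsage OIDs so you can see what the clone will let certificates be used for. The embedded SAMPLE_EXPORT is constructed from the User template shown above and shortened; the EKU OID names are the standard assignments, not something the page states.

```python
"""
Added example (not from the original article, not Microsoft code): performs
steps 3 and 4 on a `certutil -dstemplate <Name>` export and runs pre-import
checks. SAMPLE_EXPORT is constructed from the page's User template listing,
shortened; the EKU OID names are the standard assignments, not from the page.
"""
import re

# Attributes whose value is the template name and must be renamed (step 3).
NAME_ATTRS = {"cn", "displayName", "name", "Template"}
# Directory-generated attributes that must be removed before import (step 4).
DROP_ATTRS = {"whenCreated", "whenChanged", "uSNCreated", "uSNChanged", "objectGUID"}
# Standard EKU OID names, so the operator can see what the clone permits.
EKU_NAMES = {
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
}

# Constructed sample: the page's exported User template, trimmed.
SAMPLE_EXPORT = """[Version]
Signature = "$Windows NT$"
[User]
objectClass = "top", "pKICertificateTemplate"
cn = "User"
distinguishedName = "CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=2000dom,DC=local"
instanceType = "4"
whenCreated = "19990608221419.0Z"
whenChanged = "20021024235511.0Z"
displayName = "User"
uSNCreated = "19159"
uSNChanged = "118448625"
showInAdvancedViewOnly = "TRUE"
name = "User"
objectGUID = "79fbccec-1def-11d3-88a3-0008c74b8ad3"
flags = "197178"
revision = "3"
pKIExtendedKeyUsage = "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.2"
[TemplateList]
Template = "User"
CertUtil: -dsTemplate command completed successfully.
"""

_ATTR_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def clone_template(export_text: str, old_name: str, new_name: str) -> str:
    """Return the export rewritten as a new template named new_name."""
    out = []
    for line in export_text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("CertUtil:"):
            continue  # blank lines and the trailing status message (step 4)
        if line == f"[{old_name}]":
            out.append(f"[{new_name}]")  # the section header names the template
            continue
        m = _ATTR_RE.match(line)
        if not m:
            out.append(line)  # [Version], [TemplateList], anything else
            continue
        attr, value = m.group(1), m.group(2)
        if attr in DROP_ATTRS:
            continue
        if attr in NAME_ATTRS and value == f'"{old_name}"':
            value = f'"{new_name}"'
        elif attr == "distinguishedName":
            # Only the leading RDN changes; the container path stays as is.
            value = value.replace(f'"CN={old_name},', f'"CN={new_name},', 1)
        out.append(f"{attr} = {value}")
    return "\n".join(out) + "\n"


def extended_key_usages(template_text: str) -> list:
    """Decode pKIExtendedKeyUsage so you can see what the clone allows."""
    for line in template_text.splitlines():
        m = _ATTR_RE.match(line)
        if m and m.group(1) == "pKIExtendedKeyUsage":
            oids = re.findall(r'"([^"]+)"', m.group(2))
            return [EKU_NAMES.get(oid, oid) for oid in oids]
    return []


def validate_clone(template_text: str, old_name: str, new_name: str) -> list:
    """Checks to run before -dsaddtemplate; returns a list of problems."""
    lines = template_text.splitlines()
    problems = []
    if f"[{new_name}]" not in lines:
        problems.append("section header was not renamed")
    if f'"{old_name}"' in template_text or f"[{old_name}]" in lines:
        problems.append("old template name still present")
    for attr in sorted(DROP_ATTRS):
        if any(ln.startswith(attr + " ") or ln.startswith(attr + "=") for ln in lines):
            problems.append(f"directory-generated attribute {attr} still present")
    if any(ln.startswith("CertUtil:") for ln in lines):
        problems.append("certutil status line still present")
    if f'Template = "{new_name}"' not in lines:
        problems.append("[TemplateList] does not name the new template")
    return problems


if __name__ == "__main__":
    cloned = clone_template(SAMPLE_EXPORT, "User", "UserDuplicate")
    print(cloned)
    print("EKUs:", ", ".join(extended_key_usages(cloned)))
    print("problems:", validate_clone(cloned, "User", "UserDuplicate") or "none")
```

In practice you would feed the script the file produced by certutil -dstemplate User > C:\User.txt, write its output to a new file, and only after validate_clone returns no problems run certutil -dsaddtemplate on that file. The EKU listing is the part worth reading before import: a template that carries Client Authentication issues certificates that can be used to log on, so the enrollment permissions on the new object deserve the same review as on the original.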