Overview of the availability of options when changing the compatibility settings of a certificate template

Starting with the Certificate Services management tools in Windows Server 2012, you can select the desired compatibility level for the certification authority and for the certificate recipient when configuring a certificate template.

The following overview shows which options become available at each step when the compatibility settings for the certification authority and/or the certificate recipients are changed.

Compatibility settings for the certification authority

From Windows Server 2003 to Windows Server 2008

  • Cryptography / Use alternate signature format (only if client compatibility is set accordingly, at least Windows Vista)
  • Cryptography / Key Storage Provider (only if client compatibility is set accordingly, at least Windows Vista)

From Windows Server 2008 to Windows Server 2008 R2

  • Server / Do not store certificates and requests in the CA database
  • Server / Do not include revocation information in issued certificates
  • Extensions / Basic Constraints (only if client compatibility is set accordingly, at least Windows 7)

From Windows Server 2008 R2 to Windows Server 2012

  • Request Handling / Renew with the same key (only if client compatibility is set accordingly, at least Windows 8)
  • Issuance Requirements / Allow key based renewal (only if client compatibility is set accordingly, at least Windows 8)
  • Extensions / Enable requestor specified issuance policies (only if client compatibility is set accordingly, at least Windows 8)

From Windows Server 2012 to Windows Server 2012 R2

  • Key Attestation / Required, if client is capable (only if client compatibility is set accordingly, at least Windows 8.1)
  • Key Attestation / Required (only if client compatibility is set accordingly, at least Windows 8.1)
  • Key Attestation / User credentials (only if client compatibility is set accordingly, at least Windows 8.1)
  • Key Attestation / Hardware certificate (only if client compatibility is set accordingly, at least Windows 8.1)
  • Key Attestation / Hardware key (only if client compatibility is set accordingly, at least Windows 8.1)
  • Key Attestation / Perform attestation only (do not include issuance policies) (only if client compatibility is set accordingly, at least Windows 8.1)

From Windows Server 2012 R2 to Windows Server 2016

  • No change

Compatibility settings for the certificate recipients

From Windows XP to Windows Vista

  • Request Handling / For automatic renewal of smart card certificates, use the existing key if a new key cannot be created
  • Cryptography / Use alternate signature format (only if server compatibility is set accordingly, at least Windows Server 2008)
  • Cryptography / Key Storage Provider (only if server compatibility is set accordingly, at least Windows Server 2008)

From Windows Vista to Windows 7

  • Extensions / Basic Constraints (only if server compatibility is set accordingly, at least Windows Server 2008 R2)

From Windows 7 to Windows 8

  • Subject Name / Use subject information from existing certificates for autoenrollment renewal request
  • Request Handling / Renew with the same key (only if server compatibility is set accordingly, at least Windows Server 2012)
  • Issuance Requirements / Allow key based renewal (only if server compatibility is set accordingly, at least Windows Server 2012)
  • Extensions / Enable requestor specified issuance policies (only if server compatibility is set accordingly, at least Windows Server 2012)

From Windows 8 to Windows 8.1

  • Key Attestation / Required, if client is capable (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
  • Key Attestation / Required (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
  • Key Attestation / User credentials (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
  • Key Attestation / Hardware certificate (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
  • Key Attestation / Hardware key (only if server compatibility is set accordingly, at least Windows Server 2012 R2)
  • Key Attestation / Perform attestation only (do not include issuance policies) (only if server compatibility is set accordingly, at least Windows Server 2012 R2)

From Windows 8.1 to Windows 10

  • No change
