%3CLINGO-SUB%20id%3D%22lingo-sub-1128704%22%20slang%3D%22en-US%22%3EActive%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20-%20needs%20your%20help!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1128704%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Aug%2008%2C%202011%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20style%3D%22font-size%3A%20small%3B%22%3E%20If%20you%20have%20commonly%20asked%20questions%20about%20certificate%20services%20or%20PKI%20that%20you%20think%20should%20be%20listed%20in%20the%20%3CA%20title%3D%22AD%20CS%20FAQ%22%20href%3D%22http%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2Fad-cs-faq.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20Active%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20(AD%20CS%20FAQ%20%3C%2FA%3E%20)%20list%2C%20I%20encourage%20you%20to%20submit%20them%20to%20the%20TechNet%20Wiki%20posting%20%3CA%20title%3D%22AD%20CS%20FAQ%22%20href%3D%22http%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2Fad-cs-faq.aspx%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20http%3A%2F%2Fsocial.technet.microsoft.com%2Fwiki%2Fcontents%2Farticles%2Fad-cs-faq.aspx%20%3C%2FA%3E%20.%20Don't%20worry%20about%20the%20formatting%2C%20I%20can%20clean%20that%20up%2C%20if%20needed.%20Also%2C%20if%20you%20would%20rather%20have%20me%20add%20something%20for%20you%2C%20feel%20free%20to%20just%20reply%20to%20this%20blog.%20Thank%20you!%20%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1128704%22%20slang%3D%22en-US%22%3E%3CP%3EFirst%20published%20on%20TECHNET%20on%20Aug%2008%2C%202011%20If%20you%20have%20commonly%20asked%20questions%20about%20certificate%20services%20or%20PKI%20that%20you%20think%20should%20be%20listed%20in%20the%20Active%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20(AD%20CS%20FAQ)%20list%2C%20I%20encourage%20you%20to%20submit%20them%20to%20the%20TechNet%20Wiki%20posting%20http%3A%2F%2Fsocial.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1128704%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EKurtHudson%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1266359%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20-%20needs%20your%20help!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1266359%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F315057%22%20target%3D%22_blank%22%3E%40NoMoePwds%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20may%20not%20be%20a%20frequently%20asked%20question%20but%20hoping%20someone%20can%20answer%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20trying%20to%20figure%20out%20what%20I%20needed%20to%20do%20to%20ensure%20a%20new%20certificate%20template%20had%20an%20extension%20with%20the%20%3CSPAN%3EBMP%20data%20value%20%22DomainController%22%20I%20incorrectly%20added%20a%20new%20EKU%20named%20%22DomainController%22%20with%20the%20OID%20value%26nbsp%3B1.3.6.1.4.1.311.20.2%20(in%20a%20test%20environment).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECertificate%20Templates%20Console%20-%26gt%3B%20Duplicate%20template%20-%26gt%3B%20Extensions%20tab%20-%26gt%3B%20Application%20Policies%20-%26gt%3B%20new%20EKU%20added%20via%20Edit%20Application%20Policies%20Extension%20window.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20it%20possible%20to%20delete%20it%20(rather%20than%20just%20remove%20it%20from%20the%20template)%3F%26nbsp%3B%20W%3C%2FSPAN%3E%3CSPAN%3Ehat%20is%20the%20BMP%20data%20value%20referring%20to%20-%20the%20Certificate%20Template%20Name%20extension%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1344373%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20-%20needs%20your%20help!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1344373%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20never%20dealt%20with%20this.%26nbsp%3B%20I%20simply%20use%20one%20of%20the%20existing%20Domain%20Controller%20templates%20to%20create%20new%20ones.%26nbsp%3B%20Mainly%20the%20Kerberos%20Authentication%20template%20now%20days.%26nbsp%3B%20I've%20never%20had%20any%20issues%20where%20I%20had%20to%20validate%20this%20setting%20and%20it%20is%20only%20present%20in%20the%20article%20leveraging%203rd%20party%20certificates%20for%20CA's.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1344721%22%20slang%3D%22en-US%22%3ERe%3A%20Active%20Directory%20Certificate%20Services%20Frequently%20Asked%20Questions%20-%20needs%20your%20help!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1344721%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F315057%22%20target%3D%22_blank%22%3E%40NoMoePwds%3C%2FA%3EMany%20thanks%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

First published on TECHNET on Aug 08, 2011

If you have commonly asked questions about certificate services or PKI that you think should be listed in the Active Directory Certificate Services Frequently Asked Questions (AD CS FAQ ) list, I encourage you to submit them to the TechNet Wiki posting http://social.technet.microsoft.com/wiki/contents/articles/ad-cs-faq.aspx . Don't worry about the formatting, I can clean that up, if needed. Also, if you would rather have me add something for you, feel free to just reply to this blog. Thank you!

3 Comments
New Contributor

@NoMoePwds 

 

This may not be a frequently asked question but hoping someone can answer it.

 

In trying to figure out what I needed to do to ensure a new certificate template had an extension with the BMP data value "DomainController" I incorrectly added a new EKU named "DomainController" with the OID value 1.3.6.1.4.1.311.20.2 (in a test environment).

 

Certificate Templates Console -> Duplicate template -> Extensions tab -> Application Policies -> new EKU added via Edit Application Policies Extension window.

 

Is it possible to delete it (rather than just remove it from the template)?  What is the BMP data value referring to - the Certificate Template Name extension?

 

Many thanks

Microsoft

I have never dealt with this.  I simply use one of the existing Domain Controller templates to create new ones.  Mainly the Kerberos Authentication template now days.  I've never had any issues where I had to validate this setting and it is only present in the article leveraging 3rd party certificates for CA's.  

New Contributor

@NoMoePwdsMany thanks