Issue and Distribute the Certificate

Once the certificate template has been created in the Certificate Templates snap-in and has replicated to all domain controllers in the forest, it can be published for deployment. The final task in publishing the certificate template is to select it for the Certification Authority (CA) to issue.

Issue the Certificate

To define which certificate templates are issued by a CA:

  1. In Administrative Tools, click Certification Authority.
  2. In the console tree, expand the CAName (where CAName is the name of your enterprise CA).
  3. In the console tree, select the Certificate Templates container.
  4. Right-click Certificate Templates, and then click New > Certificate Template to Issue.
  5. In the Enable Certificate Templates dialog box, select the Endpoint Privilege Management for Windows Configuration certificate template you want the CA to issue, and then click OK.

Distribute Public Keys

For signature verification to succeed at every client that reads signed Endpoint Privilege Management for Windows settings, a chain of trust must be established. To establish it, a suitable trust point must be distributed to each client that receives the Endpoint Privilege Management for Windows settings. This should be done automatically when using a Microsoft enterprise CA.

Alternatively, public keys can be distributed using Group Policy.

If you rely on third-party providers for certificates (for example, because you have no internal PKI), you can achieve this by asking for a "key signing ceremony" that allows you to specify the certificate parameters, such as custom "extended key usage" values, as described in this appendix.

For more information on distributing public keys using Group Policy, see Distribute Certificates to Client Computers by Using Group Policy.
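
The following PowerShell is an added example, not part of the product documentation. It checks both halves of this procedure: that the CA lists the template for issuance, and that a client can build a trusted chain for the signing certificate. The template name and certificate path are placeholders you must replace, and Test-SigningCertChain is a hypothetical helper name.

```powershell
# Added example. Placeholders (assumptions, not values from this guide):
#   $TemplateName    - short name of your configuration-signing certificate template
#   $SigningCertPath - exported public certificate (.cer) used to sign the settings
param(
    [string]$TemplateName    = '<YourTemplateName>',
    [string]$SigningCertPath = 'C:\Temp\<signing-cert>.cer'
)

# On the enterprise CA: confirm the template is in the CA's issue list.
# Get-CATemplate ships with the ADCSAdministration module on the CA server.
if (Get-Command Get-CATemplate -ErrorAction SilentlyContinue) {
    if (Get-CATemplate | Where-Object Name -eq $TemplateName) {
        "CA issues template '$TemplateName'"
    } else {
        Write-Warning "Template '$TemplateName' is not published on this CA"
    }
}

# On a client: confirm the signing certificate chains to a distributed trust point.
function Test-SigningCertChain {
    param([Parameter(Mandatory)][string]$Path)

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    # $true = build the chain in the local machine context
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    # Default policy checks revocation online; an unreachable CRL fails the build.
    $trusted = $chain.Build($cert)

    # Read the extended key usage OIDs straight from the certificate extension.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $last = $chain.ChainElements.Count - 1

    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        EKUs     = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        TopOfChain = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject }
        Trusted  = $trusted
        Problems = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)".Trim() })
    }
    $chain.Dispose()
}

if (Test-Path -LiteralPath $SigningCertPath) { Test-SigningCertChain -Path $SigningCertPath }
```

A result with Trusted = False and a Problems entry of UntrustedRoot or PartialChain means the trust point has not reached that client yet.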