Change User Certificate Template

Infineon Security Platform Solution

Using the Certificate Request Wizard, a user can select only one of the Cryptographic Service Providers (CSPs) that are stored in Active Directory for the relevant certificate template. To make the Cryptographic Service Providers delivered with the Security Platform Solution available for a user certificate request, the corresponding user certificate template must be modified.

How do you edit the user certificate template stored in the Active Directory?

  1. Installation of ADSI Edit

    The user certificate template can be modified using the Active Directory Services Interface editor (ADSI Edit). This editor is a Microsoft Management Console (MMC) snap-in that is part of the Support Tools located in the Support\Tools folder on the Windows 2000 Server operating system CD. To install the tools, double-click the Setup icon in that folder. For information about installing and using the Windows 2000 Support Tools and Support Tools Help, see the file Readme.doc in the Support\Tools folder of the Windows 2000 operating system CD. For more information about using ADSI Edit, see Microsoft Windows 2000 Resource Kit Tools Help.
     
  2. Start ADSI Edit

    Adsiedit.msc (the MMC snap-in for ADSI Edit) automatically attempts to load the domain to which the user is currently logged on. If the computer is installed in a workgroup or is otherwise not logged on to a domain, the error message "The specified domain does not exist" appears repeatedly. To avoid problems in this situation, open mmc.exe, add the ADSI Edit snap-in manually, make the connections you need with whatever credentials are necessary, and then save the console file. This gives you your own default console that works with ADSI Edit.
     
  3. Select User Certificate Template

    In Adsiedit.msc the following nodes must be modified to extend a certificate template:
    CN=<name of template>, CN=Certificate Templates, CN=Public Key Services, CN=Services, CN=Configuration, DC=<name of the domain>.
     

  4. Modify User Certificate Template

    Right-click the entry CN=User and, in the menu that appears, click Properties.

    Select the property to view: pKIDefaultCSPs.

    Edit Attribute:
    Add the following text: <n>,Infineon TPM Cryptographic Provider (where <n> is the next number in sequence in the Values list).

    Example: The Values list already has two items:
    1,Microsoft Enhanced Cryptographic Provider v1.0
    2,Microsoft Base Cryptographic Provider v1.0

    Add the following text:
    3,Infineon TPM Cryptographic Provider

    Click on Add and then Apply to store the certificate template change.

The Certification Authority (CA) is now ready to start enrolling users for Security Platform certificates.

Note: If you want to use the Cryptographic Service Providers delivered with the Security Platform Solution with other templates, the required steps are similar to those described above for the user certificate template in Active Directory.
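
The same change as steps 3 and 4, scripted in PowerShell as an added example (it is not part of the original Infineon documentation). The function names, the dry-run default and the -Commit switch are assumptions of this example; the template path, the pKIDefaultCSPs attribute and the provider string are the ones given above.

```powershell
# Added example; not Infineon code. Assumes a domain-joined host and an account
# with write access to the Configuration partition for the final step.
$CspName = 'Infineon TPM Cryptographic Provider'   # provider string from step 4

function Get-NextCspValue {
    # Input: current pKIDefaultCSPs values, each "<n>,<provider name>".
    # Output: the "<n>,<provider>" string to add, or $null if already listed.
    param([string[]]$Existing, [string]$Provider)
    $max = 0
    foreach ($v in $Existing) {
        $idx, $name = $v -split ',', 2
        if ($name -and $name.Trim() -eq $Provider) { return $null }
        $n = 0
        if ([int]::TryParse($idx, [ref]$n) -and $n -gt $max) { $max = $n }
    }
    return "$($max + 1),$Provider"
}

function Add-CspToTemplate {
    # Dry run by default; pass -Commit to write the change to the directory.
    param([string]$Template = 'User', [string]$Provider = $CspName, [switch]$Commit)
    $cfg  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dn   = "CN=$Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $tmpl = [ADSI]"LDAP://$dn"
    $current = @($tmpl.Properties['pKIDefaultCSPs'] | ForEach-Object { [string]$_ })
    $new = Get-NextCspValue -Existing $current -Provider $Provider
    if (-not $new)    { return "'$Provider' is already listed on $dn" }
    if (-not $Commit) { return "Would add '$new' to $dn" }
    [void]$tmpl.Properties['pKIDefaultCSPs'].Add($new)
    $tmpl.CommitChanges()
    return "Added '$new' to $dn"
}

# Constructed sample: the two-item Values list from the example in step 4.
$sample = '1,Microsoft Enhanced Cryptographic Provider v1.0',
          '2,Microsoft Base Cryptographic Provider v1.0'
Get-NextCspValue -Existing $sample -Provider $CspName

# Against a real domain (dry run, then the write):
# Add-CspToTemplate -Template 'User'
# Add-CspToTemplate -Template 'User' -Commit
```

Run the dry run first and compare the value it proposes with the Values list shown in ADSI Edit before committing.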


©Infineon Technologies AG