Certificate Templates and Enrollment Rights Brief
What They Control

Certificate templates define what a certificate will contain — purpose (EKU), validity, key properties, and whether the requester can specify the subject identity. Enrollment rights control who can request certificates using each template. Together they determine whether a certificate request path is safe or dangerous.

Mental Model

A template is an order form at the passport office. It determines what passport you get and whether you can fill in someone else's name. Enrollment rights determine who can submit the form. A dangerous form lets you write any name, grants full access, and is available to any employee.

Dangerous Combination

  • ENROLLEE_SUPPLIES_SUBJECT enabled — requester can specify any identity
  • Authentication-capable EKU — Client Auth, Smart Card Logon, PKINIT Client Auth, or Any Purpose
  • Low-privilege enrollment — Domain Users or Authenticated Users can enroll
  • No manager approval — certificates issued automatically without review
  • No authorized signatures required — no additional gates
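A way to test a template against the five conditions above, added here as an example rather than code from the brief: each template is modelled as a dict of the attribute values a defender would read from the template object, and the audit reports which conditions hold. The flag bit values and EKU OIDs are the real ones; the template records, attribute key names and the function names are constructed for illustration.

```python
# Audit helper for the "dangerous combination" (added example, not from the brief).
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x00000002          # CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag (manager approval)

AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

def audit_template(t):
    """Return which of the five conditions hold; 'dangerous' is True only when all five do."""
    conditions = []
    if t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT:
        conditions.append("enrollee supplies subject")
    if AUTH_EKUS & set(t["ekus"]):
        conditions.append("authentication-capable EKU")
    low = LOW_PRIV_PRINCIPALS & set(t["enroll"])
    if low:
        conditions.append("low-privilege enrollment: " + ", ".join(sorted(low)))
    if not t["enrollment_flag"] & PEND_ALL_REQUESTS:
        conditions.append("no manager approval")
    if t["ra_signatures"] == 0:
        conditions.append("no authorized signatures required")
    return {"dangerous": len(conditions) == 5, "conditions": conditions}

# Constructed sample templates (hypothetical names and values, not read from a real forest).
TEMPLATES = {
    "HelpdeskUser": {  # the dangerous order form: any domain user can name any subject
        "name_flag": 0x1, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Users"], "enrollment_flag": 0x0, "ra_signatures": 0},
    "User": {  # subject is built from AD, so the requester cannot write someone else's name
        "name_flag": 0x0, "ekus": ["1.3.6.1.5.5.7.3.2"],
        "enroll": ["Domain Users"], "enrollment_flag": 0x0, "ra_signatures": 0},
    "WebServerApproved": {  # enrollee supplies subject, but a non-auth EKU and manager approval gate it
        "name_flag": 0x1, "ekus": ["1.3.6.1.5.5.7.3.1"],
        "enroll": ["Domain Users"], "enrollment_flag": 0x2, "ra_signatures": 0},
}

def audit_all(templates=TEMPLATES):
    """Audit every template and return {name: result}."""
    return {name: audit_template(t) for name, t in templates.items()}

if __name__ == "__main__":
    for name, r in audit_all().items():
        print(f"{name}: {'DANGEROUS' if r['dangerous'] else 'ok'} - {'; '.join(r['conditions'])}")
```

Removing any one of the five conditions (for example, setting PEND_ALL_REQUESTS so a manager reviews each request) drops a template out of the dangerous set, which is the point the brief makes about gates.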

Common Confusion

  • Thinking the CA decides who gets what — the CA follows the template without independent judgment
  • Confusing enrollment rights with template configuration — they control different things; both must be restrictive
  • Assuming all templates are equally risky — the specific combination of settings determines risk
  • Believing many templates equals more risk — the number does not matter; configuration does

Interview Phrasing

Templates define what a certificate can do and who can request it. The dangerous combination: enrollee supplies subject, authentication EKU, and low-privilege enrollment. When all three are present, any domain user can get a certificate as any identity. The CA issues it because the template says to.