Active Directory Certificate Services (AD CS) Integration: Create a Computer Certificate Template

By Emalee Firestein

Learn how to create a computer certificate template for use in conjunction with Kandji's AD CS integration.

Required Settings for the Certificate Template

Below are the tabs and settings that should be configured in the certificate template:

  • Template type: The template used should be based on the default Computer template.
  • Certificate Authority: Windows Server 2016
  • Certificate recipients: Windows 10/Windows Server 2016
  • Subject name: Supply in the request
  • Security: 
    • Add the AD CS Connector Computer Object to the Groups or Users list.
    • The Computer Object should have Read and Enroll permissions.
    • Alternatively: a service account that has Read and Enroll can be used if desired.

If you would like to use an existing AD CS certificate template, the settings in the existing template must align with the settings listed above.

Create an AD CS Computer Certificate Template for Use with the Kandji Connector

  1. Log in to a Certificate Authority (CA) on your domain.

  2. On the server, launch the Start menu and search for the Certificate Authority snap-in.

  3. Once in the Certificate Authority snap-in, click Issuing CA. The name of the Issuing CA as it appears here in the snap-in will be needed when adding AD CS servers to the Kandji integration.

  4. Right-click the Certificate Templates folder and click Manage.

  5. In the Certificate Templates window, find the Computer template and right-click it. Then, click Duplicate Template.

  6. In the Properties window, click the General tab.

  7. Set the display name and template name to something like KandjiDevice. The template name will be needed when creating Library Items that contain AD CS certificate settings.

  8. Next, click the Compatibility tab.

  9. For Certificate Authority, select Windows Server 2016. In the change dialog, click OK.

  10. For Certificate Recipients, select Windows 10 / Windows Server 2016. In the change dialog, click OK.

  11. Click the Subject Name tab.

  12. Select the option to Supply in the request and click OK in the warning dialog.

  13. Now, click the Security tab.

  14. Under Groups or user names, click Add.

  15. In the Select Users, Computers, Service Accounts, or Groups window, click Object Types.

  16. In the Object Types window, select Computers.

  17. Click OK.

  18. In the object names search field, enter the name of the Windows server that will be used to host the AD CS Connector. In this example, lab000001 is the computer name being used.

  19. While still on the Security tab, select the computer object that was just added. Then, in the Permissions section, under Allow, make sure that Read and Enroll are selected.

  20. Click Apply and then OK.

  21. Go back to the main Certificate Authority snap-in, right-click Certificate Templates again, and select New > Certificate Template to issue.

  22. Select the template you created (in our example, KandjiDevice).

  23. Click OK.

  24. Confirm that the template is shown in the list.

At this point, the certificate template is ready to go. You can now proceed with the AD CS Connector installation.
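
To confirm that the finished template matches the required settings, the following added example (not Kandji's code) checks the Supply in the request flag and the Read and Enroll permissions, and lists any other principals that can enroll so they can be reviewed. The function name Test-KandjiTemplate, the CORP domain, and the sample ACL are assumptions made for illustration; the commented lines show how to feed it live data with the RSAT ActiveDirectory module.

```powershell
# Added example (not Kandji code): checks a template's subject-name flag and ACL
# against the required settings listed on this page.
$EnrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$SuppliesSubject = 0x1                                           # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT

function Test-KandjiTemplate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int]      $NameFlag,   # msPKI-Certificate-Name-Flag value
        [Parameter(Mandatory)] [object[]] $Access,     # ACEs, as in nTSecurityDescriptor.Access
        [Parameter(Mandatory)] [string]   $Connector   # connector computer account, DOMAIN\name$
    )
    $allow = @($Access | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
    # Enroll is granted by the Enroll extended right, by all extended rights
    # (empty object GUID), or by full control.
    $enroll = @($allow | Where-Object {
        $r = "$($_.ActiveDirectoryRights)"
        $r -match 'GenericAll' -or
        ($r -match 'ExtendedRight' -and ([guid]$_.ObjectType -in @($EnrollGuid, [guid]::Empty)))
    } | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique)
    # Read counts only when the ACE is not scoped to a single attribute.
    $read = @($allow | Where-Object {
        "$($_.ActiveDirectoryRights)" -match 'GenericAll|GenericRead|ReadProperty' -and
        [guid]$_.ObjectType -eq [guid]::Empty
    } | ForEach-Object { "$($_.IdentityReference)" })

    [pscustomobject]@{
        SupplyInRequest    = [bool]($NameFlag -band $SuppliesSubject)
        ConnectorCanRead   = $read   -contains $Connector
        ConnectorCanEnroll = $enroll -contains $Connector
        OtherEnrollers     = @($enroll | Where-Object { $_ -ne $Connector })  # review each entry
    }
}

# Constructed sample ACL (CORP is an assumed domain; lab000001 is the page's example host).
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'CORP\lab000001$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericRead'; ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CORP\lab000001$'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $EnrollGuid }
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Computers'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $EnrollGuid }
)
Test-KandjiTemplate -NameFlag 1 -Access $sampleAcl -Connector 'CORP\lab000001$'

# Live data instead of the sample:
# $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
# $t = Get-ADObject -SearchBase $base -Filter "cn -eq 'KandjiDevice'" -Properties 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
# Test-KandjiTemplate -NameFlag $t.'msPKI-Certificate-Name-Flag' -Access $t.nTSecurityDescriptor.Access -Connector 'CORP\lab000001$'
```

Because the template accepts a subject supplied in the request, every name returned in OtherEnrollers should be a principal you intend to be able to request certificates from it.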