
How to create a certificate template for BitLocker Network Unlock

A certificate template defines the policies and rules a CA applies when it receives a certificate request. Certificate templates add versatility to your PKI environment and help reduce administrative overhead. When creating your own template, you have several options that tell the CA how to handle incoming requests, and the templates can be viewed with the Certificate Templates snap-in. See this guide on how to install and configure AD Certificate Services. Also see the following how-to articles: how to import a certificate into the Trusted Root and Personal certificate stores, how to create a certificate signing request in Windows using the Microsoft Management Console, and how to export a certificate in PFX format in Windows.

Note: To get rid of the warnings shown when you open some pages on the internet or a web session on vCenter etc., you have to deploy a digitally signed certificate on the web server. Without one, you are required to acknowledge the risk of connecting to the site.
- To mitigate this, I will be setting up Active Directory Certificate Services to help issue and sign certificates.

Now you will agree with me that certificates are a powerful tool for proving one’s identity online. The owner of a certificate can digitally sign data, and a verifier can use the public key from the certificate to verify the signature. A properly configured Active Directory Certificate Services Certification Authority uses certificate templates to create and issue certificates. There are different ways to launch the Certificate Templates Console, and I will show two of them: the first via Server Manager, and the second through the certificate template snap-in (certtmpl.msc).

1: Via Server Manager: Click on Tools and select Certification Authority as shown below.

This will open the Certification Authority window as shown below. Right-click on “Certificate Templates” and
– Click on Manage. This opens the Certificate Templates Console.

2: Via the snap-in console (certtmpl.msc): In this method, you type certtmpl.msc into Windows Search or into the Run dialog box. To open the console from the Run dialog box,
- Search for Run and type "certtmpl.msc" as shown below.

Regardless of which method you use, the Certificate Templates Console opens as you can see below.

Use-case: Now I will create a certificate template for BitLocker Network Unlock. For more on this topic, see the following guide “How to configure Bitlocker Network Unlock“. To do this, locate the User template.
– Right-click the template name, and
– Select Duplicate Template.

This opens the Properties of the new template. On the Compatibility tab, change the Certification Authority and Certificate recipient fields to Windows Server 2016 and Windows 10/Windows Server 2016, respectively.
Note: Click OK to accept each of the resulting changes that are shown.

Select the General tab of the template.
– The Template display name and Template name should clearly identify that the template will be used for Network Unlock.
– Clear the check box for Publish certificate in Active Directory.

Select the Request Handling tab.
– In the Purpose drop-down menu, select Encryption and click Yes to accept the change to the certificate purpose.
– Ensure the Allow private key to be exported option is selected.

Select the Cryptography tab.
– Set the Minimum key size to 2048. (For this template, you can use any Microsoft cryptographic provider that supports RSA, but for simplicity and forward compatibility, we recommend the Microsoft Software Key Storage Provider.)
– Select Requests must use one of the following providers.
– If you have multiple providers, please clear all options except for your selected cryptography provider, such as the Microsoft Software Key Storage Provider.

Select the Subject Name tab and select Supply in the request. On the Certificate Templates dialog box prompt, select OK.

Select the Issuance Requirements tab. Then select both CA certificate manager approval and Valid existing certificate.

Select the Extensions tab. Then select Application Policies and click on Edit.
– In the Edit Application Policies Extension dialog box, select Client Authentication, Encrypting File System, and Secure Email.
– Then choose Remove.

In the same Edit Application Policies Extension dialog box as above,
– Click on Add.

In the Add Application Policy dialog box, select New.

In the New Application Policy dialog box, enter the following information in the space provided, and then select OK to create the BitLocker Network Unlock application policy.
- Name: BitLocker Network Unlock
- Object Identifier:

Select the newly created BitLocker Network Unlock application policy, and then select OK as shown below.

Click OK again to close the window shown below.

With the Extensions tab still open, select Key Usage, click Edit, and then ensure that “Allow key exchange only with key encryption (key encipherment)” is selected.
– Then select Make this extension critical.

Select the Security tab. Confirm that the Domain Admins group has been granted the Enroll permission.

Select OK to complete the configuration of the template. We now have a template configured for BitLocker Network Unlock as shown below.

Let’s publish the created template and make it available on the CA. To add the Network Unlock template to the certification authority, open the Certification Authority snap-in (certsrv.msc).
– Right-click Certificate Templates, and
– Choose New, Certificate Template to Issue.

Now select the created BitLocker Network Unlock template and click OK.

As you can see, the template is now available in the certification authority as shown below.
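Because every setting above is clicked through a GUI, it is easy to miss one (the exportable key, the critical key usage, or the leftover EKUs in particular), and a template that is wrong in those places is what the CA will happily issue from. The script below is an added example, not part of the original post, that reads the template object back from Active Directory and checks each setting the walkthrough configured, then checks whether the CA already lists it for issue. It assumes the template name is BitLockerNetworkUnlock (change it if you named yours differently), that the ActiveDirectory RSAT module is present, and, for the last step, that it runs on the CA with the ADCSAdministration module. The flag bits are the documented msPKI-* template flags; the Network Unlock application policy OID is not given on the page and is taken from Microsoft’s Network Unlock documentation, so treat it as an assumption to confirm.

```powershell
#Requires -Modules ActiveDirectory
# Added verification script (not from the original post or from Microsoft).
param(
    [string]$TemplateName = 'BitLockerNetworkUnlock'   # assumed template (CN) name
)

# Assumed: OID of the BitLocker Network Unlock application policy, per Microsoft's
# Network Unlock documentation. The article leaves the value blank; confirm it there.
$NetworkUnlockOid = '1.3.6.1.4.1.311.67.1.1'
$KeyUsageOid      = '2.5.29.15'                               # X.509 Key Usage extension
$EnrollRightGuid  = '0e10c968-78fb-11d2-90d4-00c04f79dc55'    # Certificate-Enrollment extended right

# Template flag bits (MS-CRTD). Each maps to one GUI setting in the walkthrough.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT               = 0x1   # Subject Name: Supply in the request
$CT_FLAG_PEND_ALL_REQUESTS                       = 0x2   # CA certificate manager approval
$CT_FLAG_PUBLISH_TO_DS                           = 0x8   # Publish certificate in Active Directory
$CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x40  # Valid existing certificate
$CT_FLAG_EXPORTABLE_KEY                          = 0x10  # Allow private key to be exported
$KEY_USAGE_KEY_ENCIPHERMENT                      = 0x20  # keyEncipherment bit, first byte of pKIKeyUsage

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$props = 'msPKI-Minimal-Key-Size', 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag',
         'msPKI-Private-Key-Flag', 'msPKI-Certificate-Application-Policy', 'pKIExtendedKeyUsage',
         'pKIKeyUsage', 'pKICriticalExtensions', 'pKIDefaultCSPs'

$t = Get-ADObject -Identity $templateDn -Properties $props

# Normalise multi-valued attributes to arrays so the comparisons below are stable.
$appPolicies = @($t.'msPKI-Certificate-Application-Policy')
$ekus        = @($t.pKIExtendedKeyUsage)
$csps        = @($t.pKIDefaultCSPs)
$keyUsage0   = if ($t.pKIKeyUsage) { [int]$t.pKIKeyUsage[0] } else { 0 }

$checks = [ordered]@{
    'Minimum key size is 2048'                  = ($t.'msPKI-Minimal-Key-Size' -ge 2048)
    'Subject name supplied in request'          = (($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0)
    'Not published to Active Directory'         = (($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS) -eq 0)
    'CA certificate manager approval required'  = (($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0)
    'Valid existing certificate for renewal'    = (($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT) -ne 0)
    'Private key exportable'                    = (($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
    'Only the Network Unlock application policy' = (($appPolicies.Count -eq 1) -and ($appPolicies[0] -eq $NetworkUnlockOid) -and
                                                    ($ekus.Count -eq 1) -and ($ekus[0] -eq $NetworkUnlockOid))
    'Key usage: key encipherment'               = (($keyUsage0 -band $KEY_USAGE_KEY_ENCIPHERMENT) -ne 0)
    'Key usage extension marked critical'       = (@($t.pKICriticalExtensions) -contains $KeyUsageOid)
    'Only Microsoft Software KSP allowed'       = (($csps.Count -eq 1) -and ($csps[0] -like '*Microsoft Software Key Storage Provider'))
}

# Security tab: an Allow ACE for Domain Admins carrying the Certificate-Enrollment right.
$acl = Get-Acl -Path "AD:\$templateDn"
$enrollAces = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $EnrollRightGuid -and
    $_.IdentityReference -like '*\Domain Admins'
})
$checks['Domain Admins have Enroll permission'] = ($enrollAces.Count -gt 0)

foreach ($c in $checks.GetEnumerator()) {
    '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}

# Publication step from the article, checked on the CA itself (ADCSAdministration module).
if (Get-Command Get-CATemplate -ErrorAction SilentlyContinue) {
    if (Get-CATemplate | Where-Object { $_.Name -eq $TemplateName }) {
        "Template '$TemplateName' is already published on this CA."
    } else {
        "Template '$TemplateName' is not published yet; publish it with: Add-CATemplate -Name '$TemplateName' -Force"
    }
}
```

Run it as a domain user who can read the Configuration partition; every line reporting CHECK points at one tab in the walkthrough that still needs attention. The Add-CATemplate line it prints is the command-line equivalent of the New, Certificate Template to Issue step above.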

I welcome you to subscribe to my YouTube Channel. I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.
