Because AD CS deployments can vary greatly, the exact steps you must take to consolidate your existing certificate templates cannot be described in this guide.
The goal is to reduce the number of CAs and certificate templates in a multiforest environment by creating a set of certificate templates issued by resource forest CAs that provide certificates to domain members in all forests.
Based on the number of forests and certificate templates in your environment, the timeframe you have to complete AD CS consolidation, and the requirements of your organization, you can use a combination of procedures described in this section to define the set of certificate templates issued by your resource forest CAs.
For each certificate template you plan to issue from the resource forest, consider which of the following methods best meets the goals and requirements of your organization and complete the procedures described in that section.
Copying account forest certificate templates into the resource forest
Consolidating certificate templates with similar purposes from multiple account forests
Consolidating version 2 and version 3 default certificate templates
Consolidating version 1 default certificate templates
The procedures described in this section require the Windows PowerShell script PKISync.ps1. Complete the procedure To Save PKISync.ps1 to a file.
Copying account forest certificate templates into the resource forest
The simplest way to consolidate AD CS from multiple forests into a single resource forest is to copy the certificate templates from all account forests into the resource forest and configure AD CS to issue certificates from the resource forest. Because all certificate templates remain available, the rate of certificate enrollment remains steady and there is no impact to users.
This method reduces the number of CAs in the enterprise but the resource forest might have multiple certificate templates for some types of certificates; for example, if certificate templates for S/MIME certificates are copied from multiple account forests into the resource forest.
Complete the procedures from a domain member computer that has access to both the resource forest and the account forests. Log on using an account with permissions to update AD objects in the resource and account forests. Members of the Domain Admins and Enterprise Admins groups have the required permissions.
The procedure must be completed for each certificate template you want to copy into the resource forest. You cannot copy multiple certificate templates simultaneously.
To copy certificate templates from an account forest to the resource forest
1. Start Windows PowerShell. Change the current directory to the location of the PKISync.ps1 script.
2. Copy the certificate template from the account forest by using the command .\PKISync.ps1 -sourceforest <AccountForestName> -targetforest <ResourceForestName> -type Template -cn <TemplateName> and press ENTER. The placeholders are the DNS name of the account forest, the DNS name of the resource forest, and the common name (cn) of the certificate template.
Note If a certificate template in the resource forest has the same name as the certificate template you want to copy from the account forest, you must rename the certificate template in the account forest before copying the template to the resource forest. See Rename a Certificate Template.
3. Copy the OID container from the account forest by using the command .\PKISync.ps1 -sourceforest <AccountForestName> -targetforest <ResourceForestName> -type Oid -f and press ENTER.
4. Grant administrators permissions on the certificate template in the resource forest. Grant Full Control to the Enterprise Admins group, which is the equivalent of the default certificate template permissions. Alternatively, you can define custom permissions according to your organization's security policy. See the Security Tab section of Extensions Tab.
5. Grant domain members permissions on the certificate template in the resource forest. Grant Read, Enroll, and Autoenroll permissions to the intended users. The access control list defined on the certificate template in the account forest is preserved during the copy operation, but you should verify permissions are correct and grant permissions to additional users in other account forests as needed. See the Security Tab section of Administering Certificate Templates.
6. Publish the root CA certificate from the account forest to the resource forest by using Certutil.exe at a command prompt to run the following commands:
a. certutil -config <CAComputerName>\<CAName> -ca.cert <RootCACertFile> If you are logged on to the CA, you can omit the connection information, -config <CAComputerName>\<CAName>, to connect to the local CA.
b. certutil -dspublish -f <RootCACertFile> RootCA
7. Publish enterprise CA certificates from the account forest into the NTAuthCertificates and AIA containers in the resource forest.
a. certutil -config <CAComputerName>\<CAName> -ca.cert <EnterpriseCACertFile>
b. certutil -dspublish -f <EnterpriseCACertFile> NTAuthCA
c. certutil -dspublish -f <EnterpriseCACertFile> SubCA
Note Steps 6 and 7 are required because renewal requests can be signed by certificates issued by CAs in the account forests. The CA certificates from the account forests are required for certificates issued in the account forests to be valid in the resource forest.
8. Assign the certificate template to an enterprise CA in the resource forest. See Add a Certificate Template to a Certification Authority.
9. Copy the assigned enterprise CA object from the resource forest by using the command .\PKISync.ps1 -sourceforest <ResourceForestName> -targetforest <AccountForestName> -type CA -cn <CASanitizedName> -f. To determine the CA sanitized name, log on to the CA, start a command prompt, type Certutil.exe and press ENTER. The sanitized name is displayed in the command output.
10. Copy the certificate template object from the resource forest by using the command .\PKISync.ps1 -sourceforest <ResourceForestName> -targetforest <AccountForestName> -type Template -cn <TemplateName> -f.
11. Remove the old certificate template from enterprise CAs in the account forest by using the Certification Authority snap-in. Click Certificate Templates, right-click the old certificate template, and click Delete.
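The following script is an added example; it is not part of the original guide and not part of PKISync.ps1. It runs steps 2, 3, 6 and 7 of the procedure above end to end, then performs the verification that steps 4 and 5 ask for by reading the copied template's ACL from the resource forest, flagging account forest SIDs that do not resolve there and broad principals (Authenticated Users, Domain Users, Domain Computers, Everyone) that hold Enroll or Autoenroll, and finally confirms that the account forest enterprise CA certificate landed in NTAuthCertificates. The forest names, DC name, template cn, CA config strings, group name and certificate file paths are placeholders; the script assumes PKISync.ps1 is in the current directory and the ActiveDirectory PowerShell module is installed.

```powershell
<#
 Added example, not part of the original guide or the PKISync.ps1 script:
 runs the copy steps end to end and then verifies the copied template's
 permissions and the published CA certificates in the resource forest.
 All values in the param block are placeholders for your own environment.
#>
param(
    [string]$AccountForest       = 'account.example',                  # placeholder account forest DNS name
    [string]$ResourceForest      = 'resource.example',                 # placeholder resource forest DNS name
    [string]$ResourceDC          = 'dc01.resource.example',            # placeholder DC in the resource forest
    [string]$TemplateName        = 'AccountSmimeUser',                 # placeholder template common name (cn)
    [string]$AccountRootCAConfig = 'rootca01\Account-Root-CA',         # placeholder <CAComputerName>\<CAName>
    [string]$AccountEntCAConfig  = 'ca01.account.example\Account-CA',  # placeholder <CAComputerName>\<CAName>
    [string]$EnrollGroup         = 'ACCOUNT\SMIME Users'               # placeholder group meant to enroll
)

Import-Module ActiveDirectory

# Steps 2 and 3: copy the template and the OID container, account forest -> resource forest.
.\PKISync.ps1 -sourceforest $AccountForest -targetforest $ResourceForest -type Template -cn $TemplateName
.\PKISync.ps1 -sourceforest $AccountForest -targetforest $ResourceForest -type Oid -f

# Steps 6 and 7: export the account forest CA certificates and publish them in the resource forest.
# -dc targets a resource forest DC so the objects land in that forest's configuration partition.
$rootCer = Join-Path $PWD 'AccountRootCA.cer'
$entCer  = Join-Path $PWD 'AccountEntCA.cer'
certutil -config $AccountRootCAConfig -ca.cert $rootCer
certutil -config $AccountEntCAConfig  -ca.cert $entCer
certutil -dc $ResourceDC -dspublish -f $rootCer RootCA
certutil -dc $ResourceDC -dspublish -f $entCer  NTAuthCA
certutil -dc $ResourceDC -dspublish -f $entCer  SubCA

# Verification for steps 4 and 5: read the copied template's ACL from the resource forest.
$configNC = (Get-ADRootDSE -Server $ResourceDC).configurationNamingContext
$pksDN    = "CN=Public Key Services,CN=Services,$configNC"
$tmpl     = Get-ADObject -Server $ResourceDC -Identity "CN=$TemplateName,CN=Certificate Templates,$pksDN" `
                         -Properties nTSecurityDescriptor

# Well-known extended-right GUIDs for Enroll and Autoenroll on certificate templates.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollRight = [guid]'a05b8cc2-17bc-11d1-9fe1-00c04fc2b9e1'
$fullControl     = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$extendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$broadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

$findings = foreach ($ace in $tmpl.nTSecurityDescriptor.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $who    = $ace.IdentityReference.Value
    $rights = New-Object System.Collections.Generic.List[string]
    if (($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl) { $rights.Add('FullControl') }
    if ($ace.ActiveDirectoryRights -band $extendedRight) {
        if     ($ace.ObjectType -eq $enrollRight)     { $rights.Add('Enroll') }
        elseif ($ace.ObjectType -eq $autoenrollRight) { $rights.Add('Autoenroll') }
        elseif ($ace.ObjectType -eq [guid]::Empty)    { $rights.Add('AllExtendedRights') }
    }
    if ($rights.Count -eq 0) { continue }
    $flag = ''
    if ($who -match '^S-1-5-') {
        # The ACL was copied from the account forest; a raw SID means the trust did not resolve it here.
        $flag = 'UNRESOLVED SID'
    } elseif ($broadPrincipals | Where-Object { $who -like "*$_" }) {
        $flag = 'BROAD PRINCIPAL'
    }
    [pscustomobject]@{ Principal = $who; Rights = ($rights -join ','); Flag = $flag }
}
$findings | Format-Table -AutoSize

# The intended group must hold both Enroll and Autoenroll; any other enroll-capable entry needs review.
$ok = $findings | Where-Object {
    $_.Principal -eq $EnrollGroup -and $_.Rights -match '(^|,)Enroll(,|$)' -and $_.Rights -match 'Autoenroll'
}
if (-not $ok) { Write-Warning "$EnrollGroup does not hold Enroll and Autoenroll on $TemplateName in $ResourceForest" }

# Confirm the account forest enterprise CA now appears in NTAuthCertificates of the resource forest.
$ntauth = Get-ADObject -Server $ResourceDC -Identity "CN=NTAuthCertificates,$pksDN" -Properties cACertificate
"NTAuthCertificates in $ResourceForest holds $($ntauth.cACertificate.Count) certificate(s)"
```

Run it from a domain member that can reach both forests, logged on with an account that holds Enterprise Admins rights in the resource forest. The ACL report is the part worth keeping after consolidation: because the copy operation preserves the access control list from the account forest, the resource forest template inherits whatever enrollment grants existed there, so entries flagged BROAD PRINCIPAL or UNRESOLVED SID should be reviewed and corrected in the Security tab before the template is assigned to a CA in step 8.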