1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.
2. Click your certification authority to expand the root folder.
3. Right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.
4. Scroll the template list, right-click the PIV - PIV Authentication template and select Duplicate Template. The Properties of New Template dialog box appears.
5. Click the General tab, and configure the following settings:
a. In the Template display name field, enter PIV - Card Authentication. The Template name field is filled in automatically with the template display name (with no spaces).
b. Deselect Publish certificate in Active Directory.
6. Click the Request Handling tab.
7. From the Purpose drop-down list, select Signature.
When asked to confirm the change, click Yes.
8. Click the Extensions tab.
9. Select Application Policies, and then click Edit. The Edit Application Policies Extension dialog box appears.
10. Add the PIV Card Authentication object identifier as follows:
a. On the Edit Application Policies Extension dialog box, click Add. The Add Application Policy dialog box appears.
b. Click New. The New Application Policy dialog box appears.
c. In the Name field, enter PIV Card Authentication
d. In the Object Identifier field, enter 2.16.840.1.101.3.6.8
e. Click OK to create the new extension policy.
f. Click OK again to return to the Edit Application Policies Extension dialog box.
11. On the Edit Application Policies Extension dialog box, remove the application policies that are not required:
a. Select Any Purpose and click Remove.
b. Select Client Authentication and click Remove.
c. Select Smart Card Logon and click Remove.
12. Click OK to close the dialog box.
13. On the Extensions tab, select Issuance Policies and then click Edit. The Edit Issuance Policies dialog box appears.
Attention: You can add PIV policies as required by your organization. The id-fpki-common-cardAuth issuance policy provided in the following steps is used by the U.S. Federal Government. Organizations outside of the U.S. Federal Government may not be able to issue or use these issuance policies. Test your CA policy configuration with the applications you intend to use to ensure compatibility. If your application does not support the issuance policy, do not configure it.
14. On the Edit Issuance Policies dialog box, do the following:
a. Select id-fpki-common-authentication and then click Remove.
b. Click Add. The Add Issuance Policy dialog box appears.
c. Click New. The New Issuance Policy dialog box appears.
d. In the Name field, enter id-fpki-common-cardAuth.
e. Leave CPS location empty.
f. In the Object Identifier field, enter 2.16.840.1.101.3.2.1.3.17
g. Click OK to create the new issuance policy.
15. Click the Issuance Requirements tab, and do the following:
a. Deselect (disable) all of the settings.
b. Click OK.
16. Click OK to close the open dialog boxes to return to the Certificate Templates Console.
The PIV - Card Authentication certificate template is added to the list of templates.
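
One way to confirm that the finished template matches these steps, as an added example that is not part of the original procedure: a PowerShell check over the template's Active Directory attributes. The attribute names are the standard pKICertificateTemplate ones; the function name, the constructed sample values and the id-fpki-common-authentication OID (2.16.840.1.101.3.2.1.3.13) are supplied here and do not come from the page.

```powershell
# Added example: audit template attributes against the procedure above.
$CardAuthEku   = '2.16.840.1.101.3.6.8'       # PIV Card Authentication (step 10d)
$CardAuthPol   = '2.16.840.1.101.3.2.1.3.17'  # id-fpki-common-cardAuth (step 14f)
$CommonAuthPol = '2.16.840.1.101.3.2.1.3.13'  # id-fpki-common-authentication (OID not on the page; step 14a)
$RemovedEkus   = @{                           # application policies removed in step 11
    '2.5.29.37.0'            = 'Any Purpose'
    '1.3.6.1.5.5.7.3.2'      = 'Client Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}

# Hypothetical helper: emits one finding per deviation, nothing if the template matches.
function Test-CardAuthTemplate {
    param([Parameter(Mandatory)] [hashtable] $Template)
    $appPol = @($Template['msPKI-Certificate-Application-Policy'])
    $ekus   = $appPol + @($Template['pKIExtendedKeyUsage'])
    $issPol = @($Template['msPKI-Certificate-Policy'])
    $enroll = [int]$Template['msPKI-Enrollment-Flag']

    if ($appPol -notcontains $CardAuthEku) { "Step 10: application policy $CardAuthEku is missing" }
    foreach ($oid in $RemovedEkus.Keys) {
        if ($ekus -contains $oid) { "Step 11: $($RemovedEkus[$oid]) ($oid) is still present" }
    }
    if ($issPol -notcontains $CardAuthPol) { "Step 14: issuance policy $CardAuthPol is missing" }
    if ($issPol -contains $CommonAuthPol)  { 'Step 14a: id-fpki-common-authentication is still present' }
    # msPKI-Enrollment-Flag bits: 0x8 = publish to Active Directory, 0x2 = CA manager approval
    if ($enroll -band 0x8) { 'Step 5b: Publish certificate in Active Directory is still enabled' }
    if ($enroll -band 0x2) { 'Step 15: CA certificate manager approval is still enabled' }
    if ([int]$Template['msPKI-RA-Signature'] -gt 0) { 'Step 15: authorized signatures are still required' }
}

# Constructed sample: a duplicated template where steps 5b and 11c were skipped.
$sample = @{
    'msPKI-Certificate-Application-Policy' = @($CardAuthEku, '1.3.6.1.4.1.311.20.2.2')
    'pKIExtendedKeyUsage'                  = @($CardAuthEku, '1.3.6.1.4.1.311.20.2.2')
    'msPKI-Certificate-Policy'             = @($CardAuthPol)
    'msPKI-Enrollment-Flag'                = 0x8
    'msPKI-RA-Signature'                   = 0
}
Test-CardAuthTemplate -Template $sample
```

For a live audit, fill the hashtable from the template's pKICertificateTemplate object under CN=Certificate Templates,CN=Public Key Services,CN=Services in the configuration naming context. An empty result means no deviation from the steps was found.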