1. On the Microsoft CA machine, open Server Manager, go to Tools and select Certification Authority.
2. Click your certification authority to expand the root folder.
3. Right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.
4. Scroll the template list, right-click the PIV - PIV Authentication template and select Duplicate Template. The Properties of New Template dialog box appears.
5. Click the General tab, and configure the following settings:
a. In the Template display name field, enter PIV - Content Signer (device). The Template name field is filled in automatically with the template display name (with no spaces).
b. Deselect Publish certificate in Active Directory.
6. Click the Request Handling tab, and do the following:
a. From the Purpose drop-down list, select Signature.
When asked to confirm the change, click Yes.
b. Select Allow Private Key to be exported.
c. Select Enroll subject without requiring any user input under "Do the following when the subject is enrolled and when the private key associated with this certificate is used."
7. Click the Issuance Requirements tab, and do the following:
a. Select This is the number of authorized signatures and enter 1 in the text box.
b. From the Policy type required in signature drop-down list, select Application policy.
c. From the Application Policy drop-down list, select Certificate Request Agent.
8. Click the Subject Name tab, and do the following:
a. Select Build from this Active Directory information.
b. Select Fully Distinguished Name from the Subject name format drop-down list.
c. Select the User principal name (UPN) check box.
9. Click the Extensions tab and do the following:
a. Select Application Policies, and then click Edit. The Edit Application Policies Extension dialog box appears.
b. Add the PIV Content Signing object identifier (OID) as follows:
i) On the Edit Application Policies Extension dialog box, click Add. The Add Application Policy dialog box appears.
ii) Click New. The New Application Policy dialog box appears.
iii) In the Name field, enter PIV Content Signing.
iv) In the Object Identifier field, enter 2.16.840.1.101.3.6.7 (the NIST id-PIV-content-signing OID).
v) Click OK.
vi) Click OK again to return to the Edit Application Policies Extension dialog box.
c. On the Edit Application Policies Extension dialog box, remove the application policies that are not required.
i) Select Client Authentication and click Remove.
ii) Select Smart Card Logon and click Remove.
iii) Click OK to close the dialog box.
d. Select Issuance Policies and then click Edit. The Edit Issuance Policies dialog box appears.
i) On the Edit Issuance Policies dialog box, select id-fpki-common-authentication and then click Remove.
ii) Click OK to close the dialog box.
10. Click the Security tab and do the following:
a. Under Permissions for Authenticated Users, select Allow for Read, Write, and Enroll. Note that Write applies to the template object itself, not just to enrollment: any authenticated principal holding it can edit the template, including the Certificate Request Agent signature requirement from step 7 and the application policies removed in step 9. If only the CMS service account needs to manage the template, grant Write to that account and leave Authenticated Users with Read and Enroll.
11. Click OK to close the Properties dialog box. The PIV - Content Signer (device) certificate template is added to the list of templates.
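The settings made through the console above end up as attributes on the template object in the Configuration partition, so they can be checked after the fact. The following PowerShell is an added verification script; it is not part of the original procedure and not the CA product's own tooling. It reads the new template back from Active Directory and tests each setting from steps 5 through 10, then reports what Authenticated Users can do on the template object. It assumes (nothing on the page says so) a domain-joined Windows host, a user who can read the Configuration naming context, and the display name typed in step 5a; the script and parameter names are hypothetical.

```powershell
<#
  Added verification script (not from the original procedure or the CA product).
  Reads the template back from the AD Configuration partition and checks the
  settings made in steps 5 to 10. Assumptions: domain-joined host, a user who can
  read the Configuration NC, display name as typed in step 5a (override with
  -TemplateDisplayName).
#>
param(
    [string]$TemplateDisplayName = 'PIV - Content Signer (device)'
)

# Flag bits from MS-CRTD (msPKI-* attributes) and the OIDs the procedure adds or removes
$CT_FLAG_PUBLISH_TO_DS                  = 8           # 0x00000008 msPKI-Enrollment-Flag
$CT_FLAG_USER_INTERACTION_REQUIRED      = 256         # 0x00000100 msPKI-Enrollment-Flag
$CT_FLAG_EXPORTABLE_KEY                 = 16          # 0x00000010 msPKI-Private-Key-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT      = 1           # 0x00000001 msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN        = 33554432    # 0x02000000 msPKI-Certificate-Name-Flag
$CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH = 2147483648  # 0x80000000 msPKI-Certificate-Name-Flag
$OID_PIV_CONTENT_SIGNING = '2.16.840.1.101.3.6.7'       # id-PIV-content-signing (step 9b)
$OID_CERT_REQUEST_AGENT  = '1.3.6.1.4.1.311.20.2.1'     # Certificate Request Agent (step 7c)
$OID_CLIENT_AUTH         = '1.3.6.1.5.5.7.3.2'          # removed in step 9c
$OID_SMARTCARD_LOGON     = '1.3.6.1.4.1.311.20.2.2'     # removed in step 9c
$OID_FPKI_COMMON_AUTH    = '2.16.840.1.101.3.2.1.3.13'  # id-fpki-common-authentication (step 9d)
$ENROLL_RIGHT_GUID       = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Enroll extended right

# Locate the template object under the Certificate Templates container
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher  = New-Object System.DirectoryServices.DirectorySearcher($container)
$searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
$found = $searcher.FindOne()
if (-not $found) { throw "Template '$TemplateDisplayName' not found under $configNC" }
$t = $found.GetDirectoryEntry()

# Helpers: AD stores the flag attributes as signed Int32, so compare them as unsigned values
function Test-Flag([long]$Value, [long]$Flag) {
    $u = $Value -band [long][uint32]::MaxValue
    ($u -band $Flag) -eq $Flag
}
function Get-Int($Entry, [string]$Attr)  { [long]($Entry.Properties[$Attr].Value) }
function Get-List($Entry, [string]$Attr) { @($Entry.Properties[$Attr] | ForEach-Object { "$_" }) }

$enrollFlag = Get-Int $t 'msPKI-Enrollment-Flag'
$keyFlag    = Get-Int $t 'msPKI-Private-Key-Flag'
$nameFlag   = Get-Int $t 'msPKI-Certificate-Name-Flag'
$keyUsage   = [byte[]]$t.Properties['pKIKeyUsage'].Value   # X.509 KU bits: 0x80 digitalSignature, 0x20 keyEncipherment
$appPolicy  = Get-List $t 'msPKI-Certificate-Application-Policy'
$eku        = Get-List $t 'pKIExtendedKeyUsage'
$issuance   = Get-List $t 'msPKI-Certificate-Policy'
$raPolicy   = (Get-List $t 'msPKI-RA-Application-Policies') -join ' '   # v3+ templates store a formatted string, so match the OID inside it

$checks = [ordered]@{
    'Step 5b: not published in Active Directory'          = -not (Test-Flag $enrollFlag $CT_FLAG_PUBLISH_TO_DS)
    'Step 6a: key usage is signature, not encipherment'   = (($keyUsage[0] -band 0x80) -ne 0) -and (($keyUsage[0] -band 0x20) -eq 0)
    'Step 6b: private key exportable'                     = Test-Flag $keyFlag $CT_FLAG_EXPORTABLE_KEY
    'Step 6c: no user input required at enrollment'       = -not (Test-Flag $enrollFlag $CT_FLAG_USER_INTERACTION_REQUIRED)
    'Step 7a: exactly one authorized signature'           = (Get-Int $t 'msPKI-RA-Signature') -eq 1
    'Step 7c: signer must hold Certificate Request Agent' = $raPolicy -match [regex]::Escape($OID_CERT_REQUEST_AGENT)
    'Step 8a: subject built from AD, not enrollee-supplied' = -not (Test-Flag $nameFlag $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    'Step 8b: fully distinguished name as subject'        = Test-Flag $nameFlag $CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
    'Step 8c: UPN in subject alternative name'            = Test-Flag $nameFlag $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
    'Step 9b: PIV Content Signing application policy/EKU' = ($appPolicy -contains $OID_PIV_CONTENT_SIGNING) -and ($eku -contains $OID_PIV_CONTENT_SIGNING)
    'Step 9c: Client Authentication removed'              = $appPolicy -notcontains $OID_CLIENT_AUTH
    'Step 9c: Smart Card Logon removed'                   = $appPolicy -notcontains $OID_SMARTCARD_LOGON
    'Step 9d: id-fpki-common-authentication removed'      = $issuance -notcontains $OID_FPKI_COMMON_AUTH
}

# Step 10: what Authenticated Users (S-1-5-11) can do on the template object itself
$rights    = [System.DirectoryServices.ActiveDirectoryRights]
$writeMask = [int]($rights::WriteProperty -bor $rights::WriteDacl -bor $rights::WriteOwner -bor $rights::GenericWrite -bor $rights::GenericAll)
$aces = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' -and $_.AccessControlType -eq 'Allow' }
$canEnroll = [bool]($aces | Where-Object {
    ((([int]$_.ActiveDirectoryRights -band [int]$rights::ExtendedRight) -ne 0) -and
     ($_.ObjectType -eq $ENROLL_RIGHT_GUID -or $_.ObjectType -eq [guid]::Empty)) -or
    (([int]$_.ActiveDirectoryRights -band [int]$rights::GenericAll) -ne 0) })
$canWrite  = [bool]($aces | Where-Object { ([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0 })
$checks['Step 10: Authenticated Users can Enroll'] = $canEnroll

foreach ($c in $checks.GetEnumerator()) { '{0} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key }
if ($canWrite) {
    Write-Warning ('Authenticated Users hold Write on the template object (step 10a as written). Any domain ' +
                   'principal can then edit the template, e.g. drop the Certificate Request Agent signature ' +
                   'requirement from step 7; consider granting Write only to the CMS service account.')
}
if (@($checks.Values | Where-Object { -not $_ }).Count -gt 0) { exit 1 }
```

Save it as a .ps1 and run it from a domain-joined host after step 11; it prints one PASS/FAIL line per step and exits with 1 if anything failed, so it can serve as the validation step after the template is created or later changed. The Write warning is deliberately separate from the pass/fail checks because the procedure grants Write as written; it is there to make the consequence of that grant visible rather than to fail the build.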