Create the PIV - Key Management template

1. On the Microsoft CA machine, go to Start > Windows Administrative Tools > Certification Authority.

2. Click your certification authority to expand the root folder.

3. Right-click Certificate Templates, and then select Manage. The Certificate Templates Console appears.

4. Scroll the template list, right-click the PIV - PIV Authentication template, and select Duplicate Template. The Properties of New Template dialog box appears.

5. Click the General tab, and configure the following settings:

a. In the Template display name field, enter PIV - Key Management. The Template name field is filled in automatically with the template display name (with no spaces).

b. Select Publish certificate in Active Directory.

6. Click the Request Handling tab, and do the following:

a. From the Purpose drop-down list, select Encryption. This replaces the signature key usage inherited from the authentication template with Key Encipherment, which is what a key management certificate needs.

When asked to confirm the change, click Yes.

b. Optional. If you want the key to be archived and available for recovery, select Archive the subject's private key. Key archival must already be configured on the CA (a Key Recovery Agent certificate issued and the CA set to archive keys); otherwise, enrollment requests for this template fail.

7. Click the Extensions tab.

8. Select Application Policies, and then click Edit. The Edit Application Policies Extension dialog box appears.

9. Add the Secure Email policy to the list of application policies, as follows:

a. On the Edit Application Policies Extension dialog box, click Add. The Add Application Policy dialog box appears.

b. Scroll the Application policies list, select Secure Email, and then click OK.

10. On the Edit Application Policies Extension dialog box, remove the application policies that are not required:

a. Select Any Purpose and click Remove.

b. Select Client Authentication and click Remove.

c. Select Smart Card Logon and click Remove.

d. Click OK to close the dialog box.

11. In the Extensions tab, select Issuance Policies and then click Edit. The Edit Issuance Policies dialog box appears.

12. On the Edit Issuance Policies dialog box, select id-fpki-common-authentication and then click Remove.

13. Click OK to close the dialog box.

14. If you selected Publish certificate in Active Directory in step 5, do the following:

a. Click the Issuance Requirements tab.

b. Select This number of authorized signatures and enter 1 in the text box.

c. From the Policy type required in signature drop-down list, select Application policy.

d. From the Application policy drop-down list, select Certificate Request Agent. Requests for this template must then be countersigned by an enrollment agent that holds a Certificate Request Agent certificate.

15. Click OK to close the Properties dialog box.

The PIV - Key Management certificate template is added to the list of templates.
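The following PowerShell script is an added example, not part of the original procedure or of any vendor tooling. After completing steps 1 to 15, run it on a domain-joined machine with the RSAT ActiveDirectory module to read the new template object back from the Configuration partition and confirm that the key usage, application policies, issuance policy, archival flag and enrollment-agent signature requirement were actually saved. The attribute names and flag bits are the documented ones from MS-CRTD; the template display name is the one this procedure creates; the check helper and its output format are this example's own.

```powershell
# Added verification script (example code, not part of the original procedure).
# Reads the "PIV - Key Management" template from the Configuration partition and
# checks that the settings from steps 5 to 14 took effect. Attribute names and
# flag values are from MS-CRTD. Assumes the RSAT ActiveDirectory module is
# installed and the caller can read the Configuration naming context.
Import-Module ActiveDirectory

$TemplateName = 'PIV - Key Management'

# Application / issuance policy OIDs referenced by the procedure
$OidSecureEmail      = '1.3.6.1.5.5.7.3.4'
$OidClientAuth       = '1.3.6.1.5.5.7.3.2'
$OidSmartCardLogon   = '1.3.6.1.4.1.311.20.2.2'
$OidAnyPurpose       = '2.5.29.37.0'
$OidCertRequestAgent = '1.3.6.1.4.1.311.20.2.1'
$OidFpkiCommonAuth   = '2.16.840.1.101.3.2.1.3.13'   # id-fpki-common-authentication

# Template flag bits (MS-CRTD) and X.509 KeyUsage bits in the first byte of pKIKeyUsage
$CT_FLAG_PUBLISH_TO_DS                = 0x00000008   # in "flags"
$CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001   # in msPKI-Private-Key-Flag
$KU_DIGITAL_SIGNATURE = 0x80
$KU_KEY_ENCIPHERMENT  = 0x20

$attrs = @('flags', 'pKIExtendedKeyUsage', 'pKIKeyUsage',
           'msPKI-Certificate-Application-Policy', 'msPKI-Certificate-Policy',
           'msPKI-Private-Key-Flag', 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies')

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

$t = Get-ADObject -SearchBase $templatesDn -LDAPFilter "(displayName=$TemplateName)" -Properties $attrs
if (-not $t) { throw "Template '$TemplateName' not found under $templatesDn" }

$failures = New-Object 'System.Collections.Generic.List[string]'
function Check([string]$What, [bool]$Ok) {
    if ($Ok) { Write-Host "[ OK ] $What" }
    else     { Write-Host "[FAIL] $What"; $failures.Add($What) }
}

$eku     = @($t.pKIExtendedKeyUsage)
$appPol  = @($t.'msPKI-Certificate-Application-Policy')
$issPol  = @($t.'msPKI-Certificate-Policy')
$ku0     = [int]@($t.pKIKeyUsage)[0]
$publish = ($t.flags -band $CT_FLAG_PUBLISH_TO_DS) -ne 0

# Step 6a: Purpose = Encryption gives Key Encipherment and drops Digital Signature
Check 'Key usage: Key Encipherment set'      (($ku0 -band $KU_KEY_ENCIPHERMENT) -ne 0)
Check 'Key usage: Digital Signature cleared' (($ku0 -band $KU_DIGITAL_SIGNATURE) -eq 0)

# Steps 9 and 10: only Secure Email remains, in both the EKU and application policy lists
Check 'Secure Email present in EKU'                  ($eku -contains $OidSecureEmail)
Check 'Secure Email present in application policies' ($appPol -contains $OidSecureEmail)
foreach ($oid in $OidAnyPurpose, $OidClientAuth, $OidSmartCardLogon) {
    Check "Removed $oid from EKU"                  ($eku -notcontains $oid)
    Check "Removed $oid from application policies" ($appPol -notcontains $oid)
}

# Step 12: the id-fpki-common-authentication issuance policy is gone
Check 'id-fpki-common-authentication removed' ($issPol -notcontains $OidFpkiCommonAuth)

# Step 6b (optional): report the archival setting; the CA needs a KRA before it can be enforced
$archive = ($t.'msPKI-Private-Key-Flag' -band $CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL) -ne 0
$archiveText = if ($archive) { 'required' } else { 'not required' }
Write-Host "[INFO] Private key archival: $archiveText"

# Step 14: when published to AD, one Certificate Request Agent signature is required.
# msPKI-RA-Application-Policies holds the bare OID on v2 templates and an encoded
# property string on v3/v4 templates, so match the OID as a substring either way.
Write-Host "[INFO] Publish certificate in Active Directory: $publish"
if ($publish) {
    Check 'Exactly one authorized signature required' ($t.'msPKI-RA-Signature' -eq 1)
    Check 'Certificate Request Agent is the required signing policy' `
        ((@($t.'msPKI-RA-Application-Policies') -join ' ') -match [regex]::Escape($OidCertRequestAgent))
}

if ($failures.Count) { Write-Error ("{0} check(s) failed" -f $failures.Count) }
else                 { Write-Host 'All checks passed' }
```

Run it as a .ps1 from an account that can read the Configuration partition (any domain user can by default). A FAIL on the EKU or application policy checks usually means the Edit Application Policies dialog was closed with Cancel rather than OK in step 10; a FAIL on the signature checks means the Issuance Requirements tab was skipped even though the template is published to Active Directory.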