•
Typically the RA will have a longer period (same as that of the CA certificate).
•
The default template used for RA to be enrolled to the SCP server is IPSECIntermediateOffline as highlighted above.
•
Make sure a correct template is set to the above registries before enrolling the RA to the SCEP server.
•
After the Cisco RA is enrolled to the SCEP server, admin needs to change the template in the registry (if the user
certificate period needs to be shorter than that of the root CA).
•
Right click Certificate Templates then select Manage.
•
Right click User template then select Duplicate Template.
•
Select Windows Server 2003 2008 Template.
•
Under the General tab, change template name and validity period.
•
Under the Extensions tab, ensure the following:
•
Client Authentication is set as one of the application policies
•
Key Usage has Digital Signature attribute
Cisco IP Phone 8861 and 8865 Wireless LAN Deployment Guide
164