The Extended Validation tab is used by administrators to add an Extended Validation (EV) certificate policy to root certificates that are distributed by Group Policy. Adding the EV certificate policy to root certificates and certificates issued to intranet Web sites provides a visual indicator that a site is trustworthy.

These procedures must be completed to use EV certificates for intranet Web sites.

  1. Add an EV certificate policy to a certificate template.

  2. Add an EV certificate policy to a root certificate.

  3. Issue EV certificates to intranet Web sites.

Adding an EV certificate policy to a certificate template

In addition to the root certificate, the EV certificate policy must also be included in certificates issued to intranet Web sites and all issuing certification authority (CA) certificates in the certification path.

In this procedure, you can modify a certificate template that is used to issue Web server certificates in your organization or any certificate template that meets the following requirements:

  • The certificate template is version 2 or version 3.

  • The certificate purpose includes signature and encryption.

  • The application policy extension includes server authentication.

The issuing CA must meet the following requirements:

  • The certification path of the issuing CA certificate includes a root certificate that includes an EV certificate policy.

  • The issuing CA certificate includes the All Issuance policy or an EV certificate policy.

  • The issuing CA is an enterprise CA.

Enterprise Admins is the minimum group membership required to complete this procedure.

To add an EV certificate policy to a certificate template
  1. On the issuing CA, open Server Manager. In the console tree, expand Roles, expand Active Directory Certificate Services, then click Certificate Templates.

  2. Double-click a template that is used to issue certificates to intranet Web sites.

  3. Click the Extensions tab.

  4. Click Application Policies, and then click Edit to open the Edit Application Policies Extension dialog box.

  5. Click Add to open the Add Application Policy dialog box.

  6. Click New to open the New Application Policy dialog box.

  7. Type a name for the EV certificate policy. The name will be displayed in the extensions of issued certificates and in the template properties in the Certificate Templates snap-in.

  8. A unique object identifier (also known as OID) value is automatically generated. Copy the object identifier value for use in the following procedure. Click OK.

  9. In the Application policies list, select the policy that you created. Click OK.

  10. Click OK to save the application policy extension. On the Extensions tab, verify that the EV certificate policy is displayed in the Description of Application Policies box.

  11. Click the Security tab. Verify that the groups or users who request certificates for intranet Web sites have Read and Enroll permissions.

  12. Click OK to save the certificate template.

  13. In the console tree, double-click the CA.

  14. In the console tree, right-click Certificate Templates, click New, and then click Certificate Template to Issue to open the Enable Certificate Templates dialog box.

  15. Select the certificate template with the EV certificate policy, and click OK.

Adding an EV certificate policy to a root certificate

Enterprise Admins is the minimum group membership required to complete this procedure.

To add an EV certificate policy to a root certificate
  1. Click Start, and then click Run. Type gpmc.msc, and click OK to open the Group Policy Management Console (GPMC).

  2. In the console tree, expand the forest and domain containing the policy that you want to edit, and then click Group Policy Objects.

  3. Right-click the policy that you want to edit, and then click Edit.

  4. In the console tree, under Computer Configuration, expand Policies, Windows Settings, Security Settings, Public Key Policies, and Trusted Root Certification Authorities.

  5. If no root certificates are displayed, export the CA certificate from the root CA, and import the certificate into Trusted Root Certification Authorities. See Export a Certificate.

  6. Right-click the root certificate, click Properties, and then click the Extended Validation tab.

  7. Type an object identifier value that represents the EV certificate policy in your organization. If you created the EV certificate policy by using the previous procedure, use the same object identifier value.

  8. Click Add OID, and then click OK to save changes.

Note

Changes in Group Policy are applied by domain members periodically based on the Group Policy refresh interval, during computer startup, and during user logon. The default refresh interval is 90 minutes. To immediately refresh Group Policy on a domain member, run the Gpupdate command.

Issuing EV certificates

Follow the procedures in these related topics to request and install an EV certificate on your intranet Web server:

Additional references