A certificate enables the subject to perform a specific task. To help control the usage of a certificate outside its intended purpose, restrictions are automatically placed on certificates. These restrictions can be applied by using the key usage extension.

Key usage is a restriction method that determines what a certificate can be used for. This allows the administrator to issue certificates that can only be used for specific tasks or certificates that can be used for a broad range of functions. Key usage descriptions include "Digital signature" and "Allow key exchange only with key encryption."

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To modify key usage
  1. Open the Certificate Templates snap-in.

  2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

  3. On the Extensions tab, click Key Usage, and then click Edit.

  4. Select the key usage options that you want to add or remove, and then click OK twice.


    Not all key usage options can be modified on all certificate templates.
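
After the template is changed, the key usage extension on a certificate can be read back to confirm it carries the intended restriction. The following PowerShell is an added example, not part of the original procedure: the helper name Test-CertKeyUsage and the in-memory self-signed certificate are constructed for illustration, and it assumes PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (not a built-in cmdlet): reports whether a certificate's
# key usage extension (OID 2.5.29.15) permits every usage named in -Required.
function Test-CertKeyUsage {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][X509KeyUsageFlags]$Required
    )
    $raw = $Certificate.Extensions['2.5.29.15']
    if ($null -eq $raw) {
        # No key usage extension: the certificate carries no key usage restriction.
        return [pscustomobject]@{ Restricted = $false; Critical = $false
                                  Flags = [X509KeyUsageFlags]::None; Permits = $true }
    }
    # Decode the raw extension bytes into typed flags.
    $ku = [X509KeyUsageExtension]::new($raw, $raw.Critical)
    [pscustomobject]@{
        Restricted = $true
        Critical   = $ku.Critical
        Flags      = $ku.KeyUsages
        Permits    = (($ku.KeyUsages -band $Required) -eq $Required)
    }
}

# Constructed sample: an in-memory self-signed certificate whose key usage is
# limited to "Digital signature". Nothing is written to a certificate store.
$rsa = [RSA]::Create(2048)
try {
    $req = [CertificateRequest]::new('CN=constructed-example', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add(
        [X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
    $now  = [DateTimeOffset]::UtcNow
    $cert = $req.CreateSelfSigned($now, $now.AddDays(1))

    # Check one usage the certificate was given and one it was not.
    Test-CertKeyUsage -Certificate $cert -Required DigitalSignature
    Test-CertKeyUsage -Certificate $cert -Required KeyEncipherment
}
finally { if ($cert) { $cert.Dispose() }; $rsa.Dispose() }
```

The same function accepts any X509Certificate2 object, for example one read from the Cert: drive, so certificates enrolled from the edited template can be checked the same way.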

Certificate usage can also be managed by using the application policy extension. For more information, see Application Policy.

Additional references