Aqui está a solução real.
To describle the process of duplicating the template and issuing the certificate more clearly, I would like to provide a more precise action plan as following.
On CA, create a duplicate of the "RAS and IAS Server certificate template". Type RAS and IAS Server Authentication into the Template display name field on the General tab of the new template's properties.
On the Extensions tab, ensure that the application policies only include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
Also on the Extensions tab, edit the Issuance policies and add the Medium Assurance policy.
On the Subject Name tab, select Build from this Active Directory information. Also, ensure that Subject name format is set to Common name and that only DNS anme is selected under include this information in subject alternative name.
On the Request Handing tab, click the CSPs button, ensure that Request must use one of the following CSPs is selected, and that only the Microsoft RSA SChannel Cryptographic Provider is selected.
On the Security tab, add the AutoEnroll RAS and IAS Server Authentication Certificate security group with Read, Enroll, and Autoenroll permissions.
Add certificate templates to the CA.
From the Certification Authority MMC snap-in, right-click the Certificate Templates folder, select New and then Certificate Template to Issue. Selectthe following certificates, and then click OK.
"RAS and IAS Server Authentication"
Log on to the IAS server as a member of the local Administrators group.
Open the MMC, and then add the Certificates snap-in. When prompted, select the Computer account option, and then select Local Computer.
Select Certificates (Local Computer) from the console tree, select All Tasks from the Action menu, and then click Automatically Enroll Certificates