SYPTE-IT asked:
Certificate template not creating certificate

I am attempting to set up EAP-TLS authentication for our wireless LAN.
I am following the instructions in Securing Wireless LANs with Certificate Services Build Guide.pdf (part of Securing_Wireless_LANs_with_Certificate_Services.zip, downloaded from http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en).
I have got as far as page 110 (116 of the PDF), Verifying IAS Server Certificate Deployment, and am stuck.
The RAS and IAS Server Authentication template that I have created doesn't seem to want to create a certificate that appears in the Certificates (Local Computer), Personal, Certificates store. I have rebooted the server and also waited a day, which is easily long enough for any replication.
Any ideas?
Paranormastic replied:

1. After creating the new template, was this issued to the CA?  Double check certificate templates folder in the CA MMC.

2. Check permissions on the template in Certificate Templates MMC to make sure the workstation group is allowed for read, enroll, autoenroll permissions.

3. Is your AD functional level at least 2003?

4. Are there any pending requests or failed requests on the CA that match the template?

5. Check the event logs on the requesting server/client.

6. Do the clients have the root certificate in their trusted root store as showing in Certificates MMC (Local Computer), Trusted Root Certification Authorities?

7. Can the clients access at least one CDP?  Is the CRL still current/valid?
SYPTE-IT (asker) replied:

Thanks, I'll check these points and report back.

1. After creating the new template, was this issued to the CA? Double check certificate templates folder in the CA MMC.
Yes, all three new templates are in this folder including the one in question

2. Check permissions on the template in Certificate Templates MMC to make sure the workstation group is allowed for read, enroll, autoenroll permissions.
The workstation group doesn't have these permissions. I've added them, but I'm not certain why they should be needed; the impression that I got was that only the Certificate Authority server needed these permissions on this particular template (which it did have).

3. Is your AD functional level at least 2003?
Yes

4. Are there any pending requests or failed requests on the CA that match the template?
No

5. Check the event logs on the requesting server/client.
Can't find anything

6. Do the clients have the root certificate in their trusted root store as showing in Certificates MMC (Local Computer), Trusted Root Certification Authorities?
I think so. If the root certificate is what shows as the next tree level down from Certificate Authority (Local) in the Certificate Authority MMC snap-in then yes.

7. Can the clients access at least one CDP? Is the CRL still current/valid?
Not sure what you mean by CDP. Assuming CRL is certificate revocation list, yes.
I've just discovered that I can manually Request New Certificate on the IAS server and get it correctly, but the instructions imply it should be received automatically, by Autoenrollment.
Paranormastic replied:

#2 - the permissions apply to the certificate enrollee, not the CA. If the CA server has permissions, then it would be allowed to issue itself a cert under that template. When you install the template to the certificate templates folder, that gives the CA the permissions it needs to issue. The recipient needs to have the correct permissions to request the cert.

#6 - not quite sure that you are looking at the correct thing here. MMC - Add snap-in - Certificates - Computer account - Local Computer - finish the wizard and close the adding list. If you expand Certificates (Local Computer), it would normally be the 2nd sub-listing "Trusted Root Certification Authority" (often you may need to click and drag the divider bar to the right to view the whole name) - if you expand that then select the Certificates sub-listing, your root cert should show on the right side (details pane).

#7 - CDP is "CRL Distribution Point" - this is listed on the Details tab as "CRL Distribution Point"; if selected, the white box at the bottom of that window will show the specified locations. This can also be viewed within the Certification Authorities MMC if you open the properties of CAName (the name you call the CA role itself, not the CA's DNS server name), on the Extensions tab. This may look a bit strange this way as it is common to have variables assigned in the CA extensions tab. Note that the root cert should not normally display a CDP; the root's CDP configuration will be reflected in the 2nd tier CA's CDP (if you have a 2nd tier subordinate CA), etc. The issued certificate's CDP will reflect the CDP of the CA that issued it (the subordinate CA, or if issued directly from the root it would be the root's CDP).
You might also want to check group policy (GPO) in the following area:
Default Domain Policy/Computer Configuration/Windows Settings/Security Settings/Public Key Policies.
There you will find the location to put your root CA certificate to deploy to the domain members. You will also find the autoenrollment section for configuring a couple of things for that. Note that Automatic Certificate Request Settings (ACRS) is legacy for Windows 2000 environments; normally there is no need to use that anymore with XP/2003 and newer.
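An added example, not from the thread or from Microsoft's guide: a Windows PowerShell script that works through Paranormastic's checklist items 1, 5, 6 and 7 on the IAS server and triggers the certutil -pulse step mentioned later in the thread. It assumes the template display name from the question, a placeholder CA common name, Windows PowerShell 5.1 (for Get-EventLog and the PKI module's Export-Certificate) and an elevated prompt on a domain-joined machine.

```powershell
# Added example (not the thread's or the guide's code). Run elevated on the IAS server.
# ASSUMPTIONS: template display name as in the question; edit the CA name placeholder.
$TemplateName = 'RAS and IAS Server Authentication'
$CaCommonName = 'YOUR-ISSUING-CA-NAME'   # placeholder, replace with your CA's CN

# Checklist item 1: is the template published on the CA?
# certutil -CATemplates lists the templates the CA is configured to issue.
$caTemplates = (certutil -CATemplates 2>&1) -join "`n"
$published = $caTemplates -match [regex]::Escape($TemplateName)
"Template published on CA: $published"

# Checklist item 6: is the CA certificate in the computer's Trusted Root store?
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$CaCommonName*" }
"CA certificate in Trusted Root store: $([bool]$trusted)"

# The reported symptom: does Personal (Local Computer) hold a cert from the template?
# v2 templates carry OID 1.3.6.1.4.1.311.21.7 (Certificate Template Information);
# v1 templates carry 1.3.6.1.4.1.311.20.2 (Certificate Template Name).
function Get-TemplateCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Extensions | Where-Object {
            $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' -and
            $_.Format($false) -match [regex]::Escape($TemplateName)
        }
    }
}
$cert = @(Get-TemplateCert)[0]
"Certificate from template already present: $([bool]$cert)"

if (-not $cert) {
    # Kick off machine autoenrollment now instead of waiting for the scheduled run
    # (the certutil -pulse step the asker used), then look again.
    certutil -pulse | Out-Null
    Start-Sleep -Seconds 15
    $cert = @(Get-TemplateCert)[0]
    "Certificate present after pulse: $([bool]$cert)"
}

# Checklist item 5: autoenrollment reports its failures to the Application log.
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -like '*AutoEnrollment*' } |
    Select-Object -First 5 TimeGenerated, EntryType, EventID, Message | Format-List

# Checklist item 7: once a certificate exists, build its chain and fetch its CDP/AIA
# URLs; a CDP the client cannot reach, or a stale CRL, shows up as a failed URL here.
if ($cert) {
    $path = Join-Path $env:TEMP 'ias-cert.cer'
    Export-Certificate -Cert $cert -FilePath $path | Out-Null
    certutil -verify -urlfetch $path
}
```

If the template is published and the permissions are right but the pulse still yields nothing, the AutoEnrollment event log entries are usually the first place the reason (denied template, unreachable CA, untrusted chain) is spelled out.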
ASKER CERTIFIED SOLUTION by Paranormastic (solution text not available on this page).

SYPTE-IT (asker) replied:

I had written answers to all your pointers, but EE seems to have lost them!
However I checked everything you suggested and they were already set as you say they should be. As I don't want to have to manually request/re-enroll the certificate when it runs out I thought I would do as you suggest and delete the manually requested/enrolled certificate and run certutil -pulse. For some reason this now seems to have worked, the certificate has re-appeared, presumably autoenrolled!

So, I'm not certain what I have done to fix the issue, but it seems to have worked. Any ideas what has made the difference, so I can give the accepted answer to your right one?
SOLUTION (text not available on this page).

SYPTE-IT (asker) replied:

Thanks