Solved

Custom Template not listed on the Certification Authority 's Enable Certificate Templates

Posted on 2004-08-25
15
3,215 Views
Last Modified: 2012-08-14
Hi ppl:

I'm having a bit of a problem with my Enterprise Certification Authority(CA). I was following the instructions found on:
http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm but I'm stuck on the part where I'm going to add the newly created template to the Certification Authority. When I do the "Certificate Template to issue" command that brings up the Enable Certificate Template dialog, the template is not there. I read that time must be allowed for the object to replicate through AD, I gave the server about 9 hours for it to replicate and still wasn't there. I also checked the domain replication with the ADSIEdit MMC Snap-in on the three DC's and the template was replicated as supposed. All DC's are Windows 2003 Server Standard Edition.

Pleaseeeeee?

Thanks,
Virgilio
0
Comment
Question by:vmelendez
  • 5
  • 4
  • 2
  • +1
15 Comments
 
LVL 4

Expert Comment

by:ehammersley
Comment Utility
When you duplicate the "User" template as per your doc it will create a v2 template for issue.  Windows 2003 Server Standard cannot and will not issue duplicated v2 certs.  That's why you don't see the template in the list for Certs to issue.  You can verify this by checking the Minimum Support CAs column in the Certificate Template snap-in, it will like Windows 2003 Server, Enterprise Edition.
0
 
LVL 4

Expert Comment

by:ehammersley
Comment Utility
it will like... sorry about that.

Your newly created template will state Windows 2003 Server, Enterprise Edition in the Min. Supported CAs column.  I'm not sure what the point was of Microsoft limiting Standard edition like this but they did.
0
 

Author Comment

by:vmelendez
Comment Utility
Whew!!
Is there any way that I could replicate the User Template with lower Minimum Support CA's? (eg. Windows 2000)? I read that     " Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition."


Right now, the certificate template shows a 101.1 with autoenroll capabilities, FYI

Thanks again
0
 
LVL 4

Accepted Solution

by:
ehammersley earned 500 total points
Comment Utility
Whew is right... the documentation is a circus.  Unless the whew was meant for me.  :-)

Basically the article from isasserver.org is walking you through configuring the certificate for autoenrollment.  The problem is that 2003 Standard CA only supports v1 certs, and v1 certs do NOT support autoenrollment.  Autoenrollment and autorenewal are new features of 2003, it wasn't possible to autoenroll user certificates in 2000 server, only computer and EFS.

Where the isaserver.org article fails in my opinion is that they do not tell you that what they are doing is only supported on Enterprise.

There is no way that I'm aware of to duplicate a v1 template in 2003 Standard and keep it at v1.  It's a pain but you will probably just have to manually issue certs for L2TP/IPSec.

Check out this link for more reading on v1 and v2 certs and 2003 Standard vs. Enterprise.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/ctcon_concepts_using.asp
0
 
LVL 1

Expert Comment

by:Blackduke77
Comment Utility
ehammersley is correct on availible on enterprise edition I found out the hard way
0
 
LVL 1

Expert Comment

by:Blackduke77
Comment Utility
Version 2 certificate templatesWindows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 1

Expert Comment

by:Blackduke77
Comment Utility
Can I ask why delete as there are two valid answers here !!!!, where both are correct
0
 
LVL 15

Expert Comment

by:harleyjd
Comment Utility
I am yet to recommend anything yet. The post is for you to suggest what you think is a valid answer. State your case, I will then make a recommendation and a mod will then action it.

Just saying "there are two valid answers" doesn't help me at all.

0
 
LVL 1

Expert Comment

by:Blackduke77
Comment Utility
Well in that case then ehammersley  was the first correct answer
0
 
LVL 15

Expert Comment

by:harleyjd
Comment Utility
thanks - in a few days I will make a formal recommendation, unless there are any other expert comments.

0
 
LVL 4

Expert Comment

by:ehammersley
Comment Utility
I just re-read this myself and I agree with Blackduke77.  Thanks for speaking up on this BD77, I appreciate that.
0
 
LVL 1

Expert Comment

by:Blackduke77
Comment Utility
NP Glad to do my bit
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now