Solved

Add a certificate template

Posted on 2004-10-31
Last Modified: 2016-03-23
Guys, can you help me out,

I have a single Windows 2003 Standard root CA and I would like to duplicate the User certificate (as per the MS document "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows") and add it to the store.

I have managed to duplicate it in certificate management, however when I go to the certificates store I cannot see nor add the template to the store for enrollment. Can anyone advise please?

I am trying to create a new certificate for wireless and VPN access.

thanks

Robbie
Question by:Blackduke77
14 Comments
 
LVL 15

Accepted Solution

by:
Cyber-Dude earned 2000 total points
ID: 12461228
Creating a New Template for the Autoenrollment of a Smart Card

To create a new template for autoenrollment of a smart card

1. Log on as a domain administrator.

2. Click the Start button, and then click Run.

3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.

4. On the File menu, click Add/Remove Snap-in.

5. In the Add/Remove Snap-in dialog box, click Add.

6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.

Note: The Certificate Templates MMC snap-in is available on the Server version of Windows Server 2003 or on Windows XP Professional through the Administration Tools Pack installation on the Server media.

7. Click Close.

8. Click OK.

Note: The Certificate Templates MMC snap-in may also be invoked using the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.

9. In the console tree, click Certificate Templates.

10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template

11. In the Template display name field, type a unique name for the template.
Note: If the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option is enabled, autoenrollment will not enroll a user for the certificate template even if a certificate does not exist in the user's MY store. Active Directory is queried to determine whether the user should be enrolled. This is an extremely valuable feature for users who do not have roaming profiles and log on to multiple machines. Without this setting and without roaming profiles, the user will automatically be enrolled on every machine that is logged on to (including servers).

12. Click the Request Handling tab.
This tab is used to define how the certificate request should be processed, including the cryptographic service providers (CSP) and minimum key sizes that will be used by the enrollment template.

Important: If more than one smart card CSP is made available on this tab, the user may be prompted for every CSP that is selected when enrolling for this template. The behavior may vary depending on the CSPs available on the client machine. If the user has only one smart card, the prompts for the unavailable CSPs will have to be cancelled. This behavior is by design. It is also important to select a minimum key size that is supported by the selected CSP; otherwise, enrollment will fail.

13. Select the Prompt the user during enrollment check box (Figure 3). (Enrollment for smart card requires user input to succeed.)

Important: If the certificate template is not going to be used for smart cards or if it is not desired for the user to be prompted to enroll for certificates, this option is not required. Machine certificates should not have this enabled or machine autoenrollment will fail.

14. Click the Subject Name tab.

This tab is used to define how the subject name and certificate properties will be built. It is recommended to use the default selections when enrolling for a smart card template.

15. Click the Extensions tab.

This tab is used to define how the various extensions will be added to this certificate template during enrollment. It is recommended that you use the default settings.

Note: Application Policies is a replacement for Extended Key Usage (EKU) in Windows Server 2003, although EKU is still supported for legacy applications and client operating systems.

16. Click the Security tab.

This tab is used to define which users or groups may enroll or autoenroll for a certificate template. A user or group must have the Read, Enroll, and Autoenroll permissions to automatically be enrolled for a certificate template.

17. Click OK when finished.

For more details go to the following link:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

Hope that helped

Cyber
0
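Added example, not part of the thread or of the Microsoft document quoted above: a PowerShell session run on the CA (or any domain-joined box with RSAT) that checks what the steps above actually produced. It lists every template published in Active Directory together with its schema version (1 for a v1 template, 2 for a duplicated v2 template; the version is what decides whether a Windows Server 2003 Standard Edition CA can offer it under "Certificate Template to Issue", as the thread later finds), shows which templates the CA is configured to issue, tries to add the duplicated template by name with certutil, and dumps the Enroll/Autoenroll ACEs that step 16 sets. It assumes the ActiveDirectory module and certutil.exe are available; the template name 'WirelessUser' is a placeholder for whatever name was given to the duplicate.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module + certutil.exe.
# 'WirelessUser' is a placeholder for the Name (not the display name) of the duplicated template.
$templateName = 'WirelessUser'

$config      = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"

# 1. Every template published in the forest, with its schema version.
#    1 = version 1 template, 2 = version 2 template (what "Duplicate Template" creates on 2003).
Get-ADObject -SearchBase $templatesDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Template-Schema-Version' |
    Select-Object Name, displayName,
        @{ n = 'SchemaVersion'; e = { $_.'msPKI-Template-Schema-Version' } } |
    Sort-Object SchemaVersion, Name |
    Format-Table -AutoSize

# 2. Templates this CA is currently configured to issue. This is the same list the
#    "Certificate Template to Issue" dialog in the Certification Authority snap-in works from.
certutil -CATemplates

# 3. Add the duplicated template to the CA's issuing list by name. On a Standard Edition CA
#    a version 2 template cannot be issued, so this is where the attempt fails or the template
#    simply never appears; on Enterprise/Datacenter edition it is added and shows up in step 2.
certutil -SetCATemplates "+$templateName"

# 4. Who can enroll or autoenroll for the template (step 16, Security tab). Enroll and
#    Autoenroll are extended rights identified by fixed schema GUIDs; an ACE whose ObjectType
#    is the empty GUID with ExtendedRight grants *all* extended rights, which includes both.
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-90d4-00c04f79dc55'   # Certificate-AutoEnrollment
$extendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$acl = Get-Acl -Path "AD:\CN=$templateName,$templatesDN"
$acl.Access |
    Where-Object {
        ($_.ObjectType -eq $enrollGuid) -or
        ($_.ObjectType -eq $autoEnrollGuid) -or
        ($_.ObjectType -eq [guid]::Empty -and ($_.ActiveDirectoryRights -band $extendedRight))
    } |
    Select-Object IdentityReference, AccessControlType,
        @{ n = 'Right'; e = {
            switch ($_.ObjectType) {
                $enrollGuid     { 'Enroll' }
                $autoEnrollGuid { 'Autoenroll' }
                default         { 'All extended rights (includes Enroll/Autoenroll)' }
            } } } |
    Format-Table -AutoSize
```

The Name/displayName distinction matters for step 4: the Certificate Templates snap-in stores the object under its short Name, so a display name with spaces will not resolve as the CN. Checking the ACL rather than trusting the Security tab is worth the extra lines, because an Everyone or Authenticated Users Enroll ACE on a duplicated template is visible here at a glance and is easy to miss in the GUI.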
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461493
Thanks for the good answer, however this is my problem: it is not working. I have done as above and it does duplicate the template, but I cannot add the template :(

0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12461523
OK
Now, from the template you just created, you can add it to the organizations' CD or to the Group Policy. There is a step-by-step explanation within the link I provided you.

Cyber
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461567
I understand, but when I right-click Certificates and select Certificate Template to Issue, the new template I just created is not shown.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12461617
Try to open the %SystemRoot%\certcom.log file and see what went wrong there.

Cyber
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461656
Hmmm, no log there. There is only edb001.log, edb.chk, edb.log, res.log.
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461745
What does this mean? Does this affect me if I am duplicating the user cert?

Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461757
I think I need Enterprise Edition, see below:

Version 2 certificate templates

Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.

Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.


Can I upgrade from standard to enterprise edition ?
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12461877
edb001.log, edb.chk and so forth are Exchange log files which are important to the normal operation of the whole system. Can you 'search' for the 'certcom.log' file?

Cyber
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12461914
Did search for it, to no avail.
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12461954
Interesting;
In answer to your query: it is possible to upgrade Windows Server 2003 Standard Edition to Enterprise Edition, though I'm not sure what the benefit is from committing to that action.

I would support the tryout though.

Cyber
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12462087
I have decided to try using the standard Smart Card certificate to see if that would do. I would like to create a new CA system with an offline CA etc. but can't find any info on it:

migrating a root CA to an offline root CA
                                              |
                                              |
                                        issuing CA

So until I have worked out that one I think it is best to keep the system the same as it is.

Will let you know how this goes
0
 
LVL 15

Expert Comment

by:Cyber-Dude
ID: 12462621
Glad to be updated;

Cyber
0
 
LVL 1

Author Comment

by:Blackduke77
ID: 12687205
It seems you need 2003 Advanced Edition to do what we want.
0
