Solved

Add a certificate template

Posted on 2004-10-31
467 Views
Last Modified: 2016-03-23
Guys, can you help me out,

I have a single Windows 2003 Standard root CA and I would like to duplicate the user certificate (as per the MS document "Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows") and add it to the store.

I have managed to duplicate it in Certificate Management; however, when I go to the certificates store I cannot see nor add the template to the store for enrollment. Can anyone advise, please?

I am trying to create a new certificate for wireless and VPN access.

thanks

Robbie
0
Question by:Blackduke77
    14 Comments
     
    LVL 15

    Accepted Solution

    by: Cyber-Dude
    Creating a New Template for the Autoenrollment of a Smart Card

    To create a new template for autoenrollment of a smart card

    1. Log on as a domain administrator.

    2. Click the Start button, and then click Run.

    3. In the Run dialog box, in the Open box, type mmc.exe, and then click OK.

    4. On the File menu, click Add/Remove Snap-in.

    5. In the Add/Remove Snap-in dialog box, click Add.

    6. In the Add Standalone Snap-in dialog box, click Certificate Templates, and then click Add.

    Note: The Certificate Templates MMC snap-in is available on the Server version of Windows Server 2003 or on Windows XP Professional through the Administration Tools Pack installation on the Server media.

    7. Click Close.

    8. Click OK.

    Note: The Certificate Templates MMC snap-in may also be invoked using the Certification Authority MMC snap-in by selecting the Certificate Templates folder, right-clicking, and then selecting Manage.

    9. In the console tree, click Certificate Templates.

    10. In the details pane, right-click the Smartcard User template, and then click Duplicate Template.

    11. In the Template display name field, type a unique name for the template.
    Note: If the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option is enabled, autoenrollment will not enroll a user for the certificate template, even if a certificate does not exist in the user's MY store. Active Directory is queried to determine whether the user should be enrolled. This is an extremely valuable feature for users who do not have roaming profiles and log on to multiple machines. Without this setting and without roaming profiles, the user will automatically be enrolled on every machine that is logged on to (including servers).

    12. Click the Request Handling tab.
    This tab is used to define how the certificate request should be processed, including the cryptographic service providers (CSPs) and minimum key sizes that will be used by the enrollment template.

    Important: If more than one smart card CSP is made available on this tab, the user may be prompted for every CSP that is selected when enrolling for this template. The behavior may vary depending on the CSPs available on the client machine. If the user has only one smart card, the prompts for the unavailable CSPs will have to be cancelled. This behavior is by design. It is also important to select a minimum key size that is supported by the selected CSP; otherwise, enrollment will fail.

    13. Select the Prompt the user during enrollment check box (Figure 3). (Enrollment for a smart card requires user input to succeed.)

    Important: If the certificate template is not going to be used for smart cards or if it is not desired for the user to be prompted to enroll for certificates, this option is not required. Machine certificates should not have this enabled or machine autoenrollment will fail.

    14. Click the Subject Name tab.

    This tab is used to define how the subject name and certificate properties will be built. It is recommended to use the default selections when enrolling for a smart card template.

    15. Click the Extensions tab.

    This tab is used to define how the various extensions will be added to this certificate template during enrollment. It is recommended that you use the default settings.

    Note: Application Policies is a replacement for Extended Key Usage (EKU) in Windows Server 2003, although EKU is still supported for legacy applications and client operating systems.

    16. Click the Security tab.

    This tab is used to define which users or groups may enroll or autoenroll for a certificate template. A user or group must have the Read, Enroll, and Autoenroll permissions to automatically be enrolled for a certificate template.

    17. Click OK when finished.

    For more details, go to the following link:
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx

    Hope that helped

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    Thanks for the good answer; however, this is my problem: it is not working. I have done as above and it does duplicate the template, but I cannot add the template :(

    0
     
    LVL 15

    Expert Comment

    by:Cyber-Dude
    OK.
    Now, from the template you just created, you can add it to the organization's CD or to the Group Policy. There is a step-by-step explanation within the link I provided you.

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    I understand, but when I right-click Certificates and select Certificate Template to Issue, the new template I just created is not shown.
    0
     
    LVL 15

    Expert Comment

    by:Cyber-Dude
    Try to open the %SystemRoot%\certcom.log file and see what went wrong there.

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    Hmmm, no log; there are only edb001.log, edb.chk, edb.log and res.log.
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    What does this mean? Does this affect me if I am duplicating the user cert?

    Although Version 2 templates can be created and duplicated in Windows Server 2003, Standard Edition, certificates based on Version 2 templates can only be issued by a certification authority running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    I think I need Enterprise Edition; see below:

    Version 2 certificate templates
    Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition, certification authorities support two types of certificate templates: version 1 and version 2. Version 2 templates are new to the Windows Server 2003 family. They allow customization of most settings in the template. Several preconfigured version 2 templates are supplied in the default configuration, and more can be added as necessary. This allows complete configuration flexibility for administrators.
    Version 2 templates are only available as part of a certification authority that is installed as an enterprise certification authority. For that reason, they require Active Directory. Although Version 2 templates can be created and duplicated in the Windows Server 2003 family, certificates that are based on Version 2 templates can only be issued by a certification authority that is running Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition.


    Can I upgrade from Standard to Enterprise Edition?
    0
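As an added example for this thread (it is not code from the original posts or from Microsoft's documentation), the following PowerShell script checks from the directory side what the accepted answer's steps and the Version 2 quote above describe: which templates exist in the AD configuration partition and at what schema version, which of them each enterprise CA is configured to issue, and who holds the Enroll right on them. It also flags the one thing a practitioner would want to know before using a duplicated User template for 802.1X or VPN logon: a client-authentication template whose subject is supplied by the requester and which a broad group may enroll for lets any member request a certificate naming any user. Assumptions, all labelled in the code: it runs as a domain/enterprise admin from a host with the ActiveDirectory RSAT module and certutil.exe, and the template name "WirelessUser" is a placeholder for whatever the duplicate was called.

```powershell
# Added example for this thread; not code from the original posts or from Microsoft.
# Audits the certificate templates in the AD configuration partition, shows which
# ones each enterprise CA is configured to issue, and reports the two things that decide
# whether a duplicated (version 2) template ever shows up under "Certificate Template
# to Issue": that it was saved to AD at all, and that the CA edition can issue it.
# Assumptions: run as a domain/enterprise admin from a host with the ActiveDirectory
# RSAT module; certutil.exe available; $TemplateName is whatever the duplicate was named.

Import-Module ActiveDirectory

$TemplateName = 'WirelessUser'   # placeholder for the duplicated template's name
$CaHost       = $null            # DNS name of the CA to check, or $null for the first one found

$cfgNc  = (Get-ADRootDSE).configurationNamingContext
$tmplDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
$enrlDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfgNc"

# Documented constants (MS-CRTD, MS-ADTS); only the Enroll extended right is checked here
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
$EKU_CLIENT_AUTH   = '1.3.6.1.5.5.7.3.2'
$ENROLL_RIGHT_GUID = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$BroadPrincipals   = @('Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone')

function Get-TemplateReport {
    Get-ADObject -SearchBase $tmplDn -Filter 'objectClass -eq "pKICertificateTemplate"' `
        -Properties displayName, 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', pKIExtendedKeyUsage |
    ForEach-Object {
        $t = $_
        # Principals holding an Allow ACE for the Certificate-Enrollment extended right
        $enrollers = (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $ENROLL_RIGHT_GUID } |
            ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] } |
            Sort-Object -Unique
        $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $clientAuth      = @($t.pKIExtendedKeyUsage) -contains $EKU_CLIENT_AUTH
        $broadEnroll     = @($enrollers | Where-Object { $BroadPrincipals -contains $_ }).Count -gt 0
        [pscustomobject]@{
            Name                 = $t.Name
            DisplayName          = $t.displayName
            SchemaVersion        = [int]$t.'msPKI-Template-Schema-Version'   # 1 = legacy, 2 = editable 2003 template
            ClientAuthEKU        = $clientAuth
            RequesterSetsSubject = $suppliesSubject
            Enrollers            = ($enrollers -join ', ')
            # A client-authentication template whose subject comes from the request, enrollable
            # by a broad group, lets any member obtain a certificate naming any user. Templates
            # for 802.1X/VPN logon should build the subject from Active Directory (the default).
            RiskyForAuth         = $clientAuth -and $suppliesSubject -and $broadEnroll
        }
    }
}

function Get-CaIssuedTemplates {
    # One pKIEnrollmentService object per enterprise CA; certificateTemplates = what it issues
    Get-ADObject -SearchBase $enrlDn -Filter 'objectClass -eq "pKIEnrollmentService"' `
        -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        [pscustomobject]@{ CA = $_.Name; Host = $_.dNSHostName; Issues = @($_.certificateTemplates) }
    }
}

$report = Get-TemplateReport
$report | Sort-Object SchemaVersion, Name |
    Format-Table Name, SchemaVersion, ClientAuthEKU, RequesterSetsSubject, RiskyForAuth, Enrollers -AutoSize

$cas = Get-CaIssuedTemplates
foreach ($ca in $cas) { "CA '$($ca.CA)' on $($ca.Host) issues: $($ca.Issues -join ', ')" }

$dup = $report | Where-Object { $_.Name -eq $TemplateName -or $_.DisplayName -eq $TemplateName } | Select-Object -First 1
if (-not $dup) {
    "Template '$TemplateName' is not in AD: the duplicate was never saved to the configuration partition."
} else {
    $ca = if ($CaHost) { $cas | Where-Object { $_.Host -eq $CaHost } } else { $cas | Select-Object -First 1 }
    # The thread's blocker: a version 2 template can only be issued by a Windows Server 2003
    # Enterprise or Datacenter Edition CA, so a Standard Edition CA never lists it.
    $edition = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ca.Host).Caption
    "Template '$($dup.Name)' is schema version $($dup.SchemaVersion); CA '$($ca.CA)' runs '$edition'."
    if ($ca.Issues -notcontains $dup.Name) {
        "Not published on '$($ca.CA)'. On a CA edition that supports it, publish with:"
        "  certutil -config `"$($ca.Host)\$($ca.CA)`" -SetCATemplates +$($dup.Name)"
    }
}
```

The Enroll check reads the template's security descriptor directly, so it reports what the Security tab in step 16 actually stores; `certutil -SetCATemplates` is the command-line equivalent of "Certificate Template to Issue" and takes the template's common name (the Name column), not its display name.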
     
    LVL 15

    Expert Comment

    by:Cyber-Dude
    edb001.log, edb.chk and so forth are Exchange log files which are important to the normal operation of the whole system. Can you 'search' for the 'certcom.log' file?

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    I did search for it, to no avail.
    0
     
    LVL 15

    Expert Comment

    by:Cyber-Dude
    Interesting;
    In answer to your query: it is possible to upgrade Windows Server 2003 Standard Edition to Enterprise Edition, though I'm not sure what the benefit is of committing to that action.

    I would support the tryout though.

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    I have decided to try using the standard smart card certificate to see if that would do. I would like to create a new CA system with an offline CA etc. but can't find any info on it:

    migrating a root CA to an offline root CA
                                                  |
                                                  |
                                            issuing CA

    So until I have worked out that one, I think it is best to keep the system the same as it is.

    Will let you know how this goes.
    0
     
    LVL 15

    Expert Comment

    by:Cyber-Dude
    Glad to be updated;

    Cyber
    0
     
    LVL 1

    Author Comment

    by:Blackduke77
    It seems you need 2003 Advanced Edition to do what we want.
    0
