Cannot Create IPSEC Certificates using Windows Server 2000 Certificate Authority

Posted on 2007-08-08
Last Modified: 2009-06-14
I am trying to create certificates for an IPSEC enabled VPN using a Windows 2000 server with Microsoft's CA. I have set up the CertSrv services and can successfully get a "Basic EFS" or "User" certificate through the web based certificate services "http://servername/CertSrv" (request certificate -> advanced request -> Submit a certificate request using ..."). The problem is that the certificate template type "IPSEC" does not show in the list of Certificate Templates. Only "Basic EFS" or "User".

I checked the CA configuration and there is a profile for IPSEC enabled, but it still does not show up in the list.
Question by:vrobison
    Expert Comment

    There are usually three reasons why a certificate template won't appear in either the MMC enrollment wizard or the web-based enrollment page:
    1. The CA to which the user/computer has access doesn't have the cert template in its list of published cert templates.  [Sounds like you've already confirmed this requirement.]
    2. The cert template doesn't allow "Read" and "Enroll" permissions for the user/computer who is the enrollment client of interest.  [This is the one that usually bites me on the butt.]
    3. The cert template is just simply not allowed to be issued to a user (it's a computer-only cert template).  I don't remember exactly what kind of cert template this describes, but I remember fighting for a few weeks to get some scenario to work, and finally gave up when I was told that the CA simply wouldn't allow the user account to enroll that type of cert.  [I don't think the basic IPSEC cert template is one of these "special" templates, but keep that in mind if we can't fix it any other way.  I *think* this just applies to the legacy "version 1" certificate templates, that aren't editable, where the Subject Name tab has "Computer or other device" selected under "Type of subject".]

    To enable #2, you should take the following steps:
    1. Start the Active Directory Sites and Services console.
    2. Under the View menu, toggle "Show Services Node".  [This hides some really useful functionality, so I don't understand why Microsoft decided to hide this.]
    3. Browse into Services > Public Key Services > Certificate Templates and you'll see all the possible cert templates that could be published by CAs in your AD forest.
    4. Right-click the cert template of interest (in your case, the one labelled IPSEC), and look at the Security tab.
    5. Look at the groups currently listed.  For any group that the intended user is a member of, do they have Read and Enroll permissions?  If not, is the user a member of any set of groups that *in aggregate* have Read and Enroll permissions?  [The Allow permissions are cumulative, so it's not *necessary* to grant *both* Read and Enroll to a single group.]
    6. If not, then all you have left to do is decide which way you'll assign permissions: will you add the user to one of the listed groups (or one of the groups nested in those groups), or will you create a new AD group, add the user (and others) and assign Read/Enroll/Autoenroll permissions to that group?

    Hope this helps.  Please report back on how your investigation goes.
    Accepted Solution

    Y'know, I noticed this question still hasn't been closed so I took another look at it, and it looks like I screwed up my earlier answer.

    Now that I'm thinking about this problem tonight, I realize that the IPSEC digital certificate will only be able to be enrolled by Computers, not Users.  However, the web enrollment pages are only intended for Users, not Computers.  Not only are you authenticating as a User (that probably doesn't have specific permissions to the IPSEC certificate), but I believe that CertSrv (or something in the web enrollment pages) will actually deny any attempts to enroll a Computer-oriented certificate like the default IPSEC certificate.

    Instead, I'd try using the Certificates Snap-in and try manually enrolling the computer for this certificate from there:
    - connect the Windows computer to the network so you're sure it has connectivity to the CA.
    - logon to the computer as an account that is an administrator of the computer
    - click the Start button, choose Run, then type "MMC.EXE".  
    - File > Add/Remove Snap-in > Add > Certificates
    - When it asks, choose "Computer account"
    - choose Next, Finish, then Close, then OK
    - browse "Certificates (Local Computer)", Personal, Certificates
    - right-click the Certificates folder, choose "All Tasks", then "Request New Certificate".
    - follow the wizard, then wait to see if you're successful with the enrollment request.

    If this manual enrollment using the Certificates snap-in works, then Autoenrollment should work fine for any Computer that's a member of the domain.

    Also note: in a multi-domain forest, the permissions on the Certificate Templates often have to be updated to allow all Computers or Users from additional domains to be able to enroll MS CA-generated certificates.  That's because when Windows installs the CA on a server, it'll configure the default permissions with domain groups from the domain where the server is a member.  However, it's not smart enough to automatically find all other trusted domains and ALSO add permissions for the same domain groups from other domains in the forest.  This is something you'd have to do by hand, and while nothing in your message indicates this might be the cause, it's one more thing to look for.
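    To check what steps 1-6 of the first comment and the multi-domain note above describe without clicking through AD Sites and Services, here is an added PowerShell script (not from the original thread or from Microsoft) that reads a template's AD object and lists which principals hold Read, Enroll and Autoenroll; the template CN and the extended-right GUIDs it uses are assumptions stated in the comments.

```powershell
# Added example (not from the original thread): audit which principals hold
# Read / Enroll / Autoenroll on a certificate template, i.e. what steps 1-6
# of the first comment check by hand. Assumptions: run from a domain-joined
# machine with PowerShell 3+ (not the Windows 2000 CA itself) as a user that
# can read the Configuration partition; -TemplateName is the template's CN
# (the V1 template shown as "IPSec" in the console is assumed to be
# CN=IPSECIntermediateOnline; adjust if your console shows otherwise).
param([string]$TemplateName = 'IPSECIntermediateOnline')

# Extended-right GUIDs that appear in template ACEs (assumed well-known values).
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-11d1-a5f4-00c04fd8d5cd'  # Certificate-AutoEnrollment
$AllRights       = [guid]::Empty                                  # ACE that covers every extended right

$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live in the forest-wide Configuration partition, not in any one domain.
$configNC = ([ADSI]'LDAP://RootDSE').Get('configurationNamingContext')
$dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template = [ADSI]"LDAP://$dn"

$report = foreach ($ace in $template.ObjectSecurity.Access) {
    $r    = $ace.ActiveDirectoryRights
    $full = $r.HasFlag($ADRights::GenericAll)          # Full Control implies everything below
    $ext  = $r.HasFlag($ADRights::ExtendedRight)
    [pscustomobject]@{
        Principal  = $ace.IdentityReference.Value       # look for groups from *every* domain in the forest
        Type       = $ace.AccessControlType             # a Deny entry overrides any Allow
        Read       = $full -or $r.HasFlag($ADRights::ReadProperty)
        Enroll     = $full -or ($ext -and ($ace.ObjectType -in $EnrollRight, $AllRights))
        Autoenroll = $full -or ($ext -and ($ace.ObjectType -in $AutoEnrollRight, $AllRights))
    }
}

$report | Sort-Object Type, Principal | Format-Table -AutoSize
```

    Because Allow entries are cumulative, the enrolling computer (or user) only needs Read and Enroll to be true somewhere across the groups it belongs to, with no Deny entry in the way.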
