• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 24261
  • Last Modified:

Certificate Templates not showing up

I have an issue when trying to create a new Cert. template in my enviornment.

I have the following:
An offline Root CA running Srv2008 Ent. (ORCA001)
A subordinate Enterprise CA running Server 2008 Ent. (SUBCA001)

If I logon to SUBCA001, open pkiview.msc, open the templates and Duplicate ANY template, I am able to build the template, change values in the template and save the template.
If I wait for replication, I can see the new template on another writeable DC.

However, when I go to http://subca001/certsrv, 'request a certificate', 'advanced certificate request', 'Create and submit a request to this CA' the new template is NOT in the Template Drop-Down list.

Anyone have an idea as to what is going on?

0
TexasPlowBoy
Asked:
TexasPlowBoy
1 Solution
 
Krzysztof PytkoActive Directory EngineerCommented:
What kind of template do you set up? On enrollment web page you can see only few defined certificates. If it is something out of "standard" you should open mmc console and add "Certificates Template" snap-in and select main node. Then click right mouse button on it and choose "View Objects Identifiers" then find interesting entry and copy or write down OID for you. Run web enrollment page and chose advanced options of new certificate and select "other" type and put particular OID in the box. Then you can approve that certificate in CA console.
0
 
ParanormasticCryptographic EngineerCommented:
Sanity check - did you issue the template to the CA after creating it?  To check, go into the Certification Authorities MMC (certsrv.msc) and check the Certificate Templates folder here (not the Certificate Templates MMC).  If it is not there then right-click the Certificate Templates folder and issue the template(s) that you are looking for.

Next thing to check is permissions on the template itself.  You can right-click the Certificate Templates folder - Manage to open the Certificate Tempaltes MMC (certtmpl.msc) to view the properties to check permissions.  Make sure your account has at least read and enroll rights.  

If we're still looking good, then check the Extensions tab and view the Certificate Template Information listing and see if the Subject Type: listed in the bottom part of the window is Computer or User.  For what you are trying to do you need this to be User.  If it is a Computer template then you need to open the Certificates MMC snap-in under the Local Computer context and request the cert from the Personal - Certificates folder here so that it will use the computer's credentials.

Another thing to check is on the Subject Name tab - you might try selecting to Supply in Request instead of pull from AD if you are using the web page.

You are able to view other templates, correct?  Check to see what OS compatibility is listed in Certificate Templates MMC - it may be that you need to upgrade your AD forest functional level to support the template type (e.g. you need AD forest level to support a 2008 template) - if you are still at 2003 forest then you need to create the template as being 2003 compatible, even if your CA is 2008.
1

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now