Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Certificate Templates not showing up

Posted on 2010-08-31
3
Medium Priority
?
20,991 Views
Last Modified: 2012-05-10
I have an issue when trying to create a new Cert. template in my enviornment.

I have the following:
An offline Root CA running Srv2008 Ent. (ORCA001)
A subordinate Enterprise CA running Server 2008 Ent. (SUBCA001)

If I logon to SUBCA001, open pkiview.msc, open the templates and Duplicate ANY template, I am able to build the template, change values in the template and save the template.
If I wait for replication, I can see the new template on another writeable DC.

However, when I go to http://subca001/certsrv, 'request a certificate', 'advanced certificate request', 'Create and submit a request to this CA' the new template is NOT in the Template Drop-Down list.

Anyone have an idea as to what is going on?

0
Comment
Question by:TexasPlowBoy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33574121
What kind of template do you set up? On enrollment web page you can see only few defined certificates. If it is something out of "standard" you should open mmc console and add "Certificates Template" snap-in and select main node. Then click right mouse button on it and choose "View Objects Identifiers" then find interesting entry and copy or write down OID for you. Run web enrollment page and chose advanced options of new certificate and select "other" type and put particular OID in the box. Then you can approve that certificate in CA console.
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 2000 total points
ID: 33650197
Sanity check - did you issue the template to the CA after creating it?  To check, go into the Certification Authorities MMC (certsrv.msc) and check the Certificate Templates folder here (not the Certificate Templates MMC).  If it is not there then right-click the Certificate Templates folder and issue the template(s) that you are looking for.

Next thing to check is permissions on the template itself.  You can right-click the Certificate Templates folder - Manage to open the Certificate Tempaltes MMC (certtmpl.msc) to view the properties to check permissions.  Make sure your account has at least read and enroll rights.  

If we're still looking good, then check the Extensions tab and view the Certificate Template Information listing and see if the Subject Type: listed in the bottom part of the window is Computer or User.  For what you are trying to do you need this to be User.  If it is a Computer template then you need to open the Certificates MMC snap-in under the Local Computer context and request the cert from the Personal - Certificates folder here so that it will use the computer's credentials.

Another thing to check is on the Subject Name tab - you might try selecting to Supply in Request instead of pull from AD if you are using the web page.

You are able to view other templates, correct?  Check to see what OS compatibility is listed in Certificate Templates MMC - it may be that you need to upgrade your AD forest functional level to support the template type (e.g. you need AD forest level to support a 2008 template) - if you are still at 2003 forest then you need to create the template as being 2003 compatible, even if your CA is 2008.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question