Solved

Certificate Templates not showing up

Posted on 2010-08-31
Last Modified: 2012-05-10
I have an issue when trying to create a new Cert. template in my environment.

I have the following:
An offline Root CA running Srv2008 Ent. (ORCA001)
A subordinate Enterprise CA running Server 2008 Ent. (SUBCA001)

If I log on to SUBCA001, open pkiview.msc, open the templates and Duplicate ANY template, I am able to build the template, change values in the template and save the template.
If I wait for replication, I can see the new template on another writeable DC.

However, when I go to http://subca001/certsrv, 'request a certificate', 'advanced certificate request', 'Create and submit a request to this CA' the new template is NOT in the Template Drop-Down list.

Anyone have an idea as to what is going on?

Question by:TexasPlowBoy

Expert Comment

by:Krzysztof Pytko
ID: 33574121
What kind of template did you set up? On the enrollment web page you can see only a few defined certificates. If it is something out of "standard", you should open an mmc console, add the "Certificates Template" snap-in and select the main node. Then right-click it and choose "View Objects Identifiers", find the entry you are interested in and copy or write down its OID. Run the web enrollment page, choose the advanced options for a new certificate, select the "other" type and put that particular OID in the box. Then you can approve that certificate in the CA console.

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 33650197
Sanity check - did you issue the template to the CA after creating it?  To check, go into the Certification Authorities MMC (certsrv.msc) and check the Certificate Templates folder here (not the Certificate Templates MMC).  If it is not there then right-click the Certificate Templates folder and issue the template(s) that you are looking for.

Next thing to check is permissions on the template itself.  You can right-click the Certificate Templates folder - Manage to open the Certificate Templates MMC (certtmpl.msc) to view the properties to check permissions.  Make sure your account has at least read and enroll rights.

If we're still looking good, then check the Extensions tab and view the Certificate Template Information listing and see if the Subject Type: listed in the bottom part of the window is Computer or User.  For what you are trying to do you need this to be User.  If it is a Computer template then you need to open the Certificates MMC snap-in under the Local Computer context and request the cert from the Personal - Certificates folder here so that it will use the computer's credentials.

Another thing to check is on the Subject Name tab - you might try selecting to Supply in Request instead of pull from AD if you are using the web page.

You are able to view other templates, correct?  Check to see what OS compatibility is listed in Certificate Templates MMC - it may be that you need to upgrade your AD forest functional level to support the template type (e.g. you need AD forest level to support a 2008 template) - if you are still at 2003 forest then you need to create the template as being 2003 compatible, even if your CA is 2008.
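
The checks listed in the accepted answer can also be read directly from Active Directory. The PowerShell below is an added example, not part of the original thread; it only reads objects, and `MyNewTemplate` is a hypothetical placeholder for the template's CN (the "Template name" field, not the display name).

```powershell
# Added example (read-only). $TemplateName is a hypothetical placeholder.
$TemplateName = 'MyNewTemplate'

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tplPath  = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($tplPath)) {
    throw "Template '$TemplateName' not found in AD (wrong name, or not replicated yet)."
}
$tpl = ([ADSI]$tplPath).psbase

# Is the template issued? Each CA lists its issued templates in the
# certificateTemplates attribute of its Enrollment Services object.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$searcher.Filter     = '(objectClass=pKIEnrollmentService)'
$issuedBy = @($searcher.FindAll() |
    Where-Object { @($_.Properties['certificatetemplates']) -contains $TemplateName } |
    ForEach-Object { $_.Properties['cn'][0] })

# Who holds the Enroll extended right (Certificate-Enrollment) on the template?
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$enrollers  = $tpl.ObjectSecurity.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $extRight) -and
    ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value }

# Subject type, subject name source and template version from the raw attributes.
$flags     = [int]$tpl.Properties['flags'].Value
$nameFlags = [int]$tpl.Properties['msPKI-Certificate-Name-Flag'].Value

New-Object PSObject -Property @{
    Template        = $TemplateName
    IssuedByCAs     = $issuedBy -join ', '
    EnrollAllowed   = $enrollers -join ', '
    SubjectType     = $(if ($flags -band 0x40) { 'Computer' } else { 'User' })  # CT_FLAG_MACHINE_TYPE
    SupplyInRequest = [bool]($nameFlags -band 0x1)   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    SchemaVersion   = $tpl.Properties['msPKI-Template-Schema-Version'].Value
} | Format-List
```

An empty `IssuedByCAs` value means no CA has the template issued yet; `certutil -CATemplates` run on the CA shows the same list from the CA's side.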