akdreaming asked:
Enterprise Certificate Authority Server

Have built an enterprise CA.  Set up AD Enrollment Policy for a Web Server.  I successfully was able to request 3 certs on a newly built application/web server for my test environment.

Just spun up a new application/web server for my production environment for an upcoming large-scale application upgrade.  When I go to request a new certificate on this newly built application server, I'm not getting the Web Server template to show up under the Request Certificates pane.  It only shows the "Computer" template, which is not what I want.

If I go back out to my TEST server and attempt to request another cert, I can see the Web Server template and corresponding checkbox to select.  Why can't I get this to show on my other server?  If screen shots help, I can provide.  I'm fairly new to certs and how they all work.  

My CA server is a Windows 2008R2 domain controller.
ASKER CERTIFIED SOLUTION
Mahesh
(This solution is only available to members.)
akdreaming (ASKER)
I'll give it a try.
See the attached file.  This is a comparison of what I'm getting on my PROD server versus what I should be seeing, as on my TEST server.

I have also included a screen shot from the properties tab on my CA server.
Comparison.jpg
Security.jpg
Just follow the article provided in the earlier comment and create a duplicate of the web server template.

In your attached screenshot, just navigate to the Certificate Templates folder, where you will find the web server template.
Go to the properties of the web server template and assign the server that requires the certificate Read and Enroll permissions, then issue that template, and then you can find it while requesting a certificate.

Check the article below for how to do that:
http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx

Mahesh
Ok.  Can you quickly explain to me the purpose of creating a duplicate cert?  Won't the one Web server template I already setup work for multiple cert requests?
It is standard process to duplicate the default web server certificate template \ any other template according to your purpose, so that the original can be used as a reference \ template (that is why it is called a template).

If you have already duplicated one, just add the required servers' security permissions to that certificate template so that you can request certificates countlessly.

If you haven't created \ duplicated one yet, please do so now.

Mahesh
Here is what I previously did.  What you are telling me to do seems like more work than I need to do.

1. I created the CA.
2. Created web server template
3. From TEST server, I requested three certs, all via AD Enrollment Policy.  Each of these certs was from the web server template.

What I don't quite understand is why I now need to duplicate my template, so I can make additional requests from other servers, based on that web server template.  I don't want/need another Web server template.  It is built already.  Isn't the purpose of the template and AD enrollment policy so servers can request a cert based off that one single Web server template that I have already spent a considerable amount of time on?

Can you attach a screen shot of the Windows security permissions tab so I can truly see what you are referring to?  Because I can't find anywhere under properties where I can assign other servers as having permissions.  And with this, why did I not have to include security rights for my original TEST server when I requested certificates?  

Again, I am new to certs, so I hope you understand all my questions.
Ok, I have this figured out.  What was getting me was duplicating the already created web server template.  I have already done that, and configured this Web Server template per specs from 3rd party vendor application requirements.  

So, I went into the properties of the existing Web Server template as you stated, Security tab, and then added the actual computer....not the user, but the actual computer account for my PROD application server.  Already listed in here were Authenticated Users, Domain Admins, Enterprise Admins, and another account named "SOA-SAFAPP_TEST$".  I'm very confused about where this account came from.  It was NOT created by me, but yet it is showing up in here.  I have attached a screen shot of how things look.  Is this wrong?  Should I not be adding in single computer accounts here?  I'm a domain admin, so why wouldn't it work since domain admin is already listed there?  Only after I added the computer account do things look like they are going to work.
Security-Tab.jpg
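As an added example, not code from this thread or from Microsoft, the step Mahesh describes above (give the requesting server Read and Enroll on the template, then issue the template) and the change akdreaming ended up making by hand (adding the PROD computer account on the template's Security tab; the trailing `$` on an account name like `SOA-SAFAPP_TEST$` marks a computer account, which is why the TEST server already appeared there). The script uses the RSAT ActiveDirectory module and edits the template's object in the Configuration partition, which is what the Security tab in the Certificate Templates console edits. Template name `WebServerProd` and computer name `PRODAPP01` are placeholders; per Mahesh's advice it should be pointed at a duplicated template, not the built-in one. The GUID is the well-known Certificate-Enrollment extended right.

```powershell
# Added example (not the thread's own code). Requires the RSAT ActiveDirectory
# module and an account allowed to modify the template's ACL (e.g. Enterprise Admins).
Import-Module ActiveDirectory

# Well-known extended-right GUID "Certificate-Enrollment" = the Enroll permission
# shown on a template's Security tab.
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

function Get-CertTemplateObject {
    param([Parameter(Mandatory)][string]$TemplateName)
    # Every enterprise template is an AD object under Public Key Services in the Configuration NC.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $obj = Get-ADObject -SearchBase $base -Filter "name -eq '$TemplateName'" -ErrorAction Stop
    if (-not $obj) { throw "Template '$TemplateName' not found under $base" }
    return $obj
}

function Grant-CertTemplateEnroll {
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$ComputerName   # computer account name, with or without the trailing $
    )
    $template = Get-CertTemplateObject -TemplateName $TemplateName
    # Use the computer account's SID as the ACE identity so the entry survives a rename.
    $sid = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).SID
    $path = "AD:\$($template.DistinguishedName)"
    $acl = Get-Acl -Path $path

    # Read lets the machine see the template; Enroll lets it request a certificate from it.
    $readAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $enrollAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $EnrollRightGuid)

    $acl.AddAccessRule($readAce)
    $acl.AddAccessRule($enrollAce)
    Set-Acl -Path $path -AclObject $acl
}

function Test-CertTemplateEnroll {
    # Returns $true when the computer account itself holds an Allow Enroll ACE on the template.
    # Note: an Enroll grant via a group the computer belongs to also works in practice but is
    # not detected here; this check is deliberately narrow so it matches the thread's scenario.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $template = Get-CertTemplateObject -TemplateName $TemplateName
    $sid = (Get-ADComputer -Identity $ComputerName -ErrorAction Stop).SID
    $acl = Get-Acl -Path "AD:\$($template.DistinguishedName)"
    $mine = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    $enroll = $mine | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight -and
        $_.ObjectType -eq $EnrollRightGuid
    }
    return [bool]$enroll
}

# --- usage (placeholder names) ---
Grant-CertTemplateEnroll -TemplateName 'WebServerProd' -ComputerName 'PRODAPP01'
Test-CertTemplateEnroll  -TemplateName 'WebServerProd' -ComputerName 'PRODAPP01'

# Remaining steps, run on the CA and the client respectively:
#   certutil -SetCATemplates +WebServerProd   # on the CA: publish ("issue") the template
#   certutil -pulse                           # on PRODAPP01: refresh the template cache
```

After the ACL change, the template still has to be issued by the CA (Certificate Templates to Issue in the CA console, or the `certutil -SetCATemplates` line above) before it shows up in the Request Certificates pane, and the client caches the template list, so a `certutil -pulse` or a reboot on the application server may be needed before the checkbox appears.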
On the Certificate Templates folder, right click and click Manage; now go to any template's properties \ Security tab.

It's already shown in the link in my previous comment.

Please read the post carefully; there are some steps you need to do which are mentioned in that post related to duplicating the template.

Please do not use the existing template; create a duplicate and use that.
If you modify the existing template's permissions in the wrong way, you will lose that template completely; that is why it's advisable to duplicate the template.
This is MS best practice.

Mahesh
Solid feedback.  Although I did not create a duplicate cert per the instructions which we obtained from a 3rd party vendor when setting up this application server.  It may be best practice, but I chose to follow the 3rd party vendor instructions.  I guess if we have to change the cert template, then we will have to make the changes, and then request new certs.
If you have purchased a certificate from a 3rd party vendor, then there is no question of duplicating a certificate template.

Certificate templates are only used BY Microsoft based AD integrated internal CA server.
We have our own AD integrated internal CA server.  I created the Web Server template and issued certs directly from the template.
Ok got that

If you want to change the default template properties in the future, then you would go for template duplication.

That's right

Mahesh.