Solved

Enterprise Certificate Authority Server

Posted on 2014-03-27
Last Modified: 2014-03-31
Have built an enterprise CA.  Set up AD Enrollment Policy for a Web Server.  I successfully was able to request 3 certs on a newly built application/web server for my test environment.  

Just spun up a new application/web server for my production environment for an upcoming large-scale application upgrade.  When I go to request a new certificate on this newly built application server, I'm not getting the Web Server template to show up under the Request Certificates pane.  It only shows the "Computer" template, which is not what I want.

If I go back out to my TEST server and attempt to request another cert, I can see the Web Server template and corresponding checkbox to select.  Why can't I get this to show on my other server?  If screen shots help, I can provide.  I'm fairly new to certs and how they all work.  

My CA server is a Windows 2008R2 domain controller.
Question by:akdreaming
13 Comments
 

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39961424
Please check, on the Properties \ Security tab of the respective Web Server template on the CA server, that the required production web server has been granted Read and Enroll certificate security permissions.

Please grant them if they are not granted already, and then run the command below on the CA server and on the web server as well:
certutil -pulse
Then close all open windows \ IE sessions and check again whether you are able to view the new cert on the request page.

Check the article below for how to add security permissions:
http://technet.microsoft.com/en-us/library/ee649187(v=ws.10).aspx

Mahesh.
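The check in the answer above, done from PowerShell instead of the Certificate Templates console. This is an added example for this page, not code from the thread or from Mahesh's answer. It assumes a domain member with ADSI access to the Configuration partition, a template whose object CN is 'WebServer' (the CN of the built-in Web Server template; a duplicated template has whatever CN you gave it), and a hypothetical production server name 'PRODAPP01'. The point it makes concrete is the one that confused the poster later in the thread: a request into the Local Computer store is access-checked against the computer account's token (its own SID plus its group SIDs), not against the logged-on admin's group membership, so Domain Admins on the template does not help a machine request.

```powershell
# Added example (not from the original thread): audit whether a computer account
# holds Read + Enroll on an AD CS certificate template, and optionally grant them.
# Assumptions: ADSI access to the Configuration partition; template CN 'WebServer';
# the server name 'PRODAPP01' is hypothetical. Granting needs write access to the
# template object (typically Enterprise Admins).
param(
    [string]$TemplateName = 'WebServer',
    [string]$ComputerName = 'PRODAPP01',
    [switch]$Grant
)

# Extended-right GUID for Certificate-Enrollment, as published in the AD schema.
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Templates live in the Configuration naming context, shared by every CA in the forest.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC")
try   { $null = $template.psbase.Properties['distinguishedName'].Value }
catch { throw "Template '$TemplateName' not found under $configNC" }

# Resolve the computer account and its tokenGroups. The CA evaluates the requester's
# token; for a machine-store request that is the computer account, not the admin.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
$hit = $searcher.FindOne()
if (-not $hit) { throw "Computer account $ComputerName`$ not found in the domain" }
$computer = $hit.GetDirectoryEntry()
$computer.psbase.RefreshCache(@('tokenGroups'))
$computerSid   = New-Object System.Security.Principal.SecurityIdentifier($computer.psbase.Properties['objectSid'].Value, 0)
$principalSids = @($computerSid) + @($computer.psbase.Properties['tokenGroups'] |
    ForEach-Object { New-Object System.Security.Principal.SecurityIdentifier($_, 0) })

# Walk the template's DACL. Only Allow ACEs are counted here; a Deny ACE naming the
# computer or one of its groups would override and should be inspected separately.
$acl   = $template.psbase.ObjectSecurity
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$hasRead = $false; $hasEnroll = $false
foreach ($rule in $rules) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (-not ($principalSids | Where-Object { $_.Equals($rule.IdentityReference) })) { continue }
    # "Read" on the Security tab is GenericRead, which includes ReadProperty.
    if ($rule.ActiveDirectoryRights -band $Rights::ReadProperty) { $hasRead = $true }
    # "Enroll" is the Certificate-Enrollment extended right; an empty ObjectType
    # (all extended rights, e.g. from Full Control) covers it too.
    if (($rule.ActiveDirectoryRights -band $Rights::ExtendedRight) -and
        ($rule.ObjectType -eq $EnrollRight -or $rule.ObjectType -eq [guid]::Empty)) { $hasEnroll = $true }
}

New-Object PSObject -Property @{
    Template = $TemplateName; Computer = "$ComputerName`$"; Read = $hasRead; Enroll = $hasEnroll
}

if ($Grant -and -not ($hasRead -and $hasEnroll)) {
    # Save the current descriptor as SDDL before changing anything; a wrong edit here
    # is what "losing the template" later in the thread refers to.
    $acl.GetSecurityDescriptorSddlForm('All') | Set-Content "$TemplateName-acl-backup.sddl"
    $allow      = [System.Security.AccessControl.AccessControlType]::Allow
    $readRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($computerSid, $Rights::GenericRead, $allow)
    $enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($computerSid, $Rights::ExtendedRight, $allow, $EnrollRight)
    $acl.AddAccessRule($readRule)
    $acl.AddAccessRule($enrollRule)
    $template.psbase.CommitChanges()
    Write-Host "Granted Read + Enroll on $TemplateName to $ComputerName`$. Run 'certutil -pulse' on that server and retry the request."
}
```

Run it once without -Grant to see whether Read and Enroll are both true for the production server; if the test server reports true and the production server false, the template's DACL is the difference, exactly as the answer says. Granting to a security group that contains the web servers, rather than to individual computer accounts, scales better than the one-off grant shown here. Separately, `certutil -CATemplates` on the CA lists the templates that CA is actually issuing, which is the other reason a template can be missing from the request dialog.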

Author Comment

by:akdreaming
ID: 39962373
I'll give it a try.

Author Comment

by:akdreaming
ID: 39962805
See the attached file.  This is comparison of what I'm getting on my PROD server versus what I should be seeing, as on my TEST server.

I have also included a screen shot from the properties tab on my CA server.
Comparison.jpg
Security.jpg

Expert Comment

by:Mahesh
ID: 39962819
Just follow the article provided in the earlier comment and create a duplicate of the Web Server template.

In your attached screenshot, just navigate to the Certificate Templates folder, where you will find the Web Server template.
Go to the properties of the Web Server template, assign Read and Enroll permissions to the server that requires the certificate, and then issue that template; you will then find it when requesting a certificate.

Check the article below for how to do that:
http://blogs.technet.com/b/askds/archive/2010/05/27/designing-and-implementing-a-pki-part-iii-certificate-templates.aspx

Mahesh

Author Comment

by:akdreaming
ID: 39962840
Ok.  Can you quickly explain to me the purpose of creating a duplicate cert?  Won't the one Web Server template I already set up work for multiple cert requests?

Expert Comment

by:Mahesh
ID: 39962850
It is standard process to duplicate the default Web Server certificate template \ any other template according to your purpose, so that the original can be used as a reference \ template (that is why it is called a template).

If you have already duplicated one, just add the required servers' security permissions to that certificate template so that you can request certificates countlessly.

If you haven't created \ duplicated one yet, please do so now.

Mahesh

Author Comment

by:akdreaming
ID: 39962866
Here is what I previously did.  What you are telling me to do seems like more work than I need to do.

1. I created the CA.
2. Created web server template
3. From TEST server, I requested three certs, all via AD Enrollment Policy.  Each of these certs was from the web server template.

What I don't quite understand is why I now need to duplicate my template, so I can make additional requests from other servers, based on that web server template.  I don't want/need another Web server template.  It is built already.  Isn't the purpose of the template and AD enrollment policy so servers can request a cert based off that one single Web server template that I have already spent a considerable amount of time on?

Can you attach a screen shot of the Windows security permissions tab so I can truly see what you are referring to?  Because I can't find anywhere under properties where I can assign other servers as having permissions.  And with this, why did I not have to include security rights for my original TEST server when I requested certificates.  

Again, I am new to certs, so I hope you understand all my questions.

Author Comment

by:akdreaming
ID: 39962896
Ok, I have this figured out.  What was getting me was duplicating the already created web server template.  I have already done that, and configured this Web Server template per specs from 3rd party vendor application requirements.  

So, I went into properties of existing Web Server template as you stated, Security tab, and then added the actual computer....not the user, but the actual computer account for my PROD application server.  Already listed in here were Authenticated Users, Domain Admins, Enterprise Admins, and another account named "SOA-SAFAPP_TEST$".  I'm very confused on where this account came from.  It was NOT created by me, but yet it is showing up in here.  I have attached screen shot of how things look.  Is this wrong?  Should I not be adding in single computer accounts here?  I'm a domain admin, so why wouldn't it work since domain admin is already listed there?  Only after I added the computer account do things look like they are going to work.
Security-Tab.jpg

Expert Comment

by:Mahesh
ID: 39962897
On the Certificate Templates folder, right-click and click Manage; now go to any template's properties \ Security tab.

It's already shown in the link in my previous comment.

Please read the post carefully; there are some steps you need to do which are mentioned in that post related to duplicating the template.

Please do not use the existing template; create a duplicate and use that.
If you modify the existing template's permissions in the wrong way, you will lose that template completely; that is why it is advisable to duplicate the template.
This is MS best practice.

Mahesh

Author Closing Comment

by:akdreaming
ID: 39966939
Solid feedback.  Although I did not create a duplicate cert per the instructions which we obtained from a 3rd party vendor when setting up this application server.  It may be best practice, but I chose to follow the 3rd party vendor instructions.  I guess if we have to change the cert template, then we will have to make the changes, and then request new certs.

Expert Comment

by:Mahesh
ID: 39967101
If you have purchased the certificate from a 3rd party vendor, then there is no question of duplicating the certificate template.

Certificate templates are only used BY a Microsoft-based, AD-integrated internal CA server.

Author Comment

by:akdreaming
ID: 39967215
We have our own AD-integrated internal CA server.  I created the Web Server template and issued certs directly from the template.

Expert Comment

by:Mahesh
ID: 39967225
Ok, got that.

If you wanted to change the default template properties in future, then you would go for template duplication.

That's right.

Mahesh.