Solved

Microsoft Certificate Authority - New Template for VMware vSphere SSL Certificates

Posted on 2015-01-05
Last Modified: 2015-01-18
Unable to issue/enable new template. Newly created template does not appear.

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2062108

Doesn't appear to be a replication issue. All domain controllers have the newly created template. Adequate time has passed.

The newly created template is a duplicate of the default Web Server template with some modifications per VMware KB 2062108.

"Supply in the request" yes

"Enroll allow permissions" yes

Windows Server 2012 R2

Any and all input appreciated.

Thank you,

Caleb Meadows
0
Comment
Question by:CogentCoIT
7 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 40532855
What are you expecting? The web template is not available for auto-enroll.

You can use the certsrv URL to submit the CSR for signature.

I guess I am missing what you are asking.
Replication has nothing to do with CA templates unless these DCs are subordinate/issuing CAs.
0
 

Author Comment

by:CogentCoIT
ID: 40533708
Thank you for your prompt response Arnold. My apologies if I was not clear. Please see attached PDF document that includes screenshots.

After duplicating the Web Server template to create the VMware-SSL template including the modifications requested by VMware per:

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2062108

The newly created VMware-SSL template does not appear in the list to be enabled on the certificate authority.

In addition, the newly created VMware-SSL certificate is not an available template to choose from the certsrv URL.

I'm following this article to issue Microsoft CA signed certificates to my VMware vSphere environment.

http://theithollow.com/2014/08/create-vmware-ssl-certificate-requests/#comment-22551
Experts-Exchange.pdf
0
 
LVL 78

Expert Comment

by:arnold
ID: 40533749
What name did you give this template?  
Might you have overwritten the default web server template?


If you go back to the certtemplate MMC, do you see the vmware template listed there?
0

 

Author Comment

by:CogentCoIT
ID: 40533756
What name did you give this template?  VMware-SSL

Might you have overwritten the default web server template? Not a chance
0
 
LVL 78

Expert Comment

by:arnold
ID: 40533781
Is the template listed in the template creation interface?
Check the properties of the newly created template. Permissions.
Not sure what is preventing it from being displayed; see if refreshing the list or loading the certca MMC anew will reflect the newly created template in the manage section.
0
 

Accepted Solution

by:
CogentCoIT earned 0 total points
ID: 40547486
Known bug/fix identified by Microsoft support:

From a domain controller, launch ADSIEdit.msc, then expand CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services. Right-click the CA in the right pane that you want to enroll from and click Properties. Find the flags attribute and verify that it is set to 10. If it isn't set to 10, then set it to 10 using ADSIEdit.msc and allow for Active Directory replication to complete.
0
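
Added example (not part of the original thread, and not Microsoft's or VMware's own script): a read-only PowerShell audit of the same Enrollment Services objects the accepted solution edits in ADSIEdit, reporting each CA's flags value and whether the template is published on it. It assumes the ActiveDirectory module (RSAT) is installed and that the template's cn matches the name given in the thread, VMware-SSL; the variable names are illustrative.

```powershell
# Added example: audit the "flags" attribute described in the accepted solution.
# Read-only unless the remediation lines at the bottom are uncommented.
Import-Module ActiveDirectory

$ExpectedFlags = 10            # value stated in the accepted solution
$TemplateName  = 'VMware-SSL'  # template name from this thread (assumed to be its cn)

# Build the path the answer walks through in ADSIEdit:
# CN=Configuration | CN=Services | CN=Public Key Services
$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Confirm the template object itself exists in the Configuration partition.
$template = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
if (-not $template) {
    Write-Warning "Template '$TemplateName' not found under CN=Certificate Templates."
}

# 2. Inspect every CA registered under CN=Enrollment Services.
$report = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties flags, certificateTemplates, dNSHostName |
    ForEach-Object {
        [pscustomobject]@{
            CA                = $_.Name
            Host              = $_.dNSHostName
            Flags             = $_.flags
            FlagsOk           = ($_.flags -eq $ExpectedFlags)
            # certificateTemplates lists the templates this CA is set to issue
            TemplatePublished = ($_.certificateTemplates -contains $TemplateName)
            DistinguishedName = $_.DistinguishedName
        }
    }

$report | Format-Table CA, Host, Flags, FlagsOk, TemplatePublished -AutoSize

# 3. Optional remediation, equivalent to the ADSIEdit step. Left commented out
#    and with -WhatIf so nothing changes until it is deliberately enabled.
# $report | Where-Object { -not $_.FlagsOk } | ForEach-Object {
#     Set-ADObject -Identity $_.DistinguishedName `
#         -Replace @{ flags = $ExpectedFlags } -WhatIf
# }
```

Running the same query against each domain controller with `-Server` shows whether the change has replicated, which the accepted solution says to wait for.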
 

Author Closing Comment

by:CogentCoIT
ID: 40556001
Known bug; however, Microsoft has failed to publish a KB article in relation to this specific issue and fix.
0
