Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PKI Template has been configured but not being deployed ?

Posted on 2015-01-30
1
Medium Priority
?
144 Views
Last Modified: 2015-02-12
Hi Everyone,

I have deployed a 3-tier PKI infrastructure in a Windows 2008 R2 envinronment.  There is a GPO in place for auto-enrollement of certigicates via a GPO.  Attached to the GPO is a security filter which has a group that only contains computer objects to deploy certificates to. I have copied the Computer template, duplicated and called 'Test AE'.  When I open the certificate on the test server, the 'Geneeral' tab displays the purpose of the certificate as 'All applications policies'.  If I click on the 'Details' tab and scroll down, where it details 'Certificate Template Name' the value is SubCA.  I expect the 'Certificate Template Name' to be 'Test AE' ?  

In the AD CS management console under 'Certificate Templatres' it does have the 'Test AE' displayed.  Also, the template on the security setting has the group I associated in AD to the GPO.  I have the group with 'Read','Enroll' and 'Autoenroll' configured.

Does anyone have any ideas as to why this is happening ?
0
Comment
Question by:CaussyR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 37

Accepted Solution

by:
Mahesh earned 2000 total points
ID: 40579600
The certificate you seen is from subordinate CA and I don't think it is got deployed through GPO
Delete that cert from test server and run gpupdate /force again to see what certificate is getting installed

do not duplicate computer certificate, it is default certificate template
U can directly use it via GPO, in GPO, under "computer configuration\policies\windows settings\security settings\ public key policies" enable certificate enrollment and auto enrollment
Then navigate to automatic certificate request settings and add "computer" certificate template there which will take care of auto enrollment
https://technet.microsoft.com/en-us/library/dd379529(v=ws.10).aspx

If you wanted just client authentication, do above auto enrollment settings in policy and duplicate workstation authentication certificate and check if it works
Because computer template contains both server authentication and client authentication
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The well known Cerber ransomware continues to spread this summer through spear phishing email campaigns targeting enterprises. Learn how it easily bypasses traditional defenses - and what you can do to protect your data.
Know the reasons and solutions to move/import EDB to New Exchange Server. Also, find out how to recover an Exchange .edb file and to restore the file back.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question