• Status: Solved

Certificate Request doesn't sit in pending folder

We have a certificate authority server on Windows 2016. After I created a web server certificate request from my web server and submitted it to the CA, the certificate was issued right away, and the CR didn't sit in the pending folder and wait for issuing.

Thank you so much for your help in advance.

Asked by: EnjoyNet
1 Solution
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Yes, that's right.

Oh wait.  Presumably that isn't the desired behaviour?  You want to approve those certificates before they're issued?
Go into the Certificate Templates console... (should be able to right click Certificate Templates, and manage.)  Select the template you want a manager to approve before issuing, go to the 'Issuance Requirements' and check "CA certificate manager approval".

If you're using the quick task to issue a domain certificate from within IIS, it's apparently hard-coded to use the Web Server template... and that is likely stuck at template Schema Version 1, and that won't support the Issuance Requirements.  You'll want to make a copy of the Web Server template for your environment, and promote it to a newer version... which also means you won't be able to use the task within IIS to use that template either.
 
EnjoyNet (Author) Commented:
Thank you for your advice.  I didn't see 'Issuance Requirement' either by right-clicking the template or in its properties.  Please help.
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
What Schema Version is the template?  That should be on display in the center panel of the Certificate Template Console.  I suspect/assume it'll be Schema Version 1.
If that is the case, make a copy of the template (right click, 'Duplicate Template') so we don't mess up your original template.  Just making the duplicate should at least bring that template up to version 2, which will have the Issuance Requirements.  Once you have that template set up the way you want, don't forget in the Certificate Authority console, right click the Certificate Template, NEW, Certificate Template to Issue, and add the new template to your server.
 
EnjoyNet (Author) Commented:
I was able to duplicate the template.  But while submitting the request, there are only two templates to choose from: one is User and the other one is Basic EFS.  I didn't see the one I duplicated.  Thank you for your help again.
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
*nod*  Go back to the Certificate Template Manager, in the properties on the certificate template you created, go to the security tab, and grant at least Read and Enroll permissions to you (Authenticated User, if that's what you want) (if you're creating the certificate as your user identity), or to your computer/server (if you're creating a certificate as the local machine.)
 
EnjoyNet (Author) Commented:
The certificate template I duplicated doesn't show in the list of Certificate Template after I gave both my login account and Authenticated User account a full right.  Please advise.
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
In the Certificate Authority console, right click the 'Certificate Templates' folder, 'New', 'Certificate Template to Issue', and select your new template.
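The checks discussed in the answers above (schema version, "CA certificate manager approval", Read/Enroll permissions, and "Certificate Template to Issue") can be confirmed in one pass. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is installed, that it runs on the CA server, and that `WebServerApproval` is a hypothetical name for the duplicated template.

```powershell
# Added example (not from the thread). Run on the CA server with RSAT AD tools.
# 'WebServerApproval' is a hypothetical template name (the CN, not the display name).
Import-Module ActiveDirectory

$TemplateName = 'WebServerApproval'

# Certificate templates are stored in the forest's Configuration partition.
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props    = 'msPKI-Template-Schema-Version', 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag'
$t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" -Properties $props
if (-not $t) { throw "Template '$TemplateName' not found under $base" }

$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # "CA certificate manager approval"
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # subject "Supply in the request"

# Templates published on this CA; certutil prints "<name>: <display name> ..." per line.
$published = certutil -CATemplates | ForEach-Object { ($_ -split ':')[0].Trim() }

# Enroll is an extended right on the template ACL; also list Full Control holders.
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
$enrollers = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights.HasFlag($genericAll) -or $_.ObjectType -eq $enrollGuid)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

[pscustomobject]@{
    Template          = $t.Name
    SchemaVersion     = $t.'msPKI-Template-Schema-Version'
    ManagerApproval   = [bool]($t.'msPKI-Enrollment-Flag' -band $CT_FLAG_PEND_ALL_REQUESTS)
    RequesterSubject  = [bool]($t.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    PublishedOnThisCA = $published -contains $TemplateName
    CanEnroll         = $enrollers -join '; '
}
```

A template that reports `RequesterSubject = True` together with `ManagerApproval = False` and a broad `CanEnroll` list lets any of those principals obtain a certificate for a subject of their choosing without review.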
 
EnjoyNet (Author) Commented:
It works.  Thank you so much.   After the certificate was issued, I opened it but I found that valid time is only two years.  I created it and changed it from 5 to 10 years.  Could you please advise again?
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Sure thing.  I ran into this as I tried to issue extended life certificates for an issuing subordinate CA.
Keep in mind that any certificates issued by a CA cannot have an expiration date after the certificate authority's certificate expiration.   I assume you aren't running into that.
I'm also assuming Server 2016 hasn't changed the registry values... this article gives instructions on issuing certificates with expirations out longer than two years... but was written for 2003/2008... but is the same in 2012.
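The three limits mentioned in this answer and the question before it (template validity, the CA's registry cap, and the CA certificate's own expiry) can be compared directly; the earliest one wins. This is an added example, not from the original thread; it assumes an elevated prompt on the CA server and uses the standard `ValidityPeriod` / `ValidityPeriodUnits` values under the CertSvc configuration key, which the thread itself does not name.

```powershell
# Added example (not from the thread). Run elevated on the CA server.
$TemplateYears = 10   # validity configured on the duplicated template (value from the thread)

# The CA's issuance cap is stored under its configuration key; 'Active' names the CA.
$cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $cfg).Active
$ca     = Get-ItemProperty -Path (Join-Path $cfg $caName)

$now    = Get-Date
$units  = $ca.ValidityPeriodUnits
$capEnd = switch ($ca.ValidityPeriod) {
    'Years'  { $now.AddYears($units) }
    'Months' { $now.AddMonths($units) }
    'Weeks'  { $now.AddDays(7 * $units) }
    'Days'   { $now.AddDays($units) }
    default  { throw "Unexpected ValidityPeriod '$($ca.ValidityPeriod)'" }
}

# Export the CA certificate to read its own expiry date.
$tmp = Join-Path $env:TEMP 'ca-cert-check.cer'
certutil -f -ca.cert $tmp | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp

# The issued certificate gets the earliest of the three end dates.
$limits = @(
    [pscustomobject]@{ Limit = 'Template validity';     NotAfter = $now.AddYears($TemplateYears) }
    [pscustomobject]@{ Limit = "CA registry cap ($units $($ca.ValidityPeriod))"; NotAfter = $capEnd }
    [pscustomobject]@{ Limit = 'CA certificate expiry'; NotAfter = $caCert.NotAfter }
) | Sort-Object NotAfter
$limits | Format-Table -AutoSize
"A certificate issued now would expire $($limits[0].NotAfter), bound by: $($limits[0].Limit)"

# To raise the registry cap without regedit, then restart the CA service:
#   certutil -setreg CA\ValidityPeriodUnits 10
#   certutil -setreg CA\ValidityPeriod Years
#   Restart-Service certsvc
```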
 
EnjoyNet (Author) Commented:
It works after I changed it in regedit.  The last issue I need your help with is "Issue To" on the certificate: My Name.  How can I change it to IT or something else?

I really appreciate your help.
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
I believe that is the certificate subject, if I'm remembering correctly.  For many of the templates, the value is auto-assigned based on the settings in the template.  (And it'll be you because you're issuing the certificate under your credentials.  If you were to use the local machine to request a certificate, it would likely be the machine's identity.)  There are some certificates for which the subject can be specified/built within the MMC while generating the request.  For certificates which allow the subject to be defined by the requester, you can also use the command line tools and an inf file to define the subject.  But you'll want to be careful as you modify the Issue To/Subject, because it defines the identity of the entity which holds the private key.  When you sign the certificate, you're basically saying that you're certifying that the holder of the certificate IS the entity in the Issue To field.
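The command-line route mentioned in this answer (an inf file plus `certreq`) looks like the following when the template requires manager approval. This is an added example, not from the original thread; it assumes the template allows the subject to be supplied in the request, and `WebServerApproval` and `CN=www.example.test` are hypothetical placeholders.

```powershell
# Added example (not from the thread). Run elevated on the web server.
$Template = 'WebServerApproval'      # hypothetical duplicated template (CN)
$Subject  = 'CN=www.example.test'    # hypothetical; must name the host that holds the key
$work     = Join-Path $env:TEMP 'webreq'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# The inf file defines the subject and key properties of the request.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject       = "$Subject"
KeyLength     = 2048
KeySpec       = 1
Exportable    = FALSE
MachineKeySet = TRUE
RequestType   = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$work\request.inf" -Encoding ASCII

# Generate the key pair and the request; the private key stays in the machine store.
certreq -new "$work\request.inf" "$work\request.req"

# Review the subject the CA manager will be asked to vouch for before submitting.
certutil -dump "$work\request.req" | Select-String 'Subject:' -Context 0,2

# Submit (prompts for the CA). With manager approval enabled, certreq reports the
# request as pending and prints a RequestId instead of writing the certificate.
certreq -submit "$work\request.req" "$work\cert.cer"

# After a CA manager issues it from Pending Requests, fetch and install it:
#   certreq -retrieve <RequestId> "$work\cert.cer"
#   certreq -accept "$work\cert.cer"
```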
 
EnjoyNet (Author) Commented:
Thank you so much for your help.  You are really a CA expert.
 
EnjoyNet (Author) Commented:
I don't know somehow I saw 0 points to give him.  I want to give him a max point for his help.  How can I do?  Thanks
 
EnjoyNet (Author) Commented:
I think he gets 1000 points.  Thanks