Certificate Authority - Custom Temp not showing up. W2k8R2ent
Hi Guys, couldn't see a forum for CA so I had to post it here. Hopefully it's the right place. (Server is a test domain, one single AD, no replication. Running Win 2k8 R2 Enterprise.)

So here's the issue: I am trying to create and export certificates for other users (EOBO). It works fine. But I want to do this through certreq, and in order to do that I have to create a custom cert, which I did by duplicating the User template. On the new template CopyOfUser I changed (or confirmed) the following settings:

  General tab: Publish cert in Active Directory
  Request Handling: Allow private key to be exported & Enroll subject without requiring any input
  Security: I am logged in as domain administrator and it has Read/Write/Enroll
  Issuance Requirements: This number of authorized signatures = 1 & Application Policy & Client Authentication
  Subject Name: Build from AD (Fully distinguished name); selected boxes: Include email name / Email name / UPN

Now the problem is I cannot see the custom template under Enable Certificate Templates. I am very new to CA so I am sure I am missing something or doing something wrong. Would love some help.
October 21st, 2011 1:16pm

Can you see any other v2 or v3 (custom) templates (the Workstation Authentication template is a v2 template)? If you cannot see any v2 templates, try the following commands:

  certutil -setreg ca\setupstatus +512
  net stop certsvc & net start certsvc

/Hasain
October 21st, 2011 1:30pm

Hi,

The users or computer objects for which you want to issue the certificate must be included in the certificate's permissions (right click on the template > Properties > Security).

After you create a custom template you must also make it available for enrollment. Go to [MMC > Certificate Authority snap-in > <nameOfYourCA> > Certificate Templates > right click > New > Certificate Template to Issue] and select the certificate you want to make available. Restart the CA.

What error do you get when you want to issue the certificate with certreq? What error do you get?

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 1:40pm

I really don't know how to check the versions. So I ran the command anyhow; below is the result.

  Old Value:
    SetupStatus REG_DWORD = 1
      SETUP_SERVER_FLAG -- 1
  New Value:
    SetupStatus REG_DWORD = 201 (513)
      SETUP_SERVER_FLAG -- 1
      SETUP_UPDATE_CAOBJECT_SVRTYPE -- 200 (512)
  CertUtil: -setreg command completed successfully.

And restarted the services. And went into the CA to enable the template and I still cannot see it.

===============

Alright, so when I do "show all templates" from the EOBO wizard I see the following information:

  Status: Unavailable
  CopyofUser: The template is missing a required signature policy attribute. You do not have permission to view this type of certificate.

================

I am logged in as domain\administrator.
October 21st, 2011 1:40pm

> > Subject Name : Build from AD (Fully Distinguished name)
>
> AFAIK you need to switch it to "Supply in request".
>
> My weblog: http://en-us.sysadmins.lv
> PowerShell PKI Module: http://pspki.codeplex.com
> Windows PKI reference: on TechNet wiki

Changed it to Supply in Request and restarted services. Still doesn't show up in Enable Cert.
October 21st, 2011 1:49pm

> Hi,
>
> The users or computer objects for which you want to issue the certificate must be included in the certificate's permissions (right click on the template > Properties > Security).
>
> After you create a custom template you must also make it available for enrollment. Go to [MMC > Certificate Authority snap-in > <nameOfYourCA> > Certificate Templates > right click > New > Certificate Template to Issue] and select the certificate you want to make available. Restart the CA.
>
> What error do you get when you want to issue the certificate with certreq? What error do you get?
>
> Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
> Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
> NetShell Services & Solutions | “Design the future with simplicity and elegance”
> Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com

Alright, so I created the duplicate cert from the User template. In the Security tab for the custom template I have Authenticated Users there with Read/Enroll and I gave them Autoenroll as well, thinking that might be it. Problem is I cannot make that template available. I do not see it here: [MMC > Certificate Authority snap-in > <nameOfYourCA> > Certificate Templates > right click > New > Certificate Template to Issue] and select the certificate you want to make available. Restart the CA.
October 21st, 2011 1:59pm

Hi,

Do you not find the option, or do you not see the template in the list of templates when you navigate to the option below?

[MMC > Certificate Authority snap-in > <nameOfYourCA> > Certificate Templates > right click > New > Certificate Template to Issue] and select the certificate you want to make available. Restart the CA.

You will not have this option if you are running the CA on Windows Server 2008 Standard Edition or if you have selected Standard CA during setup. Have you selected Enterprise CA during the Role wizard setup?

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 2:05pm

> Hi,
>
> Do you not find the option, or do you not see the template in the list of templates when you navigate to the option below?
>
> [MMC > Certificate Authority snap-in > <nameOfYourCA> > Certificate Templates > right click > New > Certificate Template to Issue] and select the certificate you want to make available. Restart the CA.
>
> You will not have this option if you are running the CA on Windows Server 2008 Standard Edition or if you have selected Standard CA during setup. Have you selected Enterprise CA during the Role wizard setup?
>
> Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
> Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
> NetShell Services & Solutions | “Design the future with simplicity and elegance”
> Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com

Well, I don't see it in the list to enable the custom certificate. I really don't remember, but I believe it's Enterprise, as I can see from Server Manager (Active Directory Certificate Services - Enterprise PKI).
October 21st, 2011 2:09pm

Hi,

Run [certutil -CAInfo] and check the [CA Type]. What does it say?

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 2:11pm

> Hi,
>
> Run [certutil -CAInfo] and check the [CA Type]. What does it say?
>
> Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
> Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
> NetShell Services & Solutions | “Design the future with simplicity and elegance”
> Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com

  CA type: 0 -- Enterprise Root CA
    ENUM_ENTERPRISE_ROOTCA -- 0
  CA cert count: 1
October 21st, 2011 2:15pm

Hi,

I think your problem is the setting:
----------------
Issuance Req: This number of authorized signatures = 1 & Application Policy & Client Authentication.
----------------

Start by duplicating a default template. Just duplicate it, do not make any changes. Take the “Web Server” default template. Duplicate it. Try to see if you are going to see it under [Certificate Templates > right click > New > Certificate Template to Issue].

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 2:23pm

> Hi,
>
> I think your problem is the setting:
> ----------------
> Issuance Req: This number of authorized signatures = 1 & Application Policy & Client Authentication.
> ----------------
>
> Start by duplicating a default template. Just duplicate it, do not make any changes. Take the “Web Server” default template. Duplicate it. Try to see if you are going to see it under [Certificate Templates > right click > New > Certificate Template to Issue].
>
> Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
> Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
> NetShell Services & Solutions | “Design the future with simplicity and elegance”
> Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com

Just tried that; it doesn't show up either. Steps I did:

  - Duplicated the "Web Server" template. Didn't change anything.
  - Went to see if I can enable the duplicate template, and it's not showing in the list.
  - I created another duplicate and changed the setting inside to publish in Active Directory. Same issue, doesn't show up in the list.

Note: When I duplicate it prompts me for Windows 2003 or Windows 2008 versions. I created two, one for 2003 and one for 2008; none of them came up.
October 21st, 2011 2:32pm

Hi,

I’d suggest, if the steps below don’t help, to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 Standard) of Windows and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:

Open ADUC and navigate to [Builtin > Users > Properties > Members] and make sure the following security groups are present:
  - Authenticated Users
  - Domain Users
  - Interactive

Open ADSI Edit and navigate to [Domain naming context > DC=<DomainName>,DC=<DomainName> > CN=Users > CN=Cert Publishers > Properties > Security] and give [Read] and [Write] permissions to the [Authenticated Users] group. Restart the CA.

Check permissions on the CA: open the [Certificate Authority] console, right click on [Properties > Security] and add the following permissions:
  [Authenticated Users]   [V] Request Certificates
  [Domain Admins]         [V] Read  [V] Issue and Manage Certificates  [V] Manage CA  [V] Request Certificates
  [Enterprise Admins]     [V] Issue and Manage Certificates  [V] Manage CA
  [Administrators]        [V] Issue and Manage Certificates  [V] Manage CA  [V] Request Certificates
  [Domain Controllers]    [V] Read  [V] Issue and Manage Certificates  [V] Manage CA  [V] Request Certificates
  [Domain Computers]      [V] Read  [V] Request Certificates

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 2:48pm

Before digging deep into the troubleshooting suggestions by Spas Kaloferov, please note that adding/publishing a template to an enterprise CA does not involve DCOM or certificate publisher settings and permissions. The minimum requirements are that the CA server has Read permission on the template itself and that the operating system version of the CA server is either 2003 Ent Ed, 2008 Ent Ed or 2008R2 Std Ed.

/Hasain
October 21st, 2011 3:14pm

Can you describe more about your setup? Is the CA installed on the same server as your DC or do you have different servers? /Hasain
October 21st, 2011 3:17pm

Hi,

What do both of these options say: Certificate Authority snap-in > CertificateAuthorityName > right click > Properties:
  a) Certificate Managers
  b) Enrollment Agents

If enabled, try setting them to "Do not restrict ..." and restart the CA.

Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
October 21st, 2011 3:26pm

> Can you describe more about your setup? Is the CA installed on the same server as your DC or do you have different servers?
>
> /Hasain

Well, it's a test domain. I have it set up with one server (AD / ADCS / Exchange 2010); everything is on one server and no replication is involved. Setup is pretty much out of the box with next-next-next stuff. I can do the enroll on behalf of just fine for other users. I can get certs with the private key exported. All I need now is to try the EOBO manually; for that it's suggested that you create a template.
October 21st, 2011 3:30pm

Can you confirm the version of the CA server operating system is 2008R2 Enterprise Edition? Can you provide the output of the command:

  certutil -adtemplate

Can you try to add/publish the template named "Workstation Authentication" to your CA?

/Hasain
October 21st, 2011 3:46pm

CA installed on Windows 2008 R2 Enterprise SP1. I do not see Workstation Authentication either on the enable template list. I see "access denied", which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator. I am leaning towards bad configuration or wrong initial setup.

============================================
C:\Users\Administrator>certutil -adtemplate
Administrator: Administrator -- Auto-Enroll: Access is denied.
CA: Root Certification Authority -- Auto-Enroll: Access is denied.
CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
ClientAuth: Authenticated Session -- Auto-Enroll: Access is denied.
CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
Copy of User: Copy of User -- Auto-Enroll
Copy of Web Server: Copy of Web Server -- Auto-Enroll: Access is denied.
CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.
CTLSigning: Trust List Signing -- Auto-Enroll: Access is denied.
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EnrollmentAgent: Enrollment Agent -- Auto-Enroll: Access is denied.
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
ExchangeUser: Exchange User -- Auto-Enroll: Access is denied.
ExchangeUserSignature: Exchange Signature Only -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied.
KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
KeyRecoveryAgent: Key Recovery Agent -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
MachineEnrollmentAgent: Enrollment Agent (Computer) -- Auto-Enroll: Access is denied.
OCSPResponseSigning: OCSP Response Signing -- Auto-Enroll: Access is denied.
OfflineRouter: Router (Offline request) -- Auto-Enroll: Access is denied.
RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
SmartcardLogon: Smartcard Logon -- Auto-Enroll: Access is denied.
SmartcardUser: Smartcard User -- Auto-Enroll: Access is denied.
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
UserSignature: User Signature Only -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Workstation: Workstation Authentication -- Auto-Enroll: Access is denied.
CertUtil: -ADTemplate command completed successfully.
============================================
October 21st, 2011 4:02pm

On Fri, 21 Oct 2011 19:55:33 +0000, EvilWasp wrote:

> I do not see Workstation Authentication either on the enable template list. I see "access denied", which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator. I am leaning towards bad configuration or wrong initial setup.
>
> ============================================
> C:\Users\Administrator>certutil -adtemplate

Have you by any chance removed the Authenticated Users Read permission from your certificate templates? If so, then you either need to add that back, or add READ for the CA's computer account to all of the templates.

Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
One person's error is another person's data.
October 21st, 2011 4:51pm
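The two checks that keep coming up in this thread are the template schema version (Hasain's v1/v2/v3 question, which the original poster did not know how to answer) and whether the CA can actually read the template object in AD (Hasain's and Paul Adare's point about Authenticated Users or the CA computer account holding Read). The script below is an added example, not code from the thread or from any of the posters; it lists every template in the forest with its msPKI-Template-Schema-Version and reports whether Authenticated Users or the CA's computer account holds Read on it. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that it is run on the CA server itself, so that $env:COMPUTERNAME is the CA's computer name. Note that the "Auto-Enroll: Access is denied" text in certutil -adtemplate output only reports whether the current user holds the Autoenroll right, which is a different permission from the Read right the CA needs.

```powershell
# Added example (not from the thread). Lists certificate templates with their
# schema version (1 = built-in v1, 2 = "Windows Server 2003" v2,
# 3 = "Windows Server 2008" v3) and whether an identity the enterprise CA reads
# templates as (Authenticated Users or the CA's own computer account) holds
# Read on the template object in the Configuration partition.
# Assumptions: ActiveDirectory module (RSAT) present; run on the CA server.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplDN   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Either of these identities holding Read is enough for the CA to load the template.
$caAccount = "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # assumption: this host is the CA
$readers   = @('NT AUTHORITY\Authenticated Users', $caAccount)
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$templates = Get-ADObject -SearchBase $tmplDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "pKICertificateTemplate"' `
    -Properties displayName, 'msPKI-Template-Schema-Version'

$report = foreach ($t in $templates) {
    # The AD: PSDrive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"

    # Allow ACEs for one of the reader identities that include ReadProperty
    # (GenericRead, the default grant for Authenticated Users, includes it).
    $readAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $readers -contains $_.IdentityReference.Value -and
        (($_.ActiveDirectoryRights -band $readRight) -ne 0)
    }

    [pscustomobject]@{
        Template      = $t.Name
        DisplayName   = $t.displayName
        SchemaVersion = $t.'msPKI-Template-Schema-Version'
        CACanRead     = [bool]$readAces
        ReadGrantedTo = ($readAces.IdentityReference.Value | Sort-Object -Unique) -join '; '
    }
}

# Templates with CACanRead = False are the ones an enterprise CA will not list
# under "Certificate Template to Issue", regardless of their other settings.
$report | Sort-Object CACanRead, SchemaVersion, Template | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the CA as a user who can read the Configuration partition (any domain user can by default). A duplicated template that shows SchemaVersion 2 or 3 but CACanRead False is the case Paul Adare describes: restore Read for Authenticated Users on the template, or grant Read to the CA's computer account, then restart certsvc and check the "Certificate Template to Issue" list again.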

Hi,

Have you checked the above?

Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
October 22nd, 2011 5:35pm

> Hi,
>
> What do both of these options say: Certificate Authority snap-in > CertificateAuthorityName > right click > Properties:
>   a) Certificate Managers
>   b) Enrollment Agents
>
> If enabled, try setting them to "Do not restrict ..." and restart the CA.
>
> Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
> Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
> NetShell Services & Solutions | “Design the future with simplicity and elegance”
> Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com

When I do Properties I don't see any of them. I see the following tabs: General - Policy Module - Exit Module - Extensions - Storage - Auditing - Security. Let me know how I can check it.
October 24th, 2011 11:04am

> On Fri, 21 Oct 2011 19:55:33 +0000, EvilWasp wrote:
>
> > I do not see Workstation Authentication either on the enable template list. I see "access denied", which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator. I am leaning towards bad configuration or wrong initial setup.
> >
> > ============================================
> > C:\Users\Administrator>certutil -adtemplate
>
> Have you by any chance removed the Authenticated Users Read permission from your certificate templates? If so, then you either need to add that back, or add READ for the CA's computer account to all of the templates.
>
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> One person's error is another person's data.

Never moved Authenticated Users, just added AutoEnroll to it. Now the setting for Authenticated Users security is Read / Enroll / AutoEnroll.
October 24th, 2011 11:31am

Hi,

I would suggest, as it would be easier and quicker, to start from scratch and keep in mind the above suggestions. And most of all, do not make any CA tweaks or advanced configurations before being sure the default setup works as expected.

Best Regards, Spas Kaloferov [ MCITP: SA6 | EA6 | VA7 | EDA7 | DBA10 | DBD10 | BID10 | EMA14 | SPA14 ]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
October 24th, 2011 1:25pm
