Certificate Authority - Custom Temp not showing up. W2k8R2ent
Hi Guys,
Couldn't see a forum for CA so I had to post it here. Hopefully it's the right place.
(Server is a test domain, one single AD, no replication. Running Win 2k8 R2 Enterprise.)
So here's the issue: I am trying to create and export certificates for other users (EOBO).
It works fine. But I want to do this through certreq, and in order to do that I have to create a custom cert, which I did by duplicating the User template.
On the new template CopyOfUser I changed (or confirmed) the following settings:
General tab = Publish Cert in Active Directory
Request Handling = Allow private key to be exported & Enroll subject without requiring any input
Security: I am logged in as domain administrator and it has Read/Write/Enroll
Issuance Req: This number of authorized signatures = 1
& Application Policy: Client Authentication.
Subject Name: Build from AD (Fully distinguished name)
Selected boxes: Include email name / Email name / UPN
Now the problem is I cannot see the custom template under Enable Certificate Templates.
I am very new to CA so I am sure I am missing something or doing something wrong.
Would love some help.
October 21st, 2011 1:16pm
Can you see any other v2 or v3 (custom) templates (the Workstation Authentication is a v2 template)?
If you can not see any v2 templates try the following commands:
certutil -setreg ca\setupstatus +512
net stop certsvc & net start certsvc
/Hasain
October 21st, 2011 1:30pm
Hi,
The users or computer objects for which you want to issue the certificate must be included in the certificate's permissions (right click on the template > properties > security).
After you create a custom template you must also make it available for enrollment. Go to
[MMC > certificate authority snap-in > <nameOfYourCA> > certificate templates > right click > new > certificate template to issue] and select the
certificate you want to make available. Restart the CA.
What error do you get when you want to issue the certificate with certreq?
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
[
MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14
]
NetShell Services & Solutions | “Design the future with simplicity and elegance”
Visit me at:
www.spaskaloferov.com
|
www: www.netshell-solutions.com
October 21st, 2011 1:40pm
I really don't know how to check the versions. So I ran the command anyhow; below is the result.
Old Value:
SetupStatus REG_DWORD = 1
SETUP_SERVER_FLAG -- 1
New Value:
SetupStatus REG_DWORD = 201 (513)
SETUP_SERVER_FLAG -- 1
SETUP_UPDATE_CAOBJECT_SVRTYPE -- 200 (512)
CertUtil: -setreg command completed successfully.
And restarted the services. And went into the CA to enable the template and I still cannot see it.
===============
Alright so when I do "show all templates" from the EOBO wizard I see the following information:
Status: Unavailable
CopyofUser : The template is missing a required signature policy attribute. You do not have permission to view this type of certificate.
================
I am logged in as domain\administrator
October 21st, 2011 1:40pm
> Subject Name : Build from AD (Fully Distinguished name)
AFAIK you need to switch it to "Supply in request".
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
Changed it to Supply in Request and restarted services. Still doesn't show up in enable cert.
October 21st, 2011 1:49pm
Alright so I created the duplicate cert from the User template. In the Security tab for the custom template I have Authenticated Users there with Read/Enroll, and I gave them Autoenroll as well thinking that might be it.
Problem is I cannot make that template available. I do not see it here:
[MMC > certificate authority snap-in > <nameOfYourCA> > certificate templates > right click > new > certificate template to issue] and select the certificate you want to make
available. Restart the CA.
October 21st, 2011 1:59pm
Hi,
Do you not find the option, or do you not see the template in the list of templates when you navigate to the option below?
[MMC > certificate authority snap-in > <nameOfYourCA> > certificate templates > right click > new > certificate template to issue] and select the certificate you want to make available. Restart the CA.
You will not have this option if you are running the CA on Windows Server 2008
Standard Edition or if you have selected Standalone CA during setup. Have you selected
Enterprise CA during the Role wizard setup?
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
October 21st, 2011 2:05pm
Well I don't see it in the list to enable the custom certificate.
I really don't remember, but I believe it's Enterprise as I can see from Server Manager (Active Directory Certificate Services - Enterprise PKI).
October 21st, 2011 2:09pm
Hi,
Run [certutil -CAInfo] and check the [CA Type]. What does it say?
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
October 21st, 2011 2:11pm
> Run [certutil -CAInfo] and check the [CA Type]. What does it say?
CA type: 0 -- Enterprise Root CA
ENUM_ENTERPRISE_ROOTCA -- 0
CA cert count: 1
October 21st, 2011 2:15pm
Hi,
I think your problem is the setting:
----------------
Issuance Req: This number of authorized signatures = 1
& Application Policy: Client Authentication.
----------------
Start by duplicating a default template. Just duplicate it, do not make any changes. Take the “Web Server” default template. Duplicate it. Try to see if you are going to see it under [certificate templates > right click > new >
certificate template to issue]
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
October 21st, 2011 2:23pm
Just tried that; it doesn't show up either. Steps I did:
Duplicated the "Web Server" template. Didn't change anything. Went to see if I can enable the duplicate template and it's not showing in the list.
I created another duplicate and changed the setting inside to publish in Active Directory. Same issue, doesn't show up in the list.
Note: When I duplicate, it prompts me for Windows 2003 or Windows 2008 versions. I created two, one for 2003 and one for 2008; none of them came up.
October 21st, 2011 2:32pm
Hi,
I’d suggest, if the steps below don't help, to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 Standard) of Windows
and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
Open ADUC and navigate to [Builtin > Users > properties > members] and make sure the following security groups are present.
- Authenticated Users
- Domain Users
- Interactive
Open ADSI Edit and navigate to
[Domain Naming context > DC=<DomainName>,DC=<DomainName> > CN=Users > CN=Cert Publishers > properties > security]
and give [Read] and [Write]
permissions to the [Authenticated Users] group.
Restart the CA.
Check permissions on the CA:
Open the [Certificate Authority] console, right click on the CA, go to [properties > Security] and add the following permissions:
[Authenticated Users]
  [V] Request Certificates
[Domain Admins]
  [V] Read
  [V] Issue and Manage Certificates
  [V] Manage CA
  [V] Request Certificates
[Enterprise Admins]
  [V] Issue and Manage Certificates
  [V] Manage CA
[Administrators]
  [V] Issue and Manage Certificates
  [V] Manage CA
  [V] Request Certificates
[Domain Controllers]
  [V] Read
  [V] Issue and Manage Certificates
  [V] Manage CA
  [V] Request Certificates
[Domain Computers]
  [V] Read
  [V] Request Certificates
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
October 21st, 2011 2:48pm
Before digging deep into the troubleshooting suggestions by Spas Kaloferov, please note that adding/publishing a template to an enterprise CA does not involve DCOM or Cert Publishers settings and permissions.
The minimum requirements are that the CA server has Read permission on the template itself and that the operating system version of the CA server is either 2003 Ent Ed, 2008 Ent Ed or 2008 R2 Std Ed.
/Hasain
October 21st, 2011 3:14pm
Can you describe more about your setup? Is the CA installed on the same server as your DC or do you have different servers?
/Hasain
October 21st, 2011 3:17pm
Hi,
What do these two options say:
Certificate Authority snap-in > CertificateAuthorityName > right click > properties:
a) Certificate Managers
b) Enrollment Agents
If enabled, try setting them to "Do not restrict ..." and restart the CA.
Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.
Best Regards,
Spas Kaloferov
October 21st, 2011 3:26pm
> Can you describe more about your setup? Is the CA installed on the same server as your DC or do you have different servers?
> /Hasain
Well it's a test domain. I have it set up with one server (AD / ADCS / Exchange 2010); everything is on one server and no replication is involved. Setup is pretty much out of the box with next-next-next stuff. I can do the enroll on behalf of just
fine for other users. I can get certs with the private key exported.
All I need now is to try the EOBO manually; for that it's suggested that you create a template.
October 21st, 2011 3:30pm
Can you confirm the version of the CA server operating system is 2008R2 Enterprise Edition?
Can you provide the output of the command: certutil -adtemplate
Can you try to add/publish the template named "Workstation Authentication" to your CA?
/Hasain
October 21st, 2011 3:46pm
CA installed on Windows 2008 R2 Enterprise SP1.
I do not see Workstation Authentication either on the enable template list.
I see "access denied", which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator.
I am leaning towards bad configuration or wrong initial setup.
============================================
C:\Users\Administrator>certutil -adtemplate
Administrator: Administrator -- Auto-Enroll: Access is denied.
CA: Root Certification Authority -- Auto-Enroll: Access is denied.
CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
ClientAuth: Authenticated Session -- Auto-Enroll: Access is denied.
CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
Copy of User: Copy of User -- Auto-Enroll
Copy of Web Server: Copy of Web Server -- Auto-Enroll: Access is denied.
CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.
CTLSigning: Trust List Signing -- Auto-Enroll: Access is denied.
DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
DomainController: Domain Controller -- Auto-Enroll: Access is denied.
DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll:Access is denied.
EFS: Basic EFS -- Auto-Enroll: Access is denied.
EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
EnrollmentAgent: Enrollment Agent -- Auto-Enroll: Access is denied.
EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
ExchangeUser: Exchange User -- Auto-Enroll: Access is denied.
ExchangeUserSignature: Exchange Signature Only -- Auto-Enroll: Access is denied.
IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied.
KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied
KeyRecoveryAgent: Key Recovery Agent -- Auto-Enroll: Access is denied.
Machine: Computer -- Auto-Enroll: Access is denied.
MachineEnrollmentAgent: Enrollment Agent (Computer) -- Auto-Enroll: Access is denied.
OCSPResponseSigning: OCSP Response Signing -- Auto-Enroll: Access is denied.
OfflineRouter: Router (Offline request) -- Auto-Enroll: Access is denied.
RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
SmartcardLogon: Smartcard Logon -- Auto-Enroll: Access is denied.
SmartcardUser: Smartcard User -- Auto-Enroll: Access is denied.
SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
User: User -- Auto-Enroll: Access is denied.
UserSignature: User Signature Only -- Auto-Enroll: Access is denied.
WebServer: Web Server -- Auto-Enroll: Access is denied.
Workstation: Workstation Authentication -- Auto-Enroll: Access is denied.
CertUtil: -ADTemplate command completed successfully.
============================================
October 21st, 2011 4:02pm
On Fri, 21 Oct 2011 19:55:33 +0000, EvilWasp wrote:
> I do not see Workstation Authentication either on the enable template list.
> I see access denied which probably is not a good sign so I made sure I am logged in as domain\administrator. By logging off and logging back in with administrator.
> I am leaning towards bad configuration or wrong initial setup.
> ============================================
> C:\Users\Administrator>certutil -adtemplate
Have you by any chance removed Authenticated Users Read permission from
your certificate templates? If so, then you either need to add that back,
or add READ for the CA's computer account to all of the templates.
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
One person's error is another person's data.
October 21st, 2011 4:51pm
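Hasain's point about the CA server needing Read on the template and Paul Adare's question about the Authenticated Users Read ACE both come down to who can read the template objects under CN=Certificate Templates in the Configuration partition. The PowerShell below is an added example written for this page, not code from the thread or from any of its posters. It lists every template with its schema version (v1 built-in, v2 "Windows 2003" duplicate, v3 "Windows 2008" duplicate) and whether Authenticated Users and the CA's computer account hold an explicit Read grant. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the Configuration partition, and that `$CAComputerName` is a placeholder you replace with the CA server's name.

```powershell
# Added diagnostic example; not code from the thread or any of its posters.
# Assumes: ActiveDirectory PowerShell module present, read access to the
# Configuration partition, and $CAComputerName set to the CA server's name.
Import-Module ActiveDirectory

$CAComputerName = 'CASERVER'   # placeholder: NetBIOS name of the CA server

$configNC     = (Get-ADRootDSE).configurationNamingContext
$templatesDN  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$caSid        = (Get-ADComputer -Identity $CAComputerName).SID
$authUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # Authenticated Users

# True if $Sid has an explicit Allow ACE on $Acl that includes ReadProperty.
# The GUI "Read" right is GenericRead, which contains ReadProperty.
# Rights that arrive through group membership are NOT resolved here.
function Test-ExplicitRead {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($rule.IdentityReference.Value -ne $Sid.Value) { continue }
        if ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) {
            return $true
        }
    }
    return $false
}

# One row per template object: name, schema version, and the two Read checks.
$report = Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
              -Properties 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        [pscustomobject]@{
            Template       = $_.Name
            SchemaVersion  = [int]$_.'msPKI-Template-Schema-Version'   # 1 = v1, 2 = 2003, 3 = 2008
            AuthUsersRead  = Test-ExplicitRead -Acl $acl -Sid $authUsersSid
            CAComputerRead = Test-ExplicitRead -Acl $acl -Sid $caSid
        }
    }

$report | Sort-Object SchemaVersion, Template | Format-Table -AutoSize

# v2/v3 templates with neither explicit grant are the ones to look at first when a
# custom template never appears under "Certificate Template to Issue". Read may
# still come through another group, so confirm by hand before changing ACLs.
$report |
    Where-Object { $_.SchemaVersion -ge 2 -and -not ($_.AuthUsersRead -or $_.CAComputerRead) } |
    ForEach-Object {
        Write-Warning ("Template '{0}' has no explicit Read for Authenticated Users or {1}$" -f $_.Template, $CAComputerName)
    }
```

Run it on the CA (or any domain member with RSAT) as an account that can read the Configuration partition; it changes nothing and only reads ACLs. The thread's own `certutil -adtemplate` evaluates auto-enrollment for the current user, which is a different question from whether the CA's computer account can read the template, so the two outputs are complementary rather than interchangeable.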
Hi,
Have you checked the above?
Best Regards,
Spas Kaloferov
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
October 22nd, 2011 5:35pm
> What do these two options say:
> Certificate Authority snap-in > CertificateAuthorityName > right click > properties:
> a) Certificate Managers
> b) Enrollment Agents
> If enabled, try setting them to "Do not restrict ..." and restart the CA.
When I do properties I don't see any of them. I see the following tabs:
General - Policy Module - Exit Module - Extensions - Storage - Auditing - Security
Let me know how I can check it.
October 24th, 2011 11:04am
> Have you by any chance removed Authenticated Users Read permission from
> your certificate templates? If so, then you either need to add that back,
> or add READ for the CA's computer account to all of the templates.
Never moved Authenticated Users, just added AutoEnroll to it. Now the security setting for Authenticated Users is Read / Enroll / AutoEnroll.
October 24th, 2011 11:31am
Hi,
I would suggest, as it would be easier and quicker, to start from scratch and keep in mind the above suggestions. And most of all, do not make any CA tweaks or advanced configurations
before being sure the default setup works as expected.
Best Regards,
Spas Kaloferov
October 24th, 2011 1:25pm