SubCA cert template problem
Hello,
I've encountered a problem with the cert template for Subordinate CA. In Windows 2008 R2 there is a 'Subordinate Certification Authority' but its length is not satisfactory. So I've duplicated this template, set length validity to 10 years and on the 'Security' tab I've added Administrators and Enterprise Administrators privileges to read/register/auto-enroll. But enrollment of SubCA is impossible now. I had this message
http://img573.imageshack.us/img573/9932/skrin1.jpg
which means that primary CA rejected the request because it refers to template which is not supported by Active Directory Certificate Services: SubCA.
What is the problem? Situation in my topology:
CA-03 ----requests cert from ------> CA02
Please, help
Best
November 4th, 2010 5:08am
Have you added this template to issue on the CA server? Open the Certification Authority MMC snap-in, select the Certificate Templates node and ensure that your template is listed. If not, right-click on this node, select New -> Template to issue.
http://en-us.sysadmins.lv
November 4th, 2010 5:14am
Yes, of course. I have done it. It is listed in this list.
November 4th, 2010 5:25am
Sorry I overlooked one point. When you set up an Enterprise SubCA and request a certificate from an uplevel Enterprise CA (Root or SubCA), the wizard hardcodes the certificate template to SubCA. In order to use a custom certificate template for Subordinate CA you MUST add the following lines to CAPolicy.inf:
[RequestAttributes]
CertificateTemplate = <your custom SubCA template>
and run installation wizard again.
Note: You MUST specify template Common Name (not Display Name).
http://en-us.sysadmins.lv
November 4th, 2010 5:39am
Hello,
Thanks Vadims for your response. Yes, that was the point. Unfortunately I don't know why the certificate is issued for a much shorter period than it is set in the template?
In the template I set 10 years, after 8 years, and no matter how the length is set, it is always issued for only 2 years. How to solve this problem?
Best,
P.S
goattt belongs to me too ;) (sometimes I have HTTP 400 error for my basic account).
November 5th, 2010 7:29am
Certificate validity period has the lesser value of the following:
- estimated CA certificate validity period
- certificate template setting
- ValidityPeriod setting in registry.
http://en-us.sysadmins.lv
November 5th, 2010 7:55am
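The rule in the last reply, as an added PowerShell example that is not part of the original thread: it reports which of the three limits decides the issued certificate's expiry. The function name `Get-EffectiveNotAfter`, the 20-year CA certificate lifetime and the fallback registry values (`Years`, `2`, chosen to reproduce the 2-year result described above) are assumptions made for illustration.

```powershell
# Added example: find which limit caps the validity of a certificate issued by a CA.
function Get-EffectiveNotAfter {
    param(
        [datetime]$IssueTime,       # when the issuing CA signs the request
        [datetime]$CaCertNotAfter,  # expiry of the issuing CA's own certificate
        [int]$TemplateYears,        # validity configured in the certificate template
        [string]$RegPeriod,         # ValidityPeriod registry value (Days/Weeks/Months/Years)
        [int]$RegUnits              # ValidityPeriodUnits registry value
    )
    # Translate the registry pair into an absolute date.
    $regLimit = switch ($RegPeriod) {
        'Days'   { $IssueTime.AddDays($RegUnits) }
        'Weeks'  { $IssueTime.AddDays(7 * $RegUnits) }
        'Months' { $IssueTime.AddMonths($RegUnits) }
        'Years'  { $IssueTime.AddYears($RegUnits) }
        default  { throw "Unexpected ValidityPeriod value: $RegPeriod" }
    }
    $limits = @(
        (New-Object PSObject -Property @{ Source = 'CA certificate expiry'; NotAfter = $CaCertNotAfter }),
        (New-Object PSObject -Property @{ Source = 'Certificate template'; NotAfter = $IssueTime.AddYears($TemplateYears) }),
        (New-Object PSObject -Property @{ Source = 'Registry ValidityPeriod'; NotAfter = $regLimit })
    )
    # The earliest date wins; the other two limits have no effect.
    $limits | Sort-Object NotAfter | Select-Object -First 1
}

# On the issuing CA (CA02 in this thread) read the real registry cap;
# anywhere else fall back to constructed sample values.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfg) {
    $caName = (Get-ItemProperty $cfg).Active
    $ca     = Get-ItemProperty (Join-Path $cfg $caName)
    $period = $ca.ValidityPeriod
    $units  = $ca.ValidityPeriodUnits
} else {
    $period = 'Years'   # constructed sample
    $units  = 2         # constructed sample
}

$now = Get-Date
# CA certificate lifetime (20 years) and template validity (10 years) are sample inputs.
Get-EffectiveNotAfter -IssueTime $now -CaCertNotAfter $now.AddYears(20) `
    -TemplateYears 10 -RegPeriod $period -RegUnits $units
```

If the registry value is the limiting source, it can be raised on the issuing CA with `certutil -setreg CA\ValidityPeriodUnits <n>` (and `CA\ValidityPeriod` for the unit), followed by a restart of the `certsvc` service.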


