Unable to request SAN certificate for Exchange via Enterprise CA
I have just installed a new Root CA and subordinate CA in our organisation. One of its purposes will be to issue a SAN certificate for our Exchange 2010 server. When trying to request the SAN cert as described here I'm hitting a wall fairly soon. I'm being told to select the Web Server template. However, only the Computer template is available to me. If I tick the box "Show all templates" I can see the Web Server template, but it has status "Unavailable" with the message "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate". I'm logged in with a Domain Admin account and the group Domain Admins is a member of the local Administrators group.

So I tried to create a signing request in Exchange and have it signed by my CA manually. This worked, but now I have no clue how to get the signed certificate back to the Exchange server. I must be doing something horribly wrong here but can't seem to find what. There's a ton of info out there on how to set up a CA chain, but not really on how to use it afterwards.
August 24th, 2012 3:44am

You are missing permissions on the template. http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=20

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 24th, 2012 9:35am

Also make sure that the WebServer template has Read and Enroll permission for the domain computer account from which you are trying to enroll the certificate. To achieve this, open certtmpl.msc -> Web Server template -> Security tab -> give Read and Enroll permission to the computer from which you are trying to request this certificate. Do a gpupdate /force on the DC as well as on the domain computer and try re-enrolling the certificate.
August 25th, 2012 11:39am
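The check the answer above describes, as an added example that is not part of the thread: the "Unavailable" status in the enrollment wizard is decided by the template's ACL in Active Directory, and enrollment from the computer's certificate store runs as the machine account, not as the logged-on Domain Admin. The script reads the WebServer template object under the configuration naming context, lists who currently holds the Certificate-Enrollment extended right, and grants Read plus Enroll to the Exchange server's computer account. The server name EXCH01 is an assumption; it needs the RSAT ActiveDirectory module and an account allowed to edit template ACLs.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# a hypothetical Exchange server computer account named EXCH01.
Import-Module ActiveDirectory

$templateName = 'WebServer'
$computerName = 'EXCH01'   # assumption: the machine that will enroll

# Templates live in the configuration partition, not in the domain partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known GUID of the Certificate-Enrollment extended right ("Enroll" in certtmpl.msc).
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$computer = Get-ADComputer -Identity $computerName
$sid      = [System.Security.Principal.SecurityIdentifier]$computer.SID

$acl = Get-Acl -Path "AD:\$templateDN"

# Who is allowed to enroll today? A Domain Admin user will not help if the
# computer account is missing from this list.
$acl.Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Read = GenericRead on the template object; Enroll = the extended right above.
$readAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)
$enrollAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight)

$acl.AddAccessRule($readAce)
$acl.AddAccessRule($enrollAce)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl
```

Granting the right to a single computer account, rather than to Domain Computers, keeps the WebServer template (which lets the requester supply the subject) limited to the hosts that actually need it. The template must also be published on the issuing CA (certsrv.msc, Certificate Templates folder) before it appears in the wizard at all.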

Hi MaximVG, besides the permissions you must allow SAN on the CA. Run

CERTUTIL.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

and restart the certificate services: net stop certsvc & net start certsvc

Regards, Lutz
August 25th, 2012 12:27pm

> Hi MaximVG, besides the permissions you must allow SAN on the CA. Run CERTUTIL.exe -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 and restart the certificate services net stop certsvc & net start certsvc Regards, Lutz

Sorry, but this is completely wrong information. SAN attributes *MUST NOT* be enabled on Enterprise CAs.

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
August 25th, 2012 2:41pm

Hi Vadims, this is not correct. If you just install a CA, EDITF_ATTRIBUTESUBJECTALTNAME2 is not set. I just verified this in the lab with an all-new Windows 2008 R2 installation. How to configure a CA to accept a SAN attribute from a certificate request - http://support.microsoft.com/kb/931351 The support article is for Windows 2003. Anyway, I can see the same behavior for Windows 2008 R2 using certreq.exe or the certsrv web page.

Regards, Lutz
August 25th, 2012 7:11pm

Hi, how are things going? I just want to check if the information provided was helpful. If there is any update or concern, please feel free to let us know.

Best Regards, Aiden

Aiden Cao TechNet Community Support
August 27th, 2012 11:09pm

Sorry about the delay. Had some other stuff that took priority over webmail certificates. The problem was indeed that the computer account did not have access rights on the Web Server certificate template. Once these were in place the enrollment was a breeze. No need to configure or allow other SAN settings on the CA. Just the access rights. Thanks for the help!

Maxim
September 1st, 2012 3:23am

> this is not correct. If you just install a CA, EDITF_ATTRIBUTESUBJECTALTNAME2 is not set.

Sorry, but I'm correct here. Yes, the flag is not enabled by default. And as I said, it MUST NOT be enabled further.

> How to configure a CA to accept a SAN attribute from a certificate request - http://support.microsoft.com/kb/931351

In Windows Server 2003 there were many cases when we had to enable SAN attributes. However, starting with Windows Server 2008, this flag is not necessary anymore (unless you are using Web Enrollment Pages to request certificates with SAN extension). The correct way is to pass SAN as an extension, not as an attribute. SAN extensions from requests are added to issued certificates when the certificate template is configured to supply the subject in the request by default (without enabling this flag). By enabling this flag, you reduce certificate security, because a SAN attribute can be passed with any request (regardless of template configuration).

My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
September 1st, 2012 3:34am
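The distinction the last post draws between a SAN *attribute* and a SAN *extension*, carried through as an added example that is not part of the thread: the script first reads the CA's policy\EditFlags and warns if EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000) is set, then builds a certreq INF that places the names in the 2.5.29.17 extension inside the PKCS#10 itself, submits it against the WebServer template, confirms the issued certificate carries every requested name, and binds it for IIS and SMTP. It also covers the original poster's "how do I get the signed certificate back to Exchange" step. The CA config string CA01.corp.example\Corp-Issuing-CA, the host names under corp.example and the C:\pki paths are assumptions; run it elevated on the Exchange server so the key pair is created in the machine store, and run the final cmdlet from the Exchange Management Shell.

```powershell
# Added example, not from the thread. Assumptions: the CA config string, host names
# and file paths below are placeholders; run elevated on the Exchange server.
$caConfig = 'CA01.corp.example\Corp-Issuing-CA'   # assumption: <CA host>\<CA common name>
$template = 'WebServer'
$subject  = 'CN=mail.corp.example, O=Example Corp'
$sans     = @('mail.corp.example', 'autodiscover.corp.example', 'exch01.corp.example')
$workDir  = 'C:\pki'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$infPath = Join-Path $workDir 'exchange.inf'
$reqPath = Join-Path $workDir 'exchange.req'
$cerPath = Join-Path $workDir 'exchange.cer'

# 1. The CA must NOT honour SAN passed as a request attribute. With that flag set,
#    any requester can add arbitrary names to a certificate from any template.
$regOut = certutil -config $caConfig -getreg policy\EditFlags
$m = $regOut | Select-String 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)'
if ($m) {
    $editFlags = [Convert]::ToInt64($m.Matches[0].Groups[1].Value, 16)
    if ($editFlags -band 0x40000) {
        Write-Warning 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set on this CA.'
        Write-Warning "Clear it with: certutil -config $caConfig -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2"
    }
}

# 2. Put the SAN in the request as an X.509 extension (OID 2.5.29.17).
#    certreq's {text} syntax takes dns=<name> entries joined by '&'.
$sanValue = ($sans | ForEach-Object { "dns=$_" }) -join '&'
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}$sanValue"

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new $infPath $reqPath
# The names must be inside the signed request body, not bolted on at submit time.
if (-not (certutil -dump $reqPath | Select-String 'Subject Alternative Name')) {
    throw 'SAN extension missing from the CSR'
}

# 3. Submit against the template. The template must let the requester supply the
#    subject, and the computer account needs Read + Enroll on it.
certreq -submit -config $caConfig $reqPath $cerPath
if (-not (Test-Path $cerPath)) {
    throw 'No certificate returned: pending CA manager approval, or a template/permission problem'
}
# Binds the issued certificate to the pending private key in Cert:\LocalMachine\My.
certreq -accept $cerPath

# 4. Check that the CA issued every name we asked for and nothing was dropped.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw 'Issued certificate has no SAN extension' }
$issued = $sanExt.Format($true)
foreach ($name in $sans) {
    if ($issued -notmatch [regex]::Escape($name)) { throw "SAN $name missing from issued certificate" }
}

# 5. Assign it to the Exchange services (Exchange Management Shell).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
```

If the request was instead generated with New-ExchangeCertificate, as in the original post, the private key is already in the machine store on that server and the signed file is completed with `Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path C:\pki\exchange.cer -Encoding Byte -ReadCount 0))`, followed by the same Enable-ExchangeCertificate call. Either way the CA accepts the SAN because the template lets the request supply the subject, not because of any EditFlags change.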

This topic is archived. No further replies will be accepted.