No templates in Certificate Authority snapin

    Question

  • Hi. We recently moved our Ent Root CA from a 2003r2 DC to a 2008r2 DC with a different name. For a while I was getting "element not found" when requesting a cert from a web server or when I looked at the templates folder in the MMC. I was able to get rid of that error, but now there are no templates in the templates folder. And when I try to add one I get the following error:

    "The template information on the CA cannot be modified at this time. This is most likely because the CA service is not running or there are replication delays. The parameter is incorrect. 0x80070057 (WIN32: 87)

    The changes can be saved to Active Directory and retrieved by the CA next time it is started. Do you want to save the changes to Active Directory?"

    I choose "yes" and I get:

    "Failed to update CA certificate templates. The parameter is incorrect. 0x80070057 (WIN32: 87)"

     Any ideas on how to fix this? My domain cert is about to expire in 1 week. I can renew it but cannot request from any other servers.

    Thanks,

    Wednesday, September 04, 2013 9:58 PM

All replies

  • Hi Dan,

    I saw this once before, but I was not able to reproduce the issue or to investigate it because my client was not interested that much.

    So we ran certutil.exe -SetCAtemplates +CertificateTemplateName from the command line to assign templates to the CA.

    Hope that will be a workaround for you as well.

    Regards,

    Lutz

    Wednesday, September 04, 2013 11:44 PM
  • Thanks Lutz, Here is what I get when running the command:

    certutil -setCATemplates +administrator
    CertUtil: -SetCATemplates command FAILED: 0x80070057 (WIN32: 87)
    CertUtil: The parameter is incorrect.

    Thursday, September 05, 2013 1:17 PM
  • Okay, then let's do a little bit more troubleshooting. You should perform all changes and testing as Enterprise Admin, so that we do not have to worry about permissions too much.

    1. If you run a certutil.exe -dump, do you see the new CA listed there?

    2. Open LDAP or AD Sites and Services (enable Show Services in the MMC) and check if the new CA exists under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=frontoso,DC=com. The AD object of the CA should have an attribute called certificateTemplates configured. You can add the template manually by adding the template name. If the AD object of the CA does not exist you should create 


    • Marked as answer by Dan Burchfield Thursday, September 05, 2013 6:43 PM
    Thursday, September 05, 2013 6:02 PM
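    One way to do step 2 without clicking through the MMC, as an added example that is not part of the thread: this PowerShell script reads the Enrollment Services objects from the Configuration partition, lists the templates each CA publishes, and flags any template name on the CA object that is not defined in the forest (a stale reference left over from a migration). The CA common name is a placeholder you must supply; it assumes only default read access to the Configuration partition.

```powershell
# Added example (not from the thread): check the CA's registration in AD after
# a migration and list the templates published on its Enrollment Services object.
param([string]$CaName = 'NEW-CA-NAME')   # placeholder: the CA's CN as shown by certutil -dump

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = "$($rootDse.configurationNamingContext)"
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# 1. One pKIEnrollmentService object per enterprise CA. This is the object the
#    MMC and certutil -SetCATemplates write to; if it is missing, the
#    "parameter is incorrect" error from the thread is the expected symptom.
$esSearch = New-Object System.DirectoryServices.DirectorySearcher
$esSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$esSearch.Filter     = '(objectClass=pKIEnrollmentService)'
[void]$esSearch.PropertiesToLoad.AddRange(@('cn', 'dNSHostName', 'certificateTemplates'))
$cas = $esSearch.FindAll()

# 2. Templates actually defined in the forest, used to cross-check step 1.
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
$tplSearch.Filter     = '(objectClass=pKICertificateTemplate)'
[void]$tplSearch.PropertiesToLoad.Add('cn')
$definedTemplates = @($tplSearch.FindAll() | ForEach-Object { $_.Properties['cn'][0] })

$found = $false
foreach ($ca in $cas) {
    $cn      = $ca.Properties['cn'][0]
    $dnsName = $ca.Properties['dnshostname'][0]
    $tpls    = @($ca.Properties['certificatetemplates'])
    Write-Host "CA '$cn' on $dnsName publishes $($tpls.Count) template(s)"
    if ($cn -eq $CaName) { $found = $true }
    foreach ($t in $tpls) {
        # A name on the CA object that no template in the forest carries is stale.
        if ($definedTemplates -notcontains $t) { Write-Warning "  '$t' is not a defined template" }
        else { Write-Host "  $t" }
    }
}
if (-not $found) {
    Write-Warning "No Enrollment Services object named '$CaName'; the CA is not registered in AD"
}
```

A CA that is listed here with an empty certificateTemplates attribute matches the empty templates folder in the question; one that is not listed at all needs its AD object created before certutil -SetCATemplates can succeed.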
  • This worked like a charm Lutz. Thank you.

    Can you tell me one more thing? My domain cert is about to expire. If I renew from the CA console, will that update all of the machines that are using that cert? For instance my Exchange CAS array, or other web sites?

    Thursday, September 05, 2013 6:43 PM
  • I am not clear when you say domain cert.

    In a PKI you have at minimum a Root CA certificate and for example an SSL server certificate signed by the Root CA certificate. (Best practice is having an offline root CA and one or more enterprise sub CAs for issuing certificates to users and machines, but this is not the topic here.)

    So if the Root CA certificate is going to expire you can renew it and the certificate will be automatically distributed (only with an Enterprise Root CA) to all Active Directory domain members, so workstations and servers.

    But this will not change the validity of an SSL server certificate you have installed in IIS or Exchange for CAS. You have to request a new SSL server certificate from the CA and then you need to configure your application to use the new certificate.

    For IIS - see the IIS Manager section - http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

    For Exchange 2007 - see the section Creating, Importing, and Enabling Certificates - http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx

    If both certificates expire soon, renew (with the same private key) first the Root CA certificate and then the SSL server cert.

    • Marked as answer by Dan Burchfield Thursday, September 05, 2013 9:23 PM
    Thursday, September 05, 2013 7:34 PM
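    Two checks a practitioner would want after following this advice, as an added example that is not part of the thread: confirm that the renewed Root CA certificate in the machine's Trusted Root store carries the same public key as the old one (so certificates issued before the renewal still chain), and list the server certificates issued by that CA that expire soon and must be re-requested. The CA name and the look-ahead window are placeholders.

```powershell
# Added example (not from the thread): verify a Root CA renewal reused its key
# pair and find server certificates from that CA that are about to expire.
param(
    [string]$CaName   = 'NEW-CA-NAME',   # placeholder: subject CN of the root CA
    [int]$DaysAhead   = 30
)

# Every certificate for the CA's CN in the Trusted Root store, oldest first.
$rootCerts = @(Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CaName } |
    Sort-Object NotBefore)

if ($rootCerts.Count -lt 2) {
    Write-Host "Found $($rootCerts.Count) certificate(s) for '$CaName' in the Root store; nothing to compare"
} else {
    # Identical public key bytes mean the renewal reused the private key
    # (certutil -renewCert ReuseKeys); a new key breaks chaining for older certs.
    $keys = @($rootCerts | ForEach-Object { [Convert]::ToBase64String($_.GetPublicKey()) } |
        Select-Object -Unique)
    foreach ($c in $rootCerts) {
        Write-Host ("  {0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}" -f $c.Thumbprint, $c.NotBefore, $c.NotAfter)
    }
    if ($keys.Count -eq 1) {
        Write-Host "Root CA renewal reused the existing key pair"
    } else {
        Write-Warning "Root CA certificates use different key pairs; certificates signed with the old key chain only to the old CA certificate"
    }
}

# Server certificates issued by this CA that expire within the window.
$cutoff = (Get-Date).AddDays($DaysAhead)
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $true) -eq $CaName -and $_.NotAfter -le $cutoff } |
    ForEach-Object { Write-Warning "Re-request: $($_.Subject) expires $($_.NotAfter)" }
```

Run it on each IIS or Exchange CAS server after the Root CA renewal; the second part shows which bindings still need a fresh server certificate.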
  • Yes, I meant to say Root CA certificate. Thanks for all your help.
    Thursday, September 05, 2013 9:24 PM