Certificate for local system with Thumbprint...is about to expire...
-
Friday, July 13, 2012 12:39 PM
I tried the steps found at: http://technet.microsoft.com/en-us/library/cc774595(v=WS.10).aspx
I get to the list of certificates.....the list doesn't have thumbprints so I'm not sure which is the certificate that is producing the warning. I select a certificate that has expired. Try Renew with Same Key.
I get:
Enrollment Error The requested certificate template is not supported by this CA.
Where do I go from here?
All Replies
-
Friday, July 13, 2012 1:41 PM
a) You cannot renew an already expired certificate. You can try Request New certificate. If you wanted to renew a certificate, you would have to do it before the original certificate expires.
b) To see the thumbprint, go into the MMC console, Certificates, and open all the certificates one by one and look up the thumbprints.
o.
-
Friday, July 13, 2012 1:54 PM
That makes sense.....just getting started with the whole certificate thing.....
I tried Request New certificate......SAME ERROR (template not supported by this CA)
- Edited by JohnSLG Friday, July 13, 2012 2:45 PM
-
Monday, July 16, 2012 2:54 AM
Moderator
Hi John,
Please check the suggestion of Vadims in the thread below to see if it can be helpful:
The requested certificate template is not supported by this CA
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/f8fec4fc-e03c-453d-9daa-eb12e950bd52/
Regards
Kevin
-
Monday, July 16, 2012 6:15 PM
Thanks. I saw that thread and, unfortunately, I don't understand it. I'm going to have to take a course on certificates.
-
Tuesday, July 17, 2012 2:20 AM
Moderator
Hi John,
Here is a basic article for ADCS. Hope it can be useful to you.
Active Directory Certificate Services Step-by-Step Guide
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx
Regards
Kevin
-
Tuesday, July 17, 2012 12:33 PM
OK. I found my CA - it is hosted on the same server that hosts Exchange. I do not have the Online Responder, or Web enrollment roles installed.
The link wanted me to change the subordinate certification authority to use a different template - "custom template". Currently it is using a template named SubCA. Do I need to change that to something else???
- Edited by JohnSLG Tuesday, July 17, 2012 12:37 PM
-
Wednesday, July 18, 2012 1:31 AM
Moderator
Hi John,
We can try the steps in the article below to use a custom template for Subordinate CA as a test:
http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspx
Regards
Kevin
-
Wednesday, July 18, 2012 11:07 AM
I can do that.
1) Does it matter what I name the duplicate?
2) Does it matter if I choose Win 2003 or 2008?
3) Does it matter if I Publish in Active Directory?
4) Does it matter if I "Do not automatically reenroll if a duplicate certificate exists in Active Directory"? Since this WILL be a duplicate?
5) Does it matter if I use existing key for smart card certificate renewal? I don't use smart cards.
6) Do I need to have CA certificate manager approval for enrollment?
7) Should I have authorized signatures for enrollment?
8) What are Superseded Templates?
9) Do I need to do anything with Extensions?
10) Do I need to change any of the default Security settings?
11) Once I am done, how do I tell applications to start using the duplicate template?
12) Why would this duplicate template allow me to create a new certificate for the one that expired?
- Edited by JohnSLG Wednesday, July 18, 2012 11:32 AM
-
Thursday, July 19, 2012 12:12 AM
dir cert:\LocalMachine\my | Where-Object { $_.HasPrivateKey } | Foreach-Object { write-host $_.thumbprint - $_.subject }
This PowerShell command will help you to identify the certificate behind the thumbprint.
- Lutz
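
Added example, not part of the thread and not written by any of its posters: a PowerShell function that builds on the command above by searching every LocalMachine store for the thumbprint named in the warning and reporting the expiry and the template the certificate was issued from. The function name, its parameters and the sample thumbprint are constructed for illustration; it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example. Function name, parameters and the sample thumbprint are constructed.
function Find-CertificateByThumbprint {
    param(
        [Parameter(Mandatory = $true)] [string] $Thumbprint,
        [int] $WarnDays = 30
    )

    # Thumbprints copied from event text or the MMC dialog often carry spaces or
    # invisible characters; keep only the hex digits before comparing.
    $wanted = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()

    # Template extensions: version 1 templates carry "Certificate Template Name",
    # version 2 and later carry "Certificate Template Information".
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'

    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.Thumbprint -eq $wanted } |
        ForEach-Object {
            $cert = $_
            $template = $cert.Extensions |
                Where-Object { $templateOids -contains $_.Oid.Value } |
                ForEach-Object { $_.Format($false) } |
                Select-Object -First 1
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

            [pscustomobject]@{
                Store         = ($cert.PSParentPath -split '\\')[-1]
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                DaysLeft      = $daysLeft
                Status        = if ($daysLeft -lt 0) { 'Expired' }
                                elseif ($daysLeft -le $WarnDays) { 'Expiring' }
                                else { 'OK' }
                HasPrivateKey = $cert.HasPrivateKey
                Template      = if ($template) { $template } else { '(no template extension)' }
            }
        }
}

# Constructed placeholder: paste the thumbprint from the warning here.
Find-CertificateByThumbprint -Thumbprint '00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33' |
    Format-List
```

The Template field shows which template a new request would have to use, which is the value to compare against the templates the CA actually issues when enrollment fails with "template is not supported by this CA".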
-
Thursday, July 19, 2012 11:56 AM
I have a Subordinate Certificate Authority. I'm still not sure WHY I need a copy of it nor WHAT to do with the duplicate copy. I'm also not sure what settings to check on the duplicate certificate.
-
Wednesday, August 22, 2012 11:58 AM
After further review I added OWA to an existing certificate and deleted the offending cert.
- Marked As Answer by JohnSLG Wednesday, August 22, 2012 11:59 AM

