Automatic Certificate Request GPO

    Question

  • Hi,

    How do we add additional certificates so that we can see them in the GPO under Automatic Certificate Request section?

    Currently these are the only 4 available:

    • Computer
    • Domain Controller
    • Enrollment Agent (Computer)
    • IPSec

    We would like to add some custom templates in there.

    Thank you

    Thursday, May 27, 2010 7:28 AM

Answers

  • On Thu, 27 May 2010 07:28:26 +0000, S.Kwan wrote:

    > Hi,
    >
    > How do we add additional certificates so that we can see them in the GPO under Automatic Certificate Request section?
    >
    > Currently these are the only 4 available:
    >
    > Computer
    > Domain Controller
    > Enrollment Agent (Computer)
    > IPSec
    >
    > We would like to add some custom templates in there.

    You don't add custom templates to ACRS. ACRS is an older technology that is
    only suitable for deploying V1 computer certificates. If you're using
    custom templates then those templates are either V2 or V3 templates and
    those you deploy via Autoenrollment. You need to make sure that you've got
    autoenrollment enabled in a GPO and then you control access to the
    templates through the DACL on each template. A user or a computer requires
    Read, Enroll, and Autoenroll to be able to autoenroll against a V2 or
    V3 template.



    --
    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca

    Paul Adare CTO IdentIT Inc. ILM MVP
    • Proposed as answer by Vadims Podans MVP Thursday, May 27, 2010 9:57 AM
    • Marked as answer by D Wind Thursday, May 27, 2010 10:55 AM
    Thursday, May 27, 2010 8:09 AM
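    The accepted answer's rule (Read, Enroll and Autoenroll on the template DACL) can be checked from PowerShell. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module, a domain-joined host with read access to the configuration partition, and placeholder template and group names.

```powershell
# Added example (not from the thread): report whether a principal holds the Read, Enroll
# and Autoenroll rights on a V2/V3 certificate template. Assumes the ActiveDirectory
# module is installed; the template name and group below are placeholders.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d1-8d7c-00c04fd8d5e0'

function Test-TemplateAutoenrollAccess {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # template CN, e.g. 'AccountWebServer'
        [Parameter(Mandatory)][string]$Principal       # exact ACE identity, e.g. 'CONTOSO\Web Servers'
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = (Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor

    $read = $false; $enroll = $false; $auto = $false
    foreach ($ace in $acl.Access) {
        # Only ACEs naming this exact identity are examined; rights inherited through
        # nested group membership are not resolved here.
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        if ($ace.AccessControlType -ne 'Allow') {
            Write-Warning "Deny ACE present for $Principal on $TemplateName"; continue
        }
        # 'Read' in the template GUI is stored as the GenericRead composite right
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead)) {
            $read = $true
        }
        # Enroll / Autoenroll are extended rights identified by ObjectType GUID
        if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($ace.ObjectType -eq $EnrollGuid)     { $enroll = $true }
            if ($ace.ObjectType -eq $AutoEnrollGuid) { $auto   = $true }
        }
    }
    [pscustomobject]@{
        Template      = $TemplateName
        Principal     = $Principal
        Read          = $read
        Enroll        = $enroll
        Autoenroll    = $auto
        CanAutoenroll = ($read -and $enroll -and $auto)
    }
}

Test-TemplateAutoenrollAccess -TemplateName 'AccountWebServer' -Principal 'CONTOSO\Web Servers'
```

    A principal with CanAutoenroll = False will never pick up the template even when the autoenrollment GPO is applied, which is the usual cause of "template missing from the client" tickets.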

All replies

  • We are actually setting up a cross-forest CA scenario based on the whitepaper "Cross-forest Certificate Enrollment with Windows Server 2008 R2".

    We have 2 forests, and one already has a PKI infrastructure (Forest A).

    To make matters interesting, Forest B already has an Enterprise Root CA (for testing purposes) - but it also has some servers that require certificates from the Forest A CA (autoenrollment required). So following that white paper we might hit a snag, when for instance we migrate the Templates?

    Perhaps a simpler route would be to simply remove the existing Root CA and deploy a Subordinate Issuing CA in Forest B?

    Or can these 2 separate CA environments happily coexist?


    Thursday, May 27, 2010 8:17 AM
  • Ah, I now see that we can just copy the single template we need from Forest A to Forest B

    .\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Template -cn AccountWebServer


    However, do I also need to copy the OIDs? This command seems to do all OIDs...how do I run this to only copy the OID of one Template, just remove the "-f" switch?

    .\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -f

    Thursday, May 27, 2010 8:33 AM
  • On second hand, I think it might just be easier (long term) to deploy a Sub Issuing CA in forest B ;-)
    Thursday, May 27, 2010 9:24 AM
  • However, do I also need to copy the OIDs? This command seems to do all OIDs...how do I run this to only copy the OID of one Template, just remove the "-f" switch?

    .\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -f

    This will work:

    .\PKISync.ps1 -sourceforest source.contoso.com -targetforest account.contoso.com -type Oid -cn OID_Common_name

    Where to get OID_Common_Name? You could use ADSI Edit (config context, Services, PK Services, OID).

    The name will be some large hex string.

    If you want to copy only the template OID then you can right click the OID, Properties, and check the msPKI-Cert-Template attribute.

    Cheers!

    • Proposed as answer by Cristian Zanni Friday, February 01, 2013 7:27 PM
    Friday, February 01, 2013 7:27 PM
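    The lookup described above (template to OID object in the OID container, whose hex CN is what PKISync.ps1 -type Oid -cn expects) can be scripted instead of done by hand in ADSI Edit. This is an added example, not code from the thread or from PKISync.ps1; it assumes the ActiveDirectory RSAT module and uses the thread's forest names only as placeholders.

```powershell
# Added example (not from the thread): resolve the CN of the msPKI-Enterprise-Oid object
# that belongs to one certificate template, for use with PKISync.ps1 -type Oid -cn.
# Assumes the ActiveDirectory module; template and forest names are placeholders.
Import-Module ActiveDirectory

function Get-TemplateOidCommonName {
    param([Parameter(Mandatory)][string]$TemplateName)   # template CN, e.g. 'AccountWebServer'

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # The template object carries its own OID in msPKI-Cert-Template-OID
    $template = Get-ADObject -Identity "CN=$TemplateName,CN=Certificate Templates,$pkiBase" `
                             -Properties 'msPKI-Cert-Template-OID'
    $oid = $template.'msPKI-Cert-Template-OID'
    if (-not $oid) { throw "Template $TemplateName has no msPKI-Cert-Template-OID (V1 template?)" }

    # The OID container holds one object per enterprise OID; its CN is the large hex string
    # seen in ADSI Edit, and it is matched back to the template by the same OID value.
    $oidObject = Get-ADObject -SearchBase "CN=OID,$pkiBase" `
                              -LDAPFilter "(msPKI-Cert-Template-OID=$oid)" `
                              -Properties displayName, 'msPKI-Cert-Template-OID'
    if (-not $oidObject) { throw "No OID object found for template $TemplateName ($oid)" }

    [pscustomobject]@{
        Template    = $TemplateName
        Oid         = $oid
        OidCN       = $oidObject.Name
        DisplayName = $oidObject.displayName
    }
}

$r = Get-TemplateOidCommonName -TemplateName 'AccountWebServer'
$r

# The CN is the -cn argument for the OID copy (forest names are placeholders):
"  .\PKISync.ps1 -sourceforest account.contoso.com -targetforest resource.contoso.com -type Oid -cn $($r.OidCN)"
```

    Copy the OID object before or together with the template; a template whose OID is missing in the target forest shows up there but cannot be resolved by clients.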
  • So you have the answer to an almost 3-year-old thread?!?!?!?!

    Friday, February 01, 2013 10:26 PM