Certificate Authority - Custom Temp not showing up. W2k8R2ent

    Question

  • Hi Guys,

    Couldn't see a forum for CA so I had to post it here. Hopefully it's the right place.

    (Server is a test domain, 1 single AD, no replication. Running Win 2k8 R2 Enterprise.)

    So here's the issue: I am trying to create and export a certificate for other users (eobo).

    It works fine. But I want to do this through certreq, and in order to do that I have to create a custom cert, which I did by duplicating the User template.

    In the new template CopyOfUser I changed (or confirmed) the following settings:-

    General Tab = Publish Cert in Active Directory

    Request Handling = Allow private key to be exported & Enroll subject without requiring any input

    Security: I am logged in as domain administrator and it has Read/Write/Enroll

    Issuance Req: This number of authorized signatures = 1

    & Application Policy & Client Authentication.

    Subject Name: Build from AD (Fully Distinguished name)

    Selected boxes: Include email name / Email name / UPN

    Now the problem is I cannot see the custom template under Enable Certificate Templates.

    I am very new to CA so I am sure I am missing something or doing something wrong.

    Would love some help.


    Friday, October 21, 2011 5:09 PM

Answers

  • Hi,

    I would suggest, as it would be easier and quicker, to start from scratch and keep in mind the above suggestions. And most of all, do not make any CA tweaks or advanced configurations before being sure the default setup works as expected.

     

    Best Regards,

    Spas Kaloferov

    [ MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14  ]

    NetShell Services & Solutions | “Design the future with simplicity and elegance”

    Visit me at: www.spaskaloferov.com | www: www.netshell-solutions.com


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by Bruce-Liu Friday, October 28, 2011 5:13 PM
    Monday, October 24, 2011 5:23 PM

All replies

  • Can you see any other v2 or v3 (custom) templates (the Workstation Authentication template is a v2 template)?

    If you cannot see any v2 templates, try the following commands:

     

    certutil -setreg ca\setupstatus +512

    net stop certsvc & net start certsvc

     

    /Hasain

    Friday, October 21, 2011 5:23 PM
  • Hi,

    The users or computer objects for which you want to issue the certificate must be included in the certificate's permissions (right click on the template > properties > security).

    After you create a custom template you must also make it available for enrollment. Go to

    [MMC > certificate authority snap-in > <nameOfYourCA> > certificate templates > right click > new > certificate template to issue] and select the certificate you want to make available. Restart the CA.

    What error do you get when you want to issue the certificate with certreq?

     

    What error do you get?

     

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

     

    Best Regards,

    Spas Kaloferov



    Friday, October 21, 2011 5:33 PM
  • I really don't know how to check the versions. So I ran the command anyhow; below is the result.


    Old Value:
      SetupStatus REG_DWORD = 1
        SETUP_SERVER_FLAG -- 1

    New Value:
      SetupStatus REG_DWORD = 201 (513)
        SETUP_SERVER_FLAG -- 1
        SETUP_UPDATE_CAOBJECT_SVRTYPE -- 200 (512)
    CertUtil: -setreg command completed successfully.

    And restarted the services. And went into the CA to enable the template and I still cannot see it.

    ===============

    Alright so when I do show all templates from eobo wizard I see the following information :-

    Status: Unavailable

    CopyofUser : The template is missing a required signature policy attribute. You do not have permission to view this type of certificate.

    ================

    I am logged in at domain\administrator

    • Edited by EvilWasp Friday, October 21, 2011 5:38 PM
    Friday, October 21, 2011 5:33 PM
  • > Subject Name : Build from AD (Fully Distinguished name)

    afaik you need to switch it to "Supply in request".


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki
    Changed it to Supply in Request and restarted services. Still doesn't show up in enable cert.
    Friday, October 21, 2011 5:42 PM
  • Alright so I created the duplicate cert from the User template. In the Security tab for the custom template I have Authenticated Users there with Read/Enroll, and I gave them Autoenroll as well, thinking that might be it.

    Problem is i cannot make that template available. I do not see here :-

    [MMC > certificate authority snapin > <nameOfYourCA> certificate templates > right click > new > certificate template to issue] and select the certificate you want to make available.Restart the CA..

    Friday, October 21, 2011 5:52 PM
  • Hi,

    You do not find the option, or you do not see the template in the list of templates when you navigate to the option below:

    [MMC > certificate authority snap-in > <nameOfYourCA> > certificate templates > right click > new > certificate template to issue] and select the certificate you want to make available. Restart the CA.

    You will not have this option if you are running the CA on Windows Server 2008 Standard Edition or if you have selected Standalone CA during setup. Have you selected Enterprise CA during the Role wizard setup?

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

    Best Regards,

    Spas Kaloferov


    Friday, October 21, 2011 5:58 PM
  • Well, I don't see it in the list to enable the custom certificate.

    I really don't remember, but I believe it's Enterprise, as I can see from Server Manager (Active Directory Certificate Services - Enterprise PKI).

    Friday, October 21, 2011 6:02 PM
  • Hi,

    Run [certutil –CAInfo] and check the [CA Type]. What does it say?

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

    Best Regards,

    Spas Kaloferov


    Friday, October 21, 2011 6:04 PM
  • CA type: 0 -- Enterprise Root CA
        ENUM_ENTERPRISE_ROOTCA -- 0
    CA cert count: 1
    Friday, October 21, 2011 6:08 PM
  • Hi,

    I think your problem is the setting:

    ----------------

    Issuance Req: This number of authorized signatures = 1

    & Application Policy & Client Authentication.

    ----------------

    Start by duplicating a default template. Just duplicate it, do not make any changes. Take the "Web Server" default template. Duplicate it. Try to see if you are going to see it under [certificate templates > right click > new > certificate template to issue].

     

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

     Best Regards,

    Spas Kaloferov


    Friday, October 21, 2011 6:16 PM
  • Just tried that; it doesn't show up either. Steps I did:-

    Duplicated the "Web Server" template. Didn't change anything. Went to see if I can enable the duplicate template, and it's not showing in the list.

    I created another duplicate and changed the setting inside to publish in Active Directory. Same issue, doesn't show up in the list.

    Note: When I duplicate, it prompts me for Windows 2003 or Windows 2008 versions. I created two, one for 2003 and one for 2008; none of them came up.

     

    Friday, October 21, 2011 6:25 PM
  • Hi,

    I'd suggest, if the steps below don't help, removing the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 Standard) of Windows and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:

     

    Open ADUC and navigate to [Builtin > Users > properties > members] and make sure the following security groups are present.

     - Authenticated Users

     - Domain Users

     - Interactive

     

    Open ADSI Edit and navigate to

    [Domain Naming context > DC=<DomainNAme>, DC=<DomainNAme> > CN=Users > CN=Cert Publishers > properties > security]

    and give [Read] and [Write] permissions to the [Authenticated Users] group.

    Restart the CA.

     

     

    Check permissions on the CA:

    Open the [Certificate Authority] console, right click on [properties > Security] and add the following permissions:

     

    [Authenticated Users]

    [V] Request Certificates

     

    [Domain Admins]

    [V] Read

    [V] Issue and Manage Certificates

    [V] Manage CA

    [V] Request Certificates

     

    [Enterprise Admins]

    [V] Issue and Manage Certificates

    [V] Manage CA

     

    [Administrators]

    [V] Issue and Manage Certificates

    [V] Manage CA

    [V] Request Certificates

     

    [Domain Controllers]

    [V] Read

    [V] Issue and Manage Certificates

    [V] Manage CA

    [V] Request Certificates

     

    [Domain Computers]

    [V] Read

    [V] Request Certificates

     

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

     

    Best Regards,

    Spas Kaloferov




    Friday, October 21, 2011 6:41 PM
  • Before digging deep into the troubleshooting suggestions by Spas Kaloferov, please note that adding/publishing a template to an enterprise CA does not involve DCOM or certificate publisher settings and permissions.

    The minimum requirements are that the CA server has Read permission on the template itself and that the operating system of the CA server is either 2003 Ent Ed, 2008 Ent Ed or 2008 R2 Std Ed.

    /Hasain

    Friday, October 21, 2011 7:07 PM
  • Can you describe more about your setup? Is the CA installed on the same server as your DC or do you have different servers?

    /Hasain

    Friday, October 21, 2011 7:10 PM
  • Hi,

    What do these two options say:

    Certificate authority snap-in > CertificateAuthorityName > right click > properties:

    a) Certificate Managers

    b) Enrollment agents

    If enabled try setting them to "Do not restrict ..." and restart the CA.

     

    Will appreciate if you give feedback if this has helped you. If yes please select “Mark as answer”.

     

    Best Regards,

    Spas Kaloferov




    Friday, October 21, 2011 7:19 PM
  • Well, it's a test domain. I have it set up with one server (AD / ADCS / Exchange 2010); everything is on one server and no replication is involved. Setup is pretty much out of the box with next, next, next stuff. I can do the enroll on behalf of just fine for other users. I can get certs with the private key exported.

    All I need now is to try the EOBO manually, and for that it's suggested that you create a template.

    Friday, October 21, 2011 7:23 PM
  • Can you confirm the version of the CA server operating system is 2008R2 Enterprise Edition?

    Can you provide the output of the command: certutil -adtemplate

    Can you try to add/publish the template named "Workstation Authentication" to your CA?

    /Hasain

    Friday, October 21, 2011 7:39 PM
  • CA installed on Windows 2008 R2 Enterprise SP1.

    I do not see Workstation Authentication either on the enable template list.

    I see access denied, which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator.

    I am leaning towards bad configuration or wrong initial setup.

    ============================================

    C:\Users\Administrator>certutil -adtemplate
    Administrator: Administrator -- Auto-Enroll: Access is denied.
    CA: Root Certification Authority -- Auto-Enroll: Access is denied.
    CAExchange: CA Exchange -- Auto-Enroll: Access is denied.
    CEPEncryption: CEP Encryption -- Auto-Enroll: Access is denied.
    ClientAuth: Authenticated Session -- Auto-Enroll: Access is denied.
    CodeSigning: Code Signing -- Auto-Enroll: Access is denied.
    Copy of User: Copy of User -- Auto-Enroll
    Copy of Web Server: Copy of Web Server -- Auto-Enroll: Access is denied.
    CrossCA: Cross Certification Authority -- Auto-Enroll: Access is denied.
    CTLSigning: Trust List Signing -- Auto-Enroll: Access is denied.
    DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
    DomainController: Domain Controller -- Auto-Enroll: Access is denied.
    DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
    EFS: Basic EFS -- Auto-Enroll: Access is denied.
    EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
    EnrollmentAgent: Enrollment Agent -- Auto-Enroll: Access is denied.
    EnrollmentAgentOffline: Exchange Enrollment Agent (Offline request) -- Auto-Enroll: Access is denied.
    ExchangeUser: Exchange User -- Auto-Enroll: Access is denied.
    ExchangeUserSignature: Exchange Signature Only -- Auto-Enroll: Access is denied.
    IPSECIntermediateOffline: IPSec (Offline request) -- Auto-Enroll: Access is denied.
    IPSECIntermediateOnline: IPSec -- Auto-Enroll: Access is denied.
    KerberosAuthentication: Kerberos Authentication -- Auto-Enroll: Access is denied.
    KeyRecoveryAgent: Key Recovery Agent -- Auto-Enroll: Access is denied.
    Machine: Computer -- Auto-Enroll: Access is denied.
    MachineEnrollmentAgent: Enrollment Agent (Computer) -- Auto-Enroll: Access is denied.
    OCSPResponseSigning: OCSP Response Signing -- Auto-Enroll: Access is denied.
    OfflineRouter: Router (Offline request) -- Auto-Enroll: Access is denied.
    RASAndIASServer: RAS and IAS Server -- Auto-Enroll: Access is denied.
    SmartcardLogon: Smartcard Logon -- Auto-Enroll: Access is denied.
    SmartcardUser: Smartcard User -- Auto-Enroll: Access is denied.
    SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
    User: User -- Auto-Enroll: Access is denied.
    UserSignature: User Signature Only -- Auto-Enroll: Access is denied.
    WebServer: Web Server -- Auto-Enroll: Access is denied.
    Workstation: Workstation Authentication -- Auto-Enroll: Access is denied.
    CertUtil: -ADTemplate command completed successfully.

    ============================================

     

    Friday, October 21, 2011 7:55 PM
  • On Fri, 21 Oct 2011 19:55:33 +0000, EvilWasp wrote:

    I do not see Workstation Authentication either on the enable template list.

    I see access denied, which probably is not a good sign, so I made sure I am logged in as domain\administrator by logging off and logging back in with administrator.

    I am leaning towards bad configuration or wrong initial setup.

    ============================================

    C:\Users\Administrator>certutil -adtemplate

    Have you by any chance removed Authenticated Users Read permission from
    your certificate templates? If so, then you either need to add that back,
    or add READ for the CA's computer account to all of the templates.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    One person's error is another person's data.

    Friday, October 21, 2011 8:44 PM
  • Hi,

    Have you checked the above?

     

    Best Regards,

    Spas Kaloferov


    Saturday, October 22, 2011 9:32 PM
  • When I do properties I don't see any of them. I see the following tabs:-

    General - Policy Module - Exit Module - Extensions - Storage - Auditing - Security

    Let me know how I can check it.

    Monday, October 24, 2011 3:02 PM
  • Never moved Authenticated Users, just added AutoEnroll to it. Now the setting for Authenticated Users security is Read / Enroll / AutoEnroll.
    Monday, October 24, 2011 3:29 PM
  • I ran into the same problem recently on a CA that was migrated from 2008 R2 to 2012. I followed the Microsoft documentation to migrate to a new CA and everything worked up to the point where I tried to add the new template to the CA Templates folder. It just wouldn't show up in the list of templates to choose from. I tried lots of things and finally found that powershell worked. I used Add-CATemplate and provided the name of the template I had created and voila! No errors and no fuss. It now shows up in the list of CA Templates that can be used to issue certificates. I'm not sure where the CA Console is getting the list of templates for adding from, but powershell is apparently looking in the correct location. So, use powershell Add-CATemplate if you ever run into this issue.
    Thursday, July 31, 2014 2:31 AM
  • That's odd, as all tools have to look in Active Directory's configuration container for the list of available templates (Services / Public Key Services / Certificate Templates). To publish a template means to add its common name to the list of templates on the respective Enrollment Services object of that CA (Services / Public Key Services / Enrollment Services).

    The simplest explanation for a new template not showing up yet would be a delay in AD replication, with different tools (such as certtmpl.msc versus PowerShell) probably targeting different Domain Controllers.

    If this is persistent I would check the flags attribute of the Enrollment Services object (see e.g. this article, search for 'flags'). With migrations and upgrades done for earlier OS versions I had sometimes encountered that the target CA had a false attribute that effectively said it was not an Enterprise CA, and therefore no templates other than the v1 types were displayed.

    Elke

    Thursday, July 31, 2014 10:29 AM
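The things this thread ends up pointing at can all be read directly out of the AD configuration partition: Paul Adare's point that the CA (or Authenticated Users) must hold Read on the template object, the "missing a required signature policy attribute" status the OP saw (a signature count with no RA application policy), and Elke's note about the Enrollment Services object and its flags attribute. The PowerShell below is an added, read-only diagnostic written for this page, not code from anyone on the thread or from Microsoft; it assumes a domain-joined host, that the CA's computer account is in the caller's own domain, and that the name you pass is the CN of the CA's Enrollment Services object (the CA name certutil -CAInfo reports). The template name defaults to the thread's CopyOfUser.

```powershell
# Added diagnostic (not from this thread). For one CA and one template it reports:
#   - the template's schema version and RA-signature settings,
#   - which principals hold Read on the template (the CA must be one of them to offer it),
#   - what the CA's Enrollment Services object has actually published, and its flags attribute.
# Assumptions: domain-joined host; $CaName is the CN under CN=Enrollment Services;
# the CA's computer account lives in the caller's domain ($env:USERDOMAIN).
param(
    [Parameter(Mandatory=$true)] [string] $CaName,
    [string] $Template = 'CopyOfUser'      # template CN to inspect (the thread's example name)
)

function Get-CfgEntry([string] $Dn) {
    # Bind, then force a read so a bad DN fails here rather than at first property access.
    $e = [ADSI]"LDAP://$Dn"
    try { $null = $e.RefreshCache(); return $e }
    catch { throw "Cannot read $Dn : $($_.Exception.Message)" }
}
function Get-Prop($Entry, [string] $Name) { $Entry.Properties[$Name].Value }

$cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks = "CN=Public Key Services,CN=Services,$cfg"

# 1. The CA as Active Directory sees it (this is where every console reads the list from).
$es        = Get-CfgEntry "CN=$CaName,CN=Enrollment Services,$pks"
$caHost    = [string](Get-Prop $es 'dNSHostName')
$caAccount = "$env:USERDOMAIN\$($caHost.Split('.')[0])`$"
$published = @(Get-Prop $es 'certificateTemplates' | Where-Object { $null -ne $_ })
Write-Host "CA object  : $(Get-Prop $es 'distinguishedName')"
Write-Host "CA host    : $caHost  (computer account $caAccount)"
Write-Host "flags      : $(Get-Prop $es 'flags')"      # Elke: a wrong value here hides v2+ templates
Write-Host "published  : $(($published | Sort-Object) -join ', ')"

# 2. The template object itself.
$t        = Get-CfgEntry "CN=$Template,CN=Certificate Templates,$pks"
$schema   = Get-Prop $t 'msPKI-Template-Schema-Version'
$raSigs   = [int](Get-Prop $t 'msPKI-RA-Signature')
$raPolicy = @(Get-Prop $t 'msPKI-RA-Application-Policies' | Where-Object { $null -ne $_ })
Write-Host "`nTemplate   : $Template  (schema version $schema)"
Write-Host "RA sigs    : $raSigs   RA application policies: $(if ($raPolicy) { $raPolicy -join ', ' } else { '<none>' })"
if ($raSigs -gt 0 -and -not $raPolicy) {
    Write-Warning "Authorized signatures = $raSigs with no RA application policy: this is the 'missing a required signature policy attribute' status from the thread. Set the count to 0 or define the policy."
}
if ($published -contains $Template) { Write-Host "Already published on $CaName." }

# 3. Who can read the template? Any Allow ACE overlapping GenericRead counts as a read grant.
$readMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$rules    = $t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$readers  = @($rules |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.ActiveDirectoryRights) -band $readMask) } |
    ForEach-Object {
        $id = $_.IdentityReference          # translate SID to DOMAIN\name; keep the SID if it cannot be resolved
        try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value }
    } | Sort-Object -Unique)
Write-Host "Read ACEs  : $($readers -join ', ')"
$authUsers = 'NT AUTHORITY\Authenticated Users'
if (($readers -notcontains $authUsers) -and ($readers -notcontains $caAccount)) {
    Write-Warning "Neither '$authUsers' nor '$caAccount' holds Read on $Template, so the CA cannot list it for publishing (Paul Adare's point)."
}
```

The script changes nothing; if the template is missing from the `published` list but passes the Read and RA-signature checks, the remaining candidates are the CA type (certutil -CAInfo) and replication lag between the DC the console talks to and the one the CA talks to, as Elke describes.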