ADCS Installation (Part 5): How to publish certificate template after installing the Issuing CA with LoadDefaultTemplates=0

  • Question

  • Hello,
    I have installed ADCS on offline root CA and online issuing CA with LoadDefaultTemplates=0 in the CAPolicy.inf. Both servers are Windows Server 2008 R2.

    As a result, there are no default certificate templates on my issuing CA server.

    Can I publish some of the default certificate templates by using the following instruction?

    ****************************************************

    Publishing a Certificate Template

    The final task for publishing a certificate template is to select the template you want the CA to issue.

    To define which certificate templates are issued by a CA
    1. In Administrative Tools, click Certification Authority.

    2. In the console tree, expand CAName (where CAName is the name of your enterprise CA).

    3. In the console tree, select the Certificate Templates container.

    4. In the Enable Certificate Templates dialog box, select the certificate template or templates that you want the CA to issue, and then click OK.

    ****************************************************

    I will check this next week.

    Is there a setting with certutil options to re-enable all default certificate templates?
    Of course, I can use the following command to add one by one:
    certutil -SetCAtemplates +User
    certutil -SetCAtemplates +Machine
    ...

    May I assume those commands work on Windows Server 2008 R2?

    Thanks,

    SJJ123



    Saturday, January 23, 2010 1:11 AM

Answers

  • Be aware that standalone CAs don't use certificate templates, so these commands wouldn't work on a standalone CA.

    > Is there a setting with certutil options to re-enable all default certificate templates?

    No. You will need to manually re-enable all necessary templates.

    > May I assume those commands work on Windows Server 2008 R2?

    Yes. Command syntax hasn't changed since Windows Server 2003.
    http://www.sysadmins.lv
    • Marked as answer by SJJ123 Monday, January 25, 2010 9:42 AM
    Saturday, January 23, 2010 8:21 AM

All replies

  • Hi Vadims,
    Thank you very much.

    I have also checked the Certification Authority utility and I can see all default certificate templates which can be enabled.

    Therefore, I think both the Certification Authority utility and the command line should allow me to enable default certificate templates.

    Kind regards,

    SJJ123
    Monday, January 25, 2010 9:45 AM
  • hmm, you're right. Check it now:
    certutil -installdefaulttemplates

    http://www.sysadmins.lv
    Monday, January 25, 2010 9:49 AM
  • > hmm, you're right. Check it now:
    > certutil -installdefaulttemplates
    >
    > http://www.sysadmins.lv

    Sorry, but this will not accomplish what SJJ123 is trying to do. In his case, the default certificate templates are available in the Configuration naming context; he simply suppressed publishing the certificate templates that are normally published at an Enterprise CA.
    Certutil -installdefaulttemplates will create the Certificate Templates and/or OID containers in the Configuration naming context; it will not also publish the default certificate templates at an Enterprise CA.

    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, January 25, 2010 10:08 AM
  • I had never used this command. Looks like the only way is to publish them manually through the -setcatemplates parameter. :(
    http://www.sysadmins.lv
    Monday, January 25, 2010 10:52 AM
  • > I had never used this command. Looks like the only way is to publish them manually through the -setcatemplates parameter. :(

    Or, better yet, if one actually wants the default templates published in the first place, don't use the LoadDefaultTemplates=0 option.
    Paul Adare CTO IdentIT Inc. ILM MVP
    Monday, January 25, 2010 10:56 AM
  • Thanks, Paul.

    Of course, if I re-install my Certificate Services again, I will not use the LoadDefaultTemplates=0 option on my online issuing CA.

    I will use the Certification Authority utility to re-enable the default certificate templates.

    Regards,

    SJJ123
    Monday, January 25, 2010 12:39 PM
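
The thread settles on publishing templates one at a time with `certutil -SetCAtemplates`. As an added example (not code from any poster in this thread), the PowerShell script below publishes a chosen list of templates on an Enterprise CA and skips any that are already published. The `$wanted` list, the helper name `Get-PublishedTemplate`, and the assumed line format of `certutil -CATemplates` output are assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the Enterprise issuing CA itself (standalone CAs do not use templates).

# Templates to publish, by template name (not display name). 'User' and
# 'Machine' are the two named in the question; list only what the CA
# should actually issue.
$wanted = @('User', 'Machine')

function Get-PublishedTemplate {
    # Hypothetical helper. Assumption: 'certutil -CATemplates' prints one
    # 'Name: DisplayName -- ...' line per published template, followed by
    # a 'CertUtil: ...' status line.
    $out = & certutil.exe -CATemplates
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certutil -CATemplates returned exit code $LASTEXITCODE"
        return
    }
    foreach ($line in $out) {
        if ($line -match '^([^:\s]+):' -and $Matches[1] -ne 'CertUtil') {
            $Matches[1]
        }
    }
}

# Wrap in @() so an empty or single result is still an array.
$published = @(Get-PublishedTemplate)

foreach ($name in $wanted) {
    if ($published -contains $name) {
        Write-Host "$name is already published; skipping"
        continue
    }
    # Same command as in the question: '+' adds the template to the CA's list.
    & certutil.exe -SetCAtemplates "+$name"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Publishing $name failed (exit code $LASTEXITCODE)"
    }
}

# Show the resulting list so the change can be verified.
& certutil.exe -CATemplates
```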