Windows Server 2012 R2 cannot issue new certificate template

  • Question

  • I have a Windows Server 2012 R2 server that is in a domain, and is the root certificate authority.

    I have duplicated the web server template, without changing any permissions, and attempted to issue the cert to the CA by using:

    click on Action > New > Certificate Template to issue

    The template does not show in the Enable Certificate Templates dialog box.

    I have forced replication between my two domain controllers, and have also allowed 48 hours for AD to replicate with/without a forced replication.

    Still no luck.

    Has anyone run into this before?

    Wednesday, June 25, 2014 5:44 PM


All replies

  • 1) Does the template show up when you do:

    certutil -adtemplate

    2) What permissions are on the template? Do Authenticated Users have Read permissions?


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, June 25, 2014 6:49 PM
  • Yes, it shows

    TCCWebCert: TCC  Web Cert -- Auto-Enroll: Access is denied.

    Authenticated users: Read

    Myself: Read, Write, Enroll (Added as a troubleshooting measure)

    Server it will be installed on: Read, Enroll

    Domain admins, Read, Write, Enroll

    Domain Controllers, Read, Enroll (Added as a troubleshooting measure)

    Enterprise Admins: Read, Write, Enroll

    It is also a duplicate of the Web Server template.


    • Edited by netlander Wednesday, June 25, 2014 7:01 PM
    Wednesday, June 25, 2014 7:01 PM
  • Did you happen to run that on the CA itself or another computer? I'd like to verify that the CA can see AD replication properly.

    Also, take a look at the flags attribute on the Enrollment Services object under CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domainname>; the value should be 10 for an Enterprise CA.

    Lastly, have you tried duplicating another template and testing to see if that replicates?


    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    • Proposed as answer by Mark B. Cooper Wednesday, June 25, 2014 7:27 PM
    • Marked as answer by netlander Wednesday, June 25, 2014 7:36 PM
    Wednesday, June 25, 2014 7:05 PM
  • The Flags attribute is 2

    Yes, tried duplicating another template and no luck, however this problem seems to be recent. I had duplicated templates before, about 6 months ago, with no issue.

    Wednesday, June 25, 2014 7:15 PM
  • The flag should be a 10. Was this CA upgraded from a previous OS? Change the value to 10 and restart ADCS.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    • Marked as answer by netlander Wednesday, June 25, 2014 7:36 PM
    Wednesday, June 25, 2014 7:18 PM
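    The check and fix described in the two replies above, written out as an added PowerShell example (this is the editor's code, not Mark's or Microsoft's). It reads the `flags` attribute of every pKIEnrollmentService object under CN=Enrollment Services in the Configuration partition, reports whether it equals the value 10 the thread gives for an Enterprise CA, and can set it to 10 and restart the certsvc service. It assumes the ActiveDirectory RSAT module is installed, that you hold rights to write the Configuration partition (Enterprise Admins in practice), and that the repair function is run on the CA host itself if you want the service restart to apply. The CA name in the usage line is a placeholder; the bit names given in the comments are my reading of certca.h, not something the thread states.

    ```powershell
    # Added example, not from the thread: audit (and optionally repair) the
    # 'flags' attribute on pKIEnrollmentService objects. The thread states an
    # Enterprise CA should carry flags = 10; the broken CA had flags = 2.
    # Assumed bit meanings (from certca.h, my reading, not stated in the thread):
    #   0x02 CA_FLAG_SUPPORTS_NT_AUTHENTICATION
    #   0x08 CA_FLAG_CA_SERVERTYPE_ADVANCED   (marks an Enterprise CA)
    #   10 = 0x0A = both bits set; 2 lacks the Enterprise bit.
    Import-Module ActiveDirectory

    $ExpectedEnterpriseCaFlags = 10

    function Get-EnrollmentServiceFlags {
        # Locate the Enrollment Services container from the forest's Configuration NC.
        $configNc = (Get-ADRootDSE).configurationNamingContext
        $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

        Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
            -Properties flags, dNSHostName |
        ForEach-Object {
            [pscustomobject]@{
                CAName            = $_.Name
                Host              = $_.dNSHostName
                Flags             = [int]$_.flags
                IsExpected        = ([int]$_.flags -eq $ExpectedEnterpriseCaFlags)
                DistinguishedName = $_.DistinguishedName
            }
        }
    }

    function Repair-EnrollmentServiceFlags {
        [CmdletBinding(SupportsShouldProcess = $true)]
        param(
            [Parameter(Mandatory)] [string] $CAName,
            [switch] $RestartCertSvc
        )
        $ca = Get-EnrollmentServiceFlags | Where-Object CAName -eq $CAName
        if (-not $ca) { throw "No pKIEnrollmentService object named '$CAName' found." }
        if ($ca.IsExpected) {
            Write-Host "flags is already $ExpectedEnterpriseCaFlags on $CAName; nothing to do."
            return
        }

        # Print the old value first so the change can be reverted if needed.
        Write-Host ("{0}: flags {1} -> {2}" -f $CAName, $ca.Flags, $ExpectedEnterpriseCaFlags)
        if ($PSCmdlet.ShouldProcess($ca.DistinguishedName, "Set flags=$ExpectedEnterpriseCaFlags")) {
            Set-ADObject -Identity $ca.DistinguishedName -Replace @{ flags = $ExpectedEnterpriseCaFlags }
            if ($RestartCertSvc) {
                # As the reply says: restart ADCS after changing the value. Run on the CA host.
                Restart-Service -Name certsvc
            }
        }
    }

    # Usage: audit first, then repair one CA. 'TCC-ROOT-CA' is a placeholder name.
    Get-EnrollmentServiceFlags | Format-Table CAName, Host, Flags, IsExpected
    # Repair-EnrollmentServiceFlags -CAName 'TCC-ROOT-CA' -RestartCertSvc -WhatIf
    ```

    Run the audit against a domain controller the CA actually talks to, since the thread's first question is whether the CA sees the replicated values; if the CA's own DC still shows the old value after the write, wait for replication (or force it) before restarting certsvc, and then confirm the template appears in the Certificate Templates to Issue dialog.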
  • The OS was originally 2012, but upgraded to 2012 R2, I believe, before we duplicated the other templates.
    Wednesday, June 25, 2014 7:22 PM
  • Can you see any other V2 or higher templates in the template picker on the CA? This would be something like Domain Controller Authentication or OCSP Response Signing. If not, then it's not a template-specific issue and the flag is set incorrectly.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, June 25, 2014 7:25 PM
  • That fixed it, I'm going to take a guess you've run into that before.

    Also, for full disclosure, the VM had crashed, and we had to restore the CA from a backup (installed the OS, then restored the CA from the CA backup). That was months ago, sorry I didn't mention that before.

    Wednesday, June 25, 2014 7:26 PM
  • It's a known issue that we saw when I was at Microsoft, so it's been around for quite a while and happens in various situations, since Server 2008. So you are not alone.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

    Wednesday, June 25, 2014 7:27 PM
  • Yes, I can see both of them, plus about 10 or so other higher level templates.
    Wednesday, June 25, 2014 7:30 PM
  • Thanks!!!!!!!
    Wednesday, June 25, 2014 7:36 PM