none
Viewing assigned certificate templates to a CA by using certutil command... RRS feed

  • Question

  • Hi all;

     

    When I execute the certutil –catemplates > templates.txt command, the following output appears in the template.txt file:

     

    DirectoryEmailReplication: Directory Email Replication -- Auto-Enroll: Access is denied.
    DomainControllerAuthentication: Domain Controller Authentication -- Auto-Enroll: Access is denied.
    EFSRecovery: EFS Recovery Agent -- Auto-Enroll: Access is denied.
    EFS: Basic EFS -- Auto-Enroll: Access is denied.
    DomainController: Domain Controller -- Auto-Enroll: Access is denied.
    WebServer: Web Server -- Auto-Enroll: Access is denied.
    Machine: Computer -- Auto-Enroll: Access is denied.
    User: User -- Auto-Enroll: Access is denied.
    SubCA: Subordinate Certification Authority -- Auto-Enroll: Access is denied.
    Administrator: Administrator -- Auto-Enroll: Access is denied.
    CertUtil: -CATemplates command completed successfully.

    Can anyone tell me what Auto-Enroll: Access is denied.   means?

     

    Thanks

     

     

    Monday, January 10, 2011 7:18 PM

Answers

  • this means that you (your user account) is not allowed to auto-enroll certificates based on certain template. If there is user template (intended for users, not computers) and your user account or the group has Read Enroll and Autoenroll permissions, Access Denied will disappear.
    http://en-us.sysadmins.lv
    • Marked as answer by R.Alikhani Tuesday, January 11, 2011 4:47 AM
    Monday, January 10, 2011 7:29 PM

All replies

  • this means that you (your user account) is not allowed to auto-enroll certificates based on certain template. If there is user template (intended for users, not computers) and your user account or the group has Read Enroll and Autoenroll permissions, Access Denied will disappear.
    http://en-us.sysadmins.lv
    • Marked as answer by R.Alikhani Tuesday, January 11, 2011 4:47 AM
    Monday, January 10, 2011 7:29 PM
  • I'm having the same problem and my user is a member of Enterprise and Domain admins. Any suggestions? Windows 2008 R2.
    Wednesday, May 20, 2015 2:31 PM
  • It is not a problem at all. All the command does is list the available templates at the CA.

    I typically ignore the permissions report.

    Other reasons for the error,

    - the account you are logged in is not a computer (the template is for computers)

    - Not autoenroll permissions are assigned on the template

    - The template requires CA Certificate manager approval

    Brian

    Thursday, May 21, 2015 2:17 AM