Windows 2008 Core Server - CA, how to set permissions on templates

  • Question

  • Using certutil, how do I set permissions on templates?

    If I do a certutil -v -catemplates, all the templates show access denied. This is a subCA but I cannot renew its cert.

    Wednesday, January 23, 2013 11:22 AM

Answers

All replies

  • You can install ADCS RSAT on any other machine and use the Certificate Templates (certtmpl.msc) MMC snap-in to modify template permissions.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    • Proposed as answer by Vadims Podans MVP Wednesday, January 23, 2013 12:17 PM
    • Marked as answer by 朱鸿文 Wednesday, January 30, 2013 4:57 AM
    Wednesday, January 23, 2013 12:17 PM
  • Using certutil, how do I set permissions on templates?

    If I do a certutil -v -catemplates, all the templates show access denied. This is a subCA but I cannot renew its cert.

    I see Vadims says to use the GUI - how do you achieve this using PowerShell or using another console utility?

    Thomas Lee <DoctorDNS@Gmail.Com>

    Wednesday, February 27, 2013 9:35 AM
  • I'm not aware of built-in console tools. But you can try to use the PowerShell PKI module: http://pspki.codeplex.com/wikipage?title=Get-CertificateTemplateAcl


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, February 27, 2013 11:51 AM
  • That's a nice module, but I need to do this with a vanilla installation of Server - no 3rd party tools. :-(

    I have been trying to decode Get-CertificateTemplateACL but haven't gotten very far. I've found the cert template in the DC, but can't quite work out programmatically how to change the ACL. :-(


    Thomas Lee <DoctorDNS@Gmail.Com>

    Wednesday, February 27, 2013 11:53 AM
  • Just dump the Get/Add/Remove/Set-CertificateTemplateAcl files and you will find how it works. There are no other ways, afaik, and in most cases it is not necessary, because certificate template adjustment should be a separate step of PKI provisioning and I don't see any reason why you can't use the MMC UI.

    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.

    Wednesday, February 27, 2013 12:07 PM
  • I concur with Vadims.

    Once you have your design done, you never go back to reset certificate template permissions.

    Use a strategy of assigning Read, Enroll (and sometimes Autoenroll) permissions to a custom universal group (per template).

    Create one or more global groups (typically one per domain) and make them members of the universal group.

    Just populate the global group with PowerShell when a new member is required.

    Brian

    Wednesday, February 27, 2013 1:53 PM
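The thread never shows the "no 3rd party tools" approach Thomas asked about. The following is an added example, not code from any poster in this thread or from the PSPKI module: it grants the Read and Enroll permissions Brian describes to a universal group on one template using only what a vanilla Windows install provides (PowerShell plus the ADSI/.NET DirectoryServices classes). The template name, the group name and the domain prefix are placeholders; the two extended-right GUIDs are the well-known schema values for Certificate-Enrollment and Certificate-AutoEnrollment. Run it as a member of Enterprise Admins (or another principal with write access to the template object), since templates live in the forest-wide Configuration partition.

```powershell
# Added example (not from the thread): set template permissions with built-in tools only.
# Placeholders: replace the template CN, the group and the domain with your own values.
$templateName = 'WebServerCustom'              # placeholder: CN of the template in AD
$groupAccount = 'CONTOSO\PKI-WebServer-Enroll' # placeholder: universal group, DOMAIN\Name

# Well-known extended-right GUIDs used by certificate templates (from the AD schema)
$enrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55' # Certificate-Enrollment
$autoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2' # Certificate-AutoEnrollment

# Templates are stored in the Configuration naming context of the forest.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext
$template = [ADSI]("LDAP://CN=$templateName,CN=Certificate Templates," +
                   "CN=Public Key Services,CN=Services,$configNC")

# Resolve the group to a SID so the ACE does not depend on the display name.
$sid = (New-Object System.Security.Principal.NTAccount($groupAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

function New-TemplateAce {
    # Builds an Allow ACE; $Right is GenericRead for "Read" or ExtendedRight for Enroll/Autoenroll.
    param($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Right, [Guid]$ObjectType)
    if ($ObjectType) {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Right, [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType)
    } else {
        New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Right, [System.Security.AccessControl.AccessControlType]::Allow)
    }
}

# Read + Enroll, which is what a manual enrolment needs. Add the autoenroll ACE
# only for templates that are actually meant to autoenroll.
$acl = $template.psbase.ObjectSecurity
$acl.AddAccessRule((New-TemplateAce $sid GenericRead))
$acl.AddAccessRule((New-TemplateAce $sid ExtendedRight $enrollRight))
# $acl.AddAccessRule((New-TemplateAce $sid ExtendedRight $autoEnrollRight))
$template.psbase.CommitChanges()

# Verify what is now on the template for this group. ObjectType shows which
# extended right each ACE carries (all zeros = a plain Read ACE).
$template.psbase.ObjectSecurity.Access |
    Where-Object { $_.IdentityReference -eq $groupAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
```

The change is written to the Configuration partition, so it only becomes visible to the CA once it has replicated to the domain controller the CA talks to and the CA has refreshed its template cache; if certutil -v -catemplates still reports access denied immediately afterwards, check replication before assuming the ACE is wrong. Keeping the ACE on the template pointed at a single universal group, as Brian suggests, means day-to-day changes happen with Add-ADGroupMember on the global groups and the template's ACL itself is rarely touched, which also makes any unexpected edit to that ACL easy to spot in change auditing.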