Certificate does not show up in the Certificate types box when submitting a Certificate Request via the wizard in 2003.

  • Question

  • I hope I can explain this. OK, on a Windows 2003 Server I am simply trying to request a web server certificate based on a copy I made of the default Web Server template with a few modifications. The new one is called Something Windows Web Server. So I open a Certificates MMC and go to Certificates (Local Computer) \ Personal \ Certificates and right-click All Tasks \ Request New Certificate. That launches the Certificate Request Wizard and I click Next, then the Certificate Types box shows up and my certificate type\template is missing from there. Is this a permissions issue or something else? I am logged in as a Domain Admin and Domain Admins have Read, Write, Enroll, and Autoenroll permission. And by the way, I do see two other certificate types/templates in that box that I created earlier last year, so I know I did it right at one point. Please help to get this template to show up, and yes, I did add it to the new template to issue.
    Thursday, February 23, 2012 10:01 PM

Answers

  • I would dare disagree. When you start the MMC console (although you select the Local Computer) on Windows 2003/XP - then the enrollment wizard connects to the authority under the logged-on user's identity, instead of the local computer account. This is in opposition to the behavior of Windows 2008/7, where the console enrolls under the local computer account (maybe more correctly).

    So granting the computer account Enroll would not solve the problem.

    I would bet it is just a matter of the Certificate Template Cache that does not refresh on the affected server. Just go into the registry and delete the following key under both the HKLM and HKCU registry hives:

    Software/Microsoft/Cryptography/Certificate Template Cache

    and try the wizard again.

    ondrej.

    • Marked as answer by Bruce-Liu Monday, March 5, 2012 7:31 AM
    Saturday, February 25, 2012 2:48 PM

All replies

  • Give the computer object where you are trying to run the certificate request from Read and Enrol permissions on your "Something Windows Web Server" certificate template. Here is an example: http://technet.microsoft.com/en-us/library/ee649249(v=ws.10).aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Thursday, February 23, 2012 10:32 PM
  • Also make sure that there is at least one CA that is able to issue the template. It is not enough to just create the template; you must open the CA MMC snap-in and select the "Templates" node. If your template is not on the right-hand side then that CA cannot issue that particular template. Right-click on the Templates node and choose the option to select a template to issue.

    Andrew

    Saturday, February 25, 2012 5:21 AM