New sub CA doesn't show published templates

  • Question

  • I have installed a new enterprise sub CA. There are two existing CAs there already. When I publish the templates that this CA should issue certificates from, they will not show on the client/server. I have tried different users and I have also removed the client certificate cache, so this is not the problem.

    There is also an enrollment web service policy installed in the AD. I am wondering if this has some influence on what is happening here. Should this be configured to allow templates to be published properly? You see, the only templates that are shown are some internal web server certificates.


    Wednesday, September 26, 2018 1:22 PM

Answers

  • Finally found the solution to this. The problem was that every server in the domain had information of the enrollment policy server through a GPO. I blocked inheritance on the particular OU where my member server was and everything worked. Instead of the policy "Domain Issuing CAs" I got the default Active Directory enrollment policy. Could then choose to enroll a certificate based on the wanted template from the new sub CA.

    What I have to do next is to set up an enrollment server (CES/CEP) for my new CA, because they are dedicated to a CA, meaning a CA can have several enrollment servers, but an enrollment server can only serve one CA. The attribute msPKI-Enrollment-Servers on the CA configures this.

    After that I have to add the enrollment server to the policy "Domain Issuing CAs" and unblock inheritance.


    • Marked as answer by ekspert68 Thursday, October 18, 2018 10:53 AM
    Thursday, October 18, 2018 10:53 AM
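The accepted answer comes down to two facts: the GPO pins every domain member to one enrollment policy server, and a CEP policy can only hand out templates from CAs that have a CES registered in msPKI-Enrollment-Servers. The following PowerShell script is an added example, not code from the thread or from Microsoft, that audits both sides on a member server. It assumes the RSAT ActiveDirectory module is installed and that the registry value names under the PolicyServers keys (URL, PolicyID, FriendlyName, AuthFlags) are the ones the "Certificate Enrollment Policy" GPO setting writes; the field layout inside each msPKI-Enrollment-Servers value is also an assumption based on the certutil -dump output in this thread.

```powershell
# Added example (not from the thread). Audit where a client's enrollment policy
# servers come from and which CAs actually have a CES registered in AD.

function Get-EnrollmentPolicyServerConfig {
    # The GPO-written hive (under ...\Policies\...) overrides the local hive:
    # when the policy hive has entries, the client ignores the local list.
    $hives = @(
        @{ Scope = 'Machine/GPO';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers' }
        @{ Scope = 'Machine/Local'; Path = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers' }
        @{ Scope = 'User/GPO';      Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers' }
        @{ Scope = 'User/Local';    Path = 'HKCU:\SOFTWARE\Microsoft\Cryptography\PolicyServers' }
    )
    foreach ($h in $hives) {
        if (-not (Test-Path $h.Path)) { continue }
        # Each subkey is one policy server entry (value names assumed: URL, PolicyID,
        # FriendlyName, AuthFlags; AuthFlags 2 = Kerberos, 4 = username/password, 8 = certificate).
        Get-ChildItem $h.Path | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Scope        = $h.Scope
                FriendlyName = $p.FriendlyName
                PolicyId     = $p.PolicyID
                Url          = $p.URL
                AuthFlags    = $p.AuthFlags
            }
        }
    }
}

function Get-CAEnrollmentServers {
    Import-Module ActiveDirectory -ErrorAction Stop
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties dNSHostName, 'msPKI-Enrollment-Servers' | ForEach-Object {
        $ces = @($_.'msPKI-Enrollment-Servers')
        # Assumed layout per value: newline-separated fields (priority, auth type,
        # renewal flag, CES URL, ...); only the URL line is needed here.
        $urls = foreach ($v in $ces) {
            ($v -split "`n") | Where-Object { $_ -match '^https?://' }
        }
        [pscustomobject]@{
            CA       = $_.Name
            Host     = $_.dNSHostName
            CESCount = $ces.Count
            CESUrls  = @($urls) -join '; '
        }
    }
}

Write-Host '== Enrollment policy servers configured on this host =='
Get-EnrollmentPolicyServerConfig | Format-Table -AutoSize

Write-Host '== Enrollment services (CAs) and their registered CES endpoints =='
$cas = Get-CAEnrollmentServers
$cas | Format-Table -AutoSize

# A CA with no CES is not returned by a CEP policy server, so its published
# templates never appear in the MMC while the GPO binds clients to that policy.
$cas | Where-Object { $_.CESCount -eq 0 } | ForEach-Object {
    Write-Warning "CA '$($_.CA)' has no CES registered; templates it publishes are invisible to CEP-bound clients."
}
```

Run it as an administrator on the member server that cannot see the templates: if the Machine/GPO scope lists a policy server and the new CA shows CESCount 0, the output reproduces the situation this thread describes without having to block GPO inheritance to find out.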

All replies

  • I have not been able to figure out this problem. The templates are not showing although both client and user have permissions on both the new sub CA and the templates.

    I can see only a handful of templates, and none of the new ones I have made. Is there something that should be published on the new CA to make this work? I am stumped.

    Monday, October 8, 2018 12:58 PM
  • What values did you use for the certificate templates under the 'Compatibility' tab? This will influence the certificate version and potentially prevent them from being offered.
    Monday, October 8, 2018 1:33 PM
  • There are a couple of things that aren't clear here.

    First of all, you make certificate templates available by publishing them on your Issuing CA. The templates are present in AD after installing ADCS. You see these in the CA MMC by clicking on Certificate Templates in the left pane. In the right pane you'll see the published templates for this CA. Right-click on Certificate Templates, click Manage to see all available templates. On Windows Server 2016, for example, you'd see about 35 templates there.

    The most critical part of this is making sure that proper permissions are assigned to the templates you publish.

    Where is the "client/server" supposed to be seeing the templates? CA Web Enrollment page? Certificates MMC enrollment? Try to provide a bit more detail.

    This all assumes many things in your setup of your PKI. . .

    -bill

    Monday, October 8, 2018 9:12 PM
  • The values for compatibility are set to CA - Windows 2012R2 and Certificate recipient Windows 8.1/2012R2.

    The Clients are Windows servers with 2016 OS. They are supposed to be seeing the templates in certificates MMC enrollment.

    The templates have all the correct permissions and the CA itself has been given the correct permissions for the accounts to retrieve certificates.

    I can also say that there are two enrollment policy servers in the AD and when going through the MMC to request certificates I get to choose this, nothing else. I have been wondering if this has something to do with it. I haven't dealt with policy servers before and I am thinking, OK, we have a policy server, now where do I configure the templates and CAs allowed in the policy for clients?

    I followed this link when troubleshooting. Although it is a bit old it is still valid. I get to query AD again with certutil -template and get the same handful of templates I see in the MMC.

    certutil -template 

    Name: ..... Issuing CAs
      Id: {............-A4F5-4268-B683-3DC024......}
      Url: https://CAwebserver1.domain.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
    7 Templates:

      Template[0]:
      TemplatePropCommonName = .....ApplianceServerCertificateEV
      TemplatePropFriendlyName = .....ApplianceServerCertificateEV

      Template[1]:
      TemplatePropCommonName = .....ComputerCertificate
      TemplatePropFriendlyName = .....ComputerCertificate

      Template[2]:
      TemplatePropCommonName = .....ConfigMgrClientDistributionPointCertificate
      TemplatePropFriendlyName = .....ConfigMgrClientDistributionPointCertificate

      Template[3]:
      TemplatePropCommonName = .....ScomGatewayCertificate
      TemplatePropFriendlyName = .....ScomGatewayCertificate

      Template[4]:
      TemplatePropCommonName = .....ServerCertificate
      TemplatePropFriendlyName = .....ServerCertificate

      Template[5]:
      TemplatePropCommonName = .....WebServerCertificate
      TemplatePropFriendlyName = .....WebServerCertificate

      Template[6]:
      TemplatePropCommonName = .....WebServerCertificateEV
      TemplatePropFriendlyName = .....WebServerCertificateEV
    CertUtil: -Template command completed successfully.

    The problem is that the article states that when there is a template that you don't have permission to enroll you will get "Access denied". Here you won't even see the template. That could of course be due to different versions.

    All the templates visible are on one of the old issuing CAs.

    A dump of the PKI reveals that CA03 doesn't have a web enrollment server configured.

    C:\Users\admuser>certutil -dump
    Entry 0:
      Name:                         `Domain Issuing CA01'
      Organizational Unit:          `'
      Organization:                 `'
      Locality:                     `'
      State:                        `'
      Country/region:               `'
      Config:                       `server1.domain.com\Domain Issuing CA01'
      Exchange Certificate:         `'
      Signature Certificate:        `'
      Description:                  `'
      Server:                       `server1.domain.com'
      Authority:                    `Domain Issuing CA01'
      Sanitized Name:               `Domain Issuing CA01'
      Short Name:                   `Domain Issuing CA01'
      Sanitized Short Name:         `Domain Issuing CA01'
      Flags:                        `1'
      Web Enrollment Servers:
    1
    2
    0
    https://CAwebserver1.domain.com/Domain%20Issuing%20CA01_CES_Kerberos/service.svc/CES
    0

    Entry 1:
      Name:                         `Domain Issuing CA02'
      Organizational Unit:          `'
      Organization:                 `'
      Locality:                     `'
      State:                        `'
      Country/region:               `'
      Config:                       `server2.domain.com\Domain Issuing CA02'
      Exchange Certificate:         `'
      Signature Certificate:        `'
      Description:                  `'
      Server:                       `server2.domain.com
      Authority:                    `Domain Issuing CA02'
      Sanitized Name:               `Domain Issuing CA02'
      Short Name:                   `Domain Issuing CA02'
      Sanitized Short Name:         `Domain Issuing CA02'
      Flags:                        `1'
      Web Enrollment Servers:
    1
    2
    0
    https://CAwebserver2.domain.com/Domain%20Issuing%20CA02_CES_Kerberos/service.svc/CES
    0

    Entry 2:
      Name:                         `Domain Issuing CA03'
      Organizational Unit:          `'
      Organization:                 `'
      Locality:                     `'
      State:                        `'
      Country/region:               `'
      Config:                       `server3.domain.com\Domain Issuing CA03'
      Exchange Certificate:         `'
      Signature Certificate:        `'
      Description:                  `'
      Server:                       `server3.domain.com
      Authority:                    `Domain Issuing CA03'
      Sanitized Name:               `Domain Issuing CA03'
      Short Name:                   `Domain Issuing CA03'
      Sanitized Short Name:         `Domain Issuing CA03'
      Flags:                        `1'
      Web Enrollment Servers:       `'
    CertUtil: -dump command completed successfully.

    • Edited by ekspert68 Wednesday, October 10, 2018 7:50 AM added info
    Tuesday, October 9, 2018 7:42 AM
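The two certutil listings in this reply show the gap directly: the policy returns seven templates, all from CA01 or CA02, and CA03 has no web enrollment server. The script below is an added example, not code from the thread or from Microsoft, that automates that comparison: it parses certutil -template output into the template names the policy offers, reads the templates each CA publishes from its pKIEnrollmentService object's certificateTemplates attribute, and reports per CA which published templates the policy never hands out. It assumes the RSAT ActiveDirectory module; the embedded sample is constructed to match the shape of the redacted output in the post, with made-up template names.

```powershell
# Added example (not from the thread). Compare the templates a policy server
# offers (certutil -template output) with the templates each CA publishes in AD.

function ConvertFrom-CertutilTemplateOutput {
    # Parses the text certutil -template prints; returns one object per template.
    param([Parameter(Mandatory)][string[]]$Lines)
    $policyName = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name:\s+(.+?)\s*$') { $policyName = $Matches[1]; continue }
        if ($line -match '^\s*TemplatePropCommonName\s*=\s*(\S+)') {
            [pscustomobject]@{ Policy = $policyName; Template = $Matches[1] }
        }
    }
}

function Get-CAPublishedTemplates {
    # certificateTemplates on each pKIEnrollmentService object is the list the CA
    # shows under "Certificate Templates" in the CA MMC.
    Import-Module ActiveDirectory -ErrorAction Stop
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKIEnrollmentService)' `
        -Properties certificateTemplates | ForEach-Object {
        foreach ($t in @($_.certificateTemplates)) {
            [pscustomobject]@{ CA = $_.Name; Template = $t }
        }
    }
}

function Compare-PolicyToPublished {
    # For every CA, list published templates that the policy does not offer.
    param(
        [Parameter(Mandatory)][object[]]$PolicyTemplates,
        [Parameter(Mandatory)][object[]]$Published
    )
    $offered = @($PolicyTemplates | ForEach-Object { $_.Template })
    foreach ($group in ($Published | Group-Object CA)) {
        $missing = @($group.Group | ForEach-Object { $_.Template } | Where-Object { $_ -notin $offered })
        [pscustomobject]@{
            CA             = $group.Name
            PublishedCount = $group.Count
            NotInPolicy    = $missing -join ', '
        }
    }
}

# Constructed sample in the shape of the post's redacted certutil -template output.
$sample = @'
Name: Domain Issuing CAs
  Id: {00000000-0000-0000-0000-000000000000}
  Url: https://CAwebserver1.domain.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP
2 Templates:

  Template[0]:
  TemplatePropCommonName = ExampleComputerCertificate
  TemplatePropFriendlyName = ExampleComputerCertificate

  Template[1]:
  TemplatePropCommonName = ExampleWebServerCertificate
  TemplatePropFriendlyName = ExampleWebServerCertificate
CertUtil: -Template command completed successfully.
'@ -split "`r?`n"

$fromPolicy = ConvertFrom-CertutilTemplateOutput -Lines $sample
# Live run on the affected client instead of the sample:
# $fromPolicy = ConvertFrom-CertutilTemplateOutput -Lines (certutil -template)

$published = Get-CAPublishedTemplates
Compare-PolicyToPublished -PolicyTemplates $fromPolicy -Published $published | Format-Table -AutoSize
```

In the situation described here, the row for the new sub CA would list every one of its published templates under NotInPolicy, while CA01 and CA02 would show an empty column, which points at the policy server rather than at template permissions or the Compatibility tab.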