No templates in Issuing CA Certificate Templates folder

  • Question

  • (Windows 2008 SP2 Server with CA role)

    Certificate Templates snap-in

    There's nothing there!

    -->Other than a cert with the red circle with a white X over the lower left hand corner. Intended Purpose "Unknown".

    How do I populate this?

    By duplicating the certs?

    Did that in "Manage" tab of the Cert Templates console.

    Nothing appears in the Templates folder (and of course, no one can request a cert via the IIS interface either).

    I configured Security for the template I duplicated as follows:

    Auth. Users have Read, Enroll and AutoEnroll.

    I've turned SSL requirements off and on in the course of my troubleshooting (and do not see the effect it could have on the presence of the cert templates).

    Enterprise version of W2K8


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.



    Wednesday, February 29, 2012 4:37 AM


All replies

  • Has this changed from Windows 2003 to Windows 2008?

    I would have *sworn* that with Windows 2003, you had about a half dozen common certificate templates available from the start: EFS, User, Web Server, etc.

    So with Windows 2008 there are NO certificate templates and you have to issue them manually?

    That's what I did after re-reading Brian Komar's PKI book, page 356.

    Now I have issued a couple certs that I can work with.

    The web server was able to request one.

    I'm going to research this a bit. I could be suffering from false memory syndrome or something, but I thought that with W2K3 CAs you had a couple of cert templates to "play" with right after installation of the CA and without additional user intervention.

    NOTE: I am talking about the Certificate Authority console, Certificate Templates subfolder.



    Thursday, March 1, 2012 2:48 PM
  • Here we go:

    http://i.technet.microsoft.com/dynimg/IC195872.gif

    This is what I recall from the W2K3 CA console. There were already some default certificate templates to work with, including... web server.




    Thursday, March 1, 2012 3:04 PM
  • Hi

    If you've specified LoadDefaultTemplates=0 in your capolicy.inf file prior to installing the CA (as per the book), then the certificate templates will NOT be enabled at the CA by default. They should be in AD OK & viewable via Certificate Templates mmc where you can duplicate and customise them prior to publishing. You can select to publish the default templates or just publish modified templates as you wish via the CA mmc.

    I've not installed a CA without LoadDefaultTemplates=0 so don't know the 2008 (R2) defaults, but as a best practice would suggest NEVER publishing by default - if auto enrollment is enabled anywhere in your domain GPOs then you could end up issuing certificates before you have finished configuring your CA!

    Cheers


    Douks

    • Proposed as answer by Douks Friday, March 2, 2012 9:15 PM
    • Marked as answer by David M (LePivert) Saturday, March 3, 2012 12:23 AM
    Friday, March 2, 2012 9:14 PM
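
Added example, not part of the thread or of any poster's reply: a pre-install check that reads a CAPolicy.inf and reports whether an Enterprise CA installed with it would publish the default templates, which is the behaviour the answer above describes. The sample file is constructed, the function names are hypothetical, and the code assumes that the setting is read only from the [certsrv_server] section and that an absent setting means setup publishes the default set.

```python
import re

# Constructed sample CAPolicy.inf (not from the thread). Setup reads this
# file from %SystemRoot% when the CA role is installed.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[certsrv_server]
RenewalKeyLength=2048   ; constructed value
loaddefaulttemplates = 0
"""

def parse_inf(text):
    """Parse INF text into {section: {key: value}}.

    Section and key names are lower-cased because INF lookups are
    case-insensitive. Simplified: ';' always starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections

def default_templates_published(text):
    """Return True if CA setup would publish the default templates.

    Assumption: only [certsrv_server] is consulted, so the key placed in
    any other section has no effect; an absent key means "publish".
    """
    value = parse_inf(text).get("certsrv_server", {}).get("loaddefaulttemplates")
    if value is None:
        return True
    if value.lower() in ("0", "false"):
        return False
    if value.lower() in ("1", "true"):
        return True
    raise ValueError(f"unrecognised LoadDefaultTemplates value: {value!r}")
```

The setting only takes effect at install time; on a CA that is already installed, `certutil -CATemplates` lists the templates it currently publishes.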
  • Yes, that's exactly what I have in my capolicy.inf file.

    When I briefly worked with certificate templates on a W2K3 CA years ago, I did not use the capolicy.inf file (only learned about it later when reading Brian Komar's PKI book). That probably explains the difference in behavior and my confusion upon observing the complete absence of any usable templates.

    Would be interesting to test with "1" and see what happens. But I can't right now.


    Saturday, March 3, 2012 12:22 AM