none
How come I can't renew a certificate via the MMC but it works in IIS? RRS feed

  • Question

  • On a Windows Server 2003 SP2 I am trying to renew a Web Server certificate from a copy of the default template.  When I try to renew it from the MMC Certificates snap in I get a permissions error but when I launch IIS Manager I can renew it using it.  In both cases I am logged on as a Domain Admin, and yes the Domain Admins have enroll (actually full permission) on this template.  Please explain.
    Wednesday, May 23, 2012 8:22 PM

Answers

  • On a Windows Server 2003 SP2 I am trying to renew a Web Server certificate from a copy of the default template.  When I try to renew it from the MMC Certificates snap in I get a permissions error but when I launch IIS Manager I can renew it using it.  In both cases I am logged on as a Domain Admin, and yes the Domain Admins have enroll (actually full permission) on this template.  Please explain.

    1) you can't use IIS manager to enroll/renew SSL certificate based on a custom template. Only default WebServer template is supported.

    2) for computer templates you MUST assign permissions (Read/Enroll) to..computer accounts!


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thursday, May 24, 2012 5:11 AM

All replies

  • What is the exact error that you see when you try to renew through mmc snap-in?
    Also, just to make sure: did you start the cert manager snap-in as an elevated user?

    Thanks,
    Andrew

    Wednesday, May 23, 2012 11:22 PM
  • On a Windows Server 2003 SP2 I am trying to renew a Web Server certificate from a copy of the default template.  When I try to renew it from the MMC Certificates snap in I get a permissions error but when I launch IIS Manager I can renew it using it.  In both cases I am logged on as a Domain Admin, and yes the Domain Admins have enroll (actually full permission) on this template.  Please explain.

    1) you can't use IIS manager to enroll/renew SSL certificate based on a custom template. Only default WebServer template is supported.

    2) for computer templates you MUST assign permissions (Read/Enroll) to..computer accounts!


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference: on TechNet wiki

    Thursday, May 24, 2012 5:11 AM
  • Hi,
     
    How are things going? I just want to check the status of the issue. If you have any update or concern, please feel free to let us know.
     
    Best Regards,
    Aiden

    Aiden Cao

    TechNet Community Support

    Friday, May 25, 2012 1:28 AM
    Moderator