Standalone CA

    Question

  • Hi,

    The problem is as follows:


    Background:

    I already have a 2003 (Ent. OS) based CA which is my Root Enterprise CA.

    I want to do a POC of a security product on my production domain, for which I need to issue certificates on the template 'IP Sec (Offline Request)'. But this security product uses network enrollment, so the CA for it has to be 2008 (on Enterprise OS). Also it's clearly mentioned that the CA for this security product has to be a ROOT CA (SUB won't work).

    And I can't upgrade the OS of my existing 2003 CA to 2008 due to some limitations.

    Also I don't want to build another parallel Root Enterprise CA (on 2008, as required) as:

    - I heard it's not recommended to have multiple Enterprise Root CAs

    - Decommissioning of Enterprise CA (after POC) would be too cumbersome

    This is what I did:

    I created a new standalone ROOT CA server (on fresh Enterprise OS-2008 R2).

    With this CA, when I am trying to request a certificate I don't get the option to request on template "IP SEC (Offline request)".

    Following the AD Enrollment Policy, it says: "The requested certificate template is not supported by this CA. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted"

    (After checking "Show all Templates")

    Question:

    I can do:

    "New -> Certificate Template to Issue" on my 2003 Enterprise Root CA.

    Is there any way to get this option on my new Standalone 2008 Certificate Authority?

    Or any other option? If not, shall I consider building a parallel new 2008 Enterprise CA? What harm can it do to my existing applications running with certs from this 2003 CA?


    Any help with this matter would be highly appreciated. Thanks!

    Monday, May 30, 2011 4:34 PM

Answers

  • Hi Manish,


    A standalone CA cannot use templates. You need an enterprise CA for using templates.


    Kind regards,

    oblabla

    • Marked as answer by Manish Malik Tuesday, May 31, 2011 9:41 AM
    Tuesday, May 31, 2011 7:36 AM
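    A quick way to confirm the answer above on a given CA host, as an added example that is not part of this thread or of any Microsoft documentation: read the CAType value AD CS stores in the registry to tell a standalone CA from an enterprise CA, list the templates only when the CA is an enterprise CA, and otherwise show the template-free request path a standalone CA does support. It assumes it runs on the CA server itself with certutil.exe and certreq.exe available; the subject name and file paths are placeholders.

```powershell
# Added example, not from this thread: decide whether the local CA is a
# standalone or an enterprise CA, because only an enterprise CA can issue
# on certificate templates such as "IPSEC (Offline request)".
# Assumes it runs on the CA host itself (AD CS installed, certutil.exe on PATH).

function Get-LocalCaType {
    # The active CA name and its CAType value live under the CertSvc configuration key.
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $caType = (Get-ItemProperty -Path "$cfg\$caName" -Name CAType).CAType

    # CAType values as used by AD CS (0 = enterprise root, 1 = enterprise sub,
    # 3 = standalone root, 4 = standalone sub).
    $names = @{
        0 = 'Enterprise Root CA'
        1 = 'Enterprise Subordinate CA'
        3 = 'Standalone Root CA'
        4 = 'Standalone Subordinate CA'
    }
    New-Object PSObject -Property @{
        Name          = $caName
        CAType        = $caType
        Description   = $( if ($names.ContainsKey($caType)) { $names[$caType] } else { "Unknown ($caType)" } )
        UsesTemplates = ((0, 1) -contains $caType)
    }
}

$ca = Get-LocalCaType
$ca | Format-List Name, CAType, Description, UsesTemplates

if ($ca.UsesTemplates) {
    # Enterprise CA: list the templates this CA is currently configured to issue.
    # A template missing here is added with "New -> Certificate Template to Issue"
    # in the CA console, or from the command line with
    #   certutil -SetCATemplates +IPSECIntermediateOffline
    # (IPSECIntermediateOffline is the template name behind "IPSec (Offline request)").
    certutil -CATemplates
}
else {
    # Standalone CA: there is no template list to add to, so the enrollment error
    # "The requested certificate template is not supported by this CA" is expected.
    # Requests must carry their own extensions. This minimal certreq INF (constructed
    # here as an illustration) asks for the IP security IKE intermediate EKU
    # (1.3.6.1.5.5.8.2.2), the EKU the IPSec (Offline request) template carries;
    # confirm against the product's own requirements before relying on it.
    $inf = @'
[NewRequest]
Subject = "CN=ipsec-host.example.local"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.8.2.2
'@
    $infPath = Join-Path $env:TEMP 'ipsec.inf'
    $reqPath = Join-Path $env:TEMP 'ipsec.req'
    Set-Content -Path $infPath -Value $inf

    Write-Host "Standalone CA: no templates. Submit a request with explicit extensions, e.g.:"
    Write-Host "  certreq -new $infPath $reqPath"
    Write-Host "  certreq -submit -config `"$env:COMPUTERNAME\$($ca.Name)`" $reqPath"
    Write-Host "Then approve the pending request on the CA (certutil -resubmit <RequestId>)"
    Write-Host "and install the issued certificate with certreq -accept."
}
```

    On the 2008 R2 standalone root from the question the script reports CAType 3 and takes the second branch, which is the point of the answer: the template is not missing from the CA, the CA simply has no template store, and the only ways to get template-based issuance are an enterprise CA (the migration Rick suggests) or a request that spells out its extensions itself.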

All replies

  • Hi Manish,

    Thank you for your post.

    I understand you need a 2008 IPSec CA template to do a POC in your domain.

    I suggest you migrate the CA from Windows 2003 to Windows 2008. It keeps your CA architecture and meets your POC requirement.
    Here is the Active Directory Certificate Services Migration Guide, which should be useful to you.

    If there is any update on this issue, please feel free to let us know.


    Regards,
    Rick Tan
    Tuesday, May 31, 2011 4:21 AM
    Moderator
  • Thanks for your reply Rick.

    I just wanted to confirm: is that a limitation of a standalone root CA, that I am not able to add a template (IPSEC - Offline) to it?

    Thanks!

    Regards,

    Manish Malik

    Tuesday, May 31, 2011 6:19 AM
  • Thanks, I'll go with the upgrade.
    Tuesday, May 31, 2011 9:41 AM