The problem is as follows:
I already have a 2003 (Ent. OS) based CA which is my Root Enterprise CA.
I want to do a POC of a security product on my production domain, for which I need to issue certificates on the template 'IP Sec (Offline Request)'. But this security product uses network enrollment, so the CA for it has to be 2008 (on Enterprise OS). Also, it's clearly mentioned that the CA for this security product has to be a ROOT CA (SUB won't work).
And I can't upgrade OS of my existing 2003 CA to 2008 due to some limitations.
Also, I don't want to build another parallel Root Enterprise CA (on 2008, as per the requirement) because:
- I heard it's not recommended to have multiple Enterprise Root CAs
- Decommissioning of Enterprise CA (after POC) would be too cumbersome
This is what I did:
I created a new standalone ROOT CA server (on fresh Enterprise OS-2008 R2).
With this CA, when I try to request a certificate, I don't get the option to request on the template "IP SEC (Offline request)".
Following AD Enrollment Policy, it says: "The requested certificate template is not supported by this CA. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted"
(After checking "Show all Templates")
I can do:
"New->Certificate Template to Issue" on my 2003 Enterprise Root CA.
Is there any way to get this option on my new Standalone 2008 Certificate Authority?
Or any other option? If not, shall I consider building a parallel new 2008 Enterprise CA? What harm can it do to my existing applications running with this 2003 CA's certs?
Any help with this matter would be highly appreciated. Thanks!
Thank you for your post.
I understand you need the 2008 IPSec CA template to do a POC in your domain.
I suggest you migrate the CA from Windows 2003 to Windows 2008. It keeps your CA architecture and meets your POC requirement.
Here is the Active Directory Certificate Services Migration Guide, which should be useful to you.
If there is any update on this issue, please feel free to let us know.