Certificate Templates Folder Missing From Certification Authority Hierarchy

YeskeJA

We have a Windows Server 2012 R2 Certification Authority (CA) that was deployed last year (not by me), and I've noticed several issues with it. The primary issue that I've found is that the Certificate Templates folder is missing from the hierarchy on the Certification Authority MMC Snap-In. The dropdown for Certificate Template selection is also missing from the ADCS Web Enrollment, Advanced Certificate Request pages.

I've verified that it was deployed as an Enterprise CA (entry present in Sites/Services), and I have made allowances to access the CA server with an Enterprise Admin account (RBAC / Separation of Duties deployed to prevent EAs from logging into Member Servers was enabled).

CA Server

  • Revoked Certificates
  • Issued Certificates
  • Pending Requests
  • Failed Requests
  • (Certificate Templates) <- This folder is missing.


I'm able to access Certificate Templates via an MMC, but there is no option/task to 'Certificate Template To Issue', thus we can get to the 'Enable Certificate Templates' dialog. I am also able to generate a certificate using the command line (below); however, it doesn't appear to use all aspects of the template (it hashes as SHA-1 as opposed to SHA-256 or SHA-512 (or whatever is selected in the template) and doesn't include the extension / Enhanced Key Usage for Server Authentication). The CA server has been rebooted several times since the 'Company Web Server' template has been updated, so I'm not sure why it's not using the correctly defined signature hashing algorithms from the template.

certreq -submit -attrib "CertificateTemplate:Company Web Server" <Path To .req File> <Path To Place .cer File>

I was hoping somebody could point me in the right direction with regards to troubleshooting permissions.
