Templates not showing in Web enrollment

G

Gunna

I have a problem where I seem to add a template into the Certificate
Templates folder on my Root CA but it doesnt show up on the web enrollment
server. I have a theory that this might be becuase the Root CA is an
Enterprise CA and the issuing server running web enrollment is a standalone
CA. Setup this way for "security" reasons and i was lucky to inherit. Is
this the reason? if so how do i get those templates copied over to the web
enrollment server?
 
B

Brian Komar \(MVP\)

If you are connecting to the issuing CA, then the Web Enrollment will only
show the certificates available at *that* CA.
A standalone CA does not use certificate templates, hence you do not see any
when you connect.
On a different front, your CA infrastructure is pretty screwed up.
Traditionally, the root would be an offline CA (based on a standalone CA).
The issuing CA would be a subordinate enterprise CA.
Brian

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:0D57522A-AD34-407E-92C4-7A70D5185BA6@microsoft.com...
>I have a problem where I seem to add a template into the Certificate
> Templates folder on my Root CA but it doesnt show up on the web enrollment
> server. I have a theory that this might be becuase the Root CA is an
> Enterprise CA and the issuing server running web enrollment is a
> standalone
> CA. Setup this way for "security" reasons and i was lucky to inherit. Is
> this the reason? if so how do i get those templates copied over to the
> web
> enrollment server?
 
G

Gunna

Brian,

Thanks for the reply. yes your are right it is screwed up. But I must
correct myself. Like I said I inherited it and was told thats how it is.
However after digging out some doco I found that the Root CA is a standalone
after all. Is there a way I can look at the console and tell this or not?

Further to that I found that the CA running web enrollment is an Enterprise
and as a result you can see the Certificates tempates in the MMC. The
problem is when I add a new template to publish it just doesnt appear in the
Web enrollment form.
 
G

Gunna

Hold the phone Brian,

I just tried something and got a strange result. Here are the templates I
have in the MMC:
Web Server
Web Server Certificate
SSL Certificate
RAS and IAS Server
EFS Recovery Agent
Subordinate Certification Authority

Now if I go into Webenrollment and click Request a Certificate it goes
straight into the "Advanced Certificate Request" page where I can:
Create and Submit and request
Submit a certificate request by using base-64- blah blah
Request a certificate for a smart card blah blah

I click the "Create and Submit and request" and the only template option I
have is the SSL Certificate. Now If I add a new template like a Basic EFS
then Basic EFS and SSL are now available.

If I go to "Submit a certificate request by using base-64- blah blah" again
only SSL and Basic EFS are availabel templates

Why aren't the others available?


"Gunna" wrote:

> Brian,
>
> Thanks for the reply. yes your are right it is screwed up. But I must
> correct myself. Like I said I inherited it and was told thats how it is.
> However after digging out some doco I found that the Root CA is a standalone
> after all. Is there a way I can look at the console and tell this or not?
>
> Further to that I found that the CA running web enrollment is an Enterprise
> and as a result you can see the Certificates tempates in the MMC. The
> problem is when I add a new template to publish it just doesnt appear in the
> Web enrollment form.
>
>
 
B

Brian Komar \(MVP\)

The other certificates are for computer certificates, and will not appear in
the Web form
When you request from the Web portal, the request is performed in the user's
context, not the computer's.
The only certificates that will appear are the certificates intended for
users or certificates where the subject name is provided in the request
(requiring user intervention)
So the RAS and IAS Server and SubCA certificates would require using the
Certificates MMC console focused on the local machine to request the
certificates

Brian

"Gunna" <Gunna@discussions.microsoft.com> wrote in message
news:FABFC48C-2490-4BC5-8FFE-6BA08BC4DE33@microsoft.com...
> Hold the phone Brian,
>
> I just tried something and got a strange result. Here are the templates I
> have in the MMC:
> Web Server
> Web Server Certificate
> SSL Certificate
> RAS and IAS Server
> EFS Recovery Agent
> Subordinate Certification Authority
>
> Now if I go into Webenrollment and click Request a Certificate it goes
> straight into the "Advanced Certificate Request" page where I can:
> Create and Submit and request
> Submit a certificate request by using base-64- blah blah
> Request a certificate for a smart card blah blah
>
> I click the "Create and Submit and request" and the only template option I
> have is the SSL Certificate. Now If I add a new template like a Basic EFS
> then Basic EFS and SSL are now available.
>
> If I go to "Submit a certificate request by using base-64- blah blah"
> again
> only SSL and Basic EFS are availabel templates
>
> Why aren't the others available?
>
>
> "Gunna" wrote:
>
>> Brian,
>>
>> Thanks for the reply. yes your are right it is screwed up. But I must
>> correct myself. Like I said I inherited it and was told thats how it is.
>> However after digging out some doco I found that the Root CA is a
>> standalone
>> after all. Is there a way I can look at the console and tell this or
>> not?
>>
>> Further to that I found that the CA running web enrollment is an
>> Enterprise
>> and as a result you can see the Certificates tempates in the MMC. The
>> problem is when I add a new template to publish it just doesnt appear in
>> the
>> Web enrollment form.
>>
>>
 
G

Gunna

Brian,

Makes sense thanks. Whats the best way to determine if a cert is for a user
or computer? Also do you know if there is a spot i can look to see if a CA
is a Standalone or a Enterprise CA?

Thanks.



"Brian Komar (MVP)" wrote:

> The other certificates are for computer certificates, and will not appear in
> the Web form
> When you request from the Web portal, the request is performed in the user's
> context, not the computer's.
> The only certificates that will appear are the certificates intended for
> users or certificates where the subject name is provided in the request
> (requiring user intervention)
> So the RAS and IAS Server and SubCA certificates would require using the
> Certificates MMC console focused on the local machine to request the
> certificates
>
> Brian
>
> "Gunna" <Gunna@discussions.microsoft.com> wrote in message
> news:FABFC48C-2490-4BC5-8FFE-6BA08BC4DE33@microsoft.com...
> > Hold the phone Brian,
> >
> > I just tried something and got a strange result. Here are the templates I
> > have in the MMC:
> > Web Server
> > Web Server Certificate
> > SSL Certificate
> > RAS and IAS Server
> > EFS Recovery Agent
> > Subordinate Certification Authority
> >
> > Now if I go into Webenrollment and click Request a Certificate it goes
> > straight into the "Advanced Certificate Request" page where I can:
> > Create and Submit and request
> > Submit a certificate request by using base-64- blah blah
> > Request a certificate for a smart card blah blah
> >
> > I click the "Create and Submit and request" and the only template option I
> > have is the SSL Certificate. Now If I add a new template like a Basic EFS
> > then Basic EFS and SSL are now available.
> >
> > If I go to "Submit a certificate request by using base-64- blah blah"
> > again
> > only SSL and Basic EFS are availabel templates
> >
> > Why aren't the others available?
> >
> >
> > "Gunna" wrote:
> >
> >> Brian,
> >>
> >> Thanks for the reply. yes your are right it is screwed up. But I must
> >> correct myself. Like I said I inherited it and was told thats how it is.
> >> However after digging out some doco I found that the Root CA is a
> >> standalone
> >> after all. Is there a way I can look at the console and tell this or
> >> not?
> >>
> >> Further to that I found that the CA running web enrollment is an
> >> Enterprise
> >> and as a result you can see the Certificates tempates in the MMC. The
> >> problem is when I add a new template to publish it just doesnt appear in
> >> the
> >> Web enrollment form.
> >>
> >>
>
 
You must log in or register to reply here.

Similar threads

W
Can I sign a CSR with my CA without any templates? Windows server 2019
Replies
0
Views
56
whye keat foo
W
P
SCEP Certificate enrollment initialization for local system in event viewer.
Replies
0
Views
5
Peter Bachman1
P
A
CA: Using Custom Templates
Replies
0
Views
51
avilt
A
N
Enrollment of certificate producing error 0x800706be
Replies
0
Views
28
Nicholas Farmer
N
S
When issuing Enterprise Root-CA, it shows "Active Directory Certificate Services could not connect to Global Catalog Server"
Replies
0
Views
38
Samuel_TRX
S
Back
Top Bottom