Creating Site Server Signing Certificate Template


Eli

Windows 2008
I’m trying to create a certificate by following directions from here:
http://technet.microsoft.com/en-us/library...BKMK_siteserver
Creating and Issuing the Site Server Signing Certificate Template on the
Certification Authority
On #15, I ran into a problem. My server is Standard edition; I did an upgrade
to Enterprise over Standard (without reinstalling the OS).
#15 In the Enable Certificate Templates dialog box, select the new template
you have just created, ConfigMgr Site Server Signing Certificate, and then
click OK.
I don’t see the certificate template that I just created, even after
upgrading to Enterprise and redoing the template.
Any ideas/suggestions?
 
Hello,

Thanks for your post.

I'd like to know whether you receive an error message such as "The
template information on the CA cannot be modified at this time". If yes,
please verify in the security settings of the certificate template whether
Authenticated Users has the READ permission on the template. If it is
absent, try to manually add this ACE and check how it works.

Hope it helps.


Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
I don’t get any error; it’s just that the template that I created is not listed
in the list.
I do a right click on “certificate templates”, then new, “certificate template
to issue”.
According to the manual, I have to see the template that I created, but it’s
not there.
I found one reason: I had the “standard” version of Windows, so I did an
upgrade to enterprise.
Same thing. I then deleted it and recreated it. Same thing, it’s not appearing.


 
OK, the above problem got fixed by reinstalling the server from scratch.
It does appear now and I can enable it.
Now I have a problem with the second part.
At this link:
http://technet.microsoft.com/en-us/library...BKMK_siteserver

At this section: “Requesting the Site Server Signing Certificate for the
Server That Will Run the Configuration Manager 2007 Site Server.
To request the site server signing certificate:”
#5 advanced certificate request - there is no template that I made in
enterprise.
My steps are:
http://server/certsrv
Request a certificate, then advanced certificate, then create and submit a
request to this CA.
When I click on that link, I get
“In order to complete certificate enrollment, the website for the CA must be
configured to use HTTPS authentication.”
I click OK, and then look in the certificate template list, and I don’t see it
again.


 
Hello,

I am sorry that I made a lapse in my previous reply.

From my understanding, you have enabled the signing certificate template
(you can view the enabled template in the CA MMC Certificate Template).
However, when you want to enroll a certificate via web enrollment, you can't
find that specific template in the list. Please feel free to correct me if
there are any misunderstandings.

Please check the security on that template according to the following steps:

1. Run "certtmpl.msc" in the command prompt to open the template manager.

2. Right click the signing certificate template--->Properties--->Security.
Check whether the user account that performs the web enrollment request on
the member server has both READ and ENROLL permission.

Note: By default, the Domain Admins and Enterprise Admins groups have both
READ and ENROLL permission. This means that if you submit the request with a
non-admin user account (standard user account), the template will not be shown
in the list, because the user has no ENROLL permission. (By default,
Authenticated Users have the READ permission that is inherited from the
Computer Template.)

Meanwhile, please also note that you may experience latency before the
template list gets updated.

281260 A Certificate Request That Uses a New Template Is Unsuccessful
http://support.microsoft.com/default.aspx?...kbEN-US281260

Hope it helps.


Sincerely,
Miles Li

 
Permissions were checked; everything is in order, plus I’m using a default
“administrator” account which is part of all admin groups.
I visited the link that you provided and edited the registry, but no changes.
As far as replication, it’s been more than a day.


 
Hello,

Thanks for continuing to work on it.

Please help to verify the following settings:

1. Verify that the template is in the Certificate Authority--->CA
name--->Certificate Templates and is prepared to issue, and that the certificate
template has the "Publish certificates in Active Directory" option checked.

2. Will other duplicated templates be shown in the web enrollment?

3. Which templates are displayed in the web enrollment certificate template
list?

4. Does it work if you open the web page on the domain controller or the CA
server?

5. Could you please describe the topology of your domain in detail? Is it
a multi-site domain?



Sincerely,
Miles Li

 
When you duplicated the Computer template, did you select "Windows Server
2008, Enterprise Edition" as supported platform? In my experience, doing that
will prevent the template from showing up in the web page. When you select
"Windows Server 2003, Enterprise Edition" the template -will- show up.
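
The checks raised in the replies above (template enabled on the CA, READ/ENROLL permission on the template, and the supported platform chosen when duplicating it) can all be read from Active Directory. The following is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available in a domain-joined session and uses the template display name quoted in the thread.

```powershell
# Added example: read-only checks for a template missing from the web enrollment list.
# Assumption: ActiveDirectory module (RSAT) is installed; nothing here modifies AD.
Import-Module ActiveDirectory

$displayName = 'ConfigMgr Site Server Signing Certificate'   # name used in the thread
$configNC    = (Get-ADRootDSE).configurationNamingContext
$pkiBase     = "CN=Public Key Services,CN=Services,$configNC"

# 1. Locate the template and read its schema version
#    (1 = Windows 2000, 2 = Windows Server 2003, 3 = Windows Server 2008).
$template = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -Filter "displayName -eq '$displayName'" `
    -Properties displayName, 'msPKI-Template-Schema-Version'
if (-not $template) { throw "Template '$displayName' not found in AD." }
"Template CN    : $($template.Name)"
"Schema version : $($template.'msPKI-Template-Schema-Version')"

# 2. Is the template enabled for issuance on each enterprise CA?
#    The CA's certificateTemplates attribute lists template CNs, not display names.
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
foreach ($ca in $cas) {
    $published = $ca.certificateTemplates -contains $template.Name
    "Published on $($ca.Name): $published"
}

# 3. Which principals are allowed the Enroll extended right on the template?
#    An empty ObjectType GUID means the ACE covers all extended rights (e.g. Full Control).
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$($template.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extRight) -and
        ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

A schema version of 3 corresponds to the "Windows Server 2008, Enterprise Edition" choice described in the post above; the account used for web enrollment must appear, directly or through a group, in the output of step 3.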
 
I did select 2003

"Nils" wrote:

> When you duplicated the Computer template, did you select "Windows Server
> 2008, Enterprise Edition" as supported platform? In my experience, doing that
> will prevent the template from showing up in the web page. When you select
> "Windows Server 2003, Enterprise Edition" the template -will- show up.
 
Hello,

I am just writing in to see if you have obtained the opportunity to collect
the information. If anything is unclear with the previous information I've
provided to you, please don't hesitate to let me know.

I appreciate your time and look forward to hearing from you.


Sincerely,
Miles Li

 