Guest Eli Posted May 13, 2008 Posted May 13, 2008 Windows 2008 I’m trying to create a certificate by following directions from here: http://technet.microsoft.com/en-us/library...BKMK_siteserver Creating and Issuing the Site Server Signing Certificate Template on the Certification Authority On #15, I ran into problem, my server is standard edition; I did an upgrade to enterprise over standard (without reinstalling OS) #15 In the Enable Certificate Templates dialog box, select the new template you have just created, ConfigMgr Site Server Signing Certificate, and then click OK. I don’t see the certificate template that I just created even after upgrading to enterprise and redoing the template. Any ideas/suggestions? Quote
Guest Miles Li [MSFT] Posted May 13, 2008 Posted May 13, 2008 Hello, Thanks for your post. I'd like to know whether you receive the error message such as "The template information on the CA cannot be modified at this time". If yes, please verify the security on the certificate template whether the Authenticated users has the READ permission on the template. If it is absent, try to manually add this ACE and check how it works. Hope it helps. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Quote
Guest Eli Posted May 13, 2008 Posted May 13, 2008 I don’t get any error it’s just that template that I created is not listed in the list. I do a right click on “certificate templates†then new “certificate template to issue According to the manual, I have to see the template that I created, but it’s not there. I found one reason that I had “standard†version of windows, I did an upgrade to enterprise. Same thing, I then deleted it and recreated. Same thing, its’ not appearing. "Miles Li [MSFT]" wrote: <span style="color:blue"> > Hello, > > Thanks for your post. > > I'd like to know whether you receive the error message such as "The > template information on the CA cannot be modified at this time". If yes, > please verify the security on the certificate template whether the > Authenticated users has the READ permission on the template. If it is > absent, try to manually add this ACE and check how it works. > > Hope it helps. > > > Sincerely, > Miles Li > > Microsoft Online Partner Support > Microsoft Global Technical Support Center > > Get Secure! - www.microsoft.com/security > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > This posting is provided "AS IS" with no warranties, and confers no rights. > > </span> Quote
Guest Eli Posted May 14, 2008 Posted May 14, 2008 Ok, the above problem got fixed by reinstalling server from scratch. It does appear now and I can enable it. Now I have the problem with the second part: At these link: http://technet.microsoft.com/en-us/library...BKMK_siteserver At this section “Requesting the Site Server Signing Certificate for the Server That Will Run the Configuration Manager 2007 Site Server To request the site server signing certificate: “ #5 advanced certificate requestâ€â€there is no template that I made in enterprise. My steps are: http://server/certsrv Request a certificate, then advanced certificate, then create and submit a request to this CA. When I click on that link, I get “In order to complete certificate enrollment, the website for the CA must be configured to use HTTPS authentication.†I click OK, and then look in the certificate template, and I don’t’ see it again. "Miles Li [MSFT]" wrote: <span style="color:blue"> > Hello, > > Thanks for your post. > > I'd like to know whether you receive the error message such as "The > template information on the CA cannot be modified at this time". If yes, > please verify the security on the certificate template whether the > Authenticated users has the READ permission on the template. If it is > absent, try to manually add this ACE and check how it works. > > Hope it helps. > > > Sincerely, > Miles Li > > Microsoft Online Partner Support > Microsoft Global Technical Support Center > > Get Secure! - www.microsoft.com/security > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > This posting is provided "AS IS" with no warranties, and confers no rights. > > </span> Quote
Guest Miles Li [MSFT] Posted May 16, 2008 Posted May 16, 2008 Hello, I am sorry that I have made a lapse in my previous reply. From my understanding, you have enabled the signing certificate template (you can view the enabled template in the CA MMC Certificate Template), However, when you want to enroll a certificate via web enrollment you can't find that specific template in the list. Please feel free to correct me if there is any misunderstandings. Please check the security on that template according to the following step: 1. Run "certtmpl.msc" in the commend prompt to open template manager. 2. Right click the signing certificate template--->properties--->Security. Check whether the user account that perform the web enrollment request on the member server has both READ and ENROLL permission. Note: By default, Domain admins and Enterprise admins groups have the both READ and ENROLL permission. This means if you submit the request by a non-admin user account (standard user account) the template will not shown in the list for the user has no ENROLL permission. (by default, the Authenticated Users have the READ permission that is inherited from the Computer Template) Meanwhile, please also note that you may experience latency before the template list gets updated. 281260 A Certificate Request That Uses a New Template Is Unsuccessful http://support.microsoft.com/default.aspx?...kb;EN-US;281260 Hope it helps. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Quote
Guest Eli Posted May 16, 2008 Posted May 16, 2008 Permissions were checked-everything is in order, plus I’m using a default “administrator†account which is part of all admin groups. I visited the link that you provided, edited the registry but no changes. As fas as replication it’s been more than a day. "Miles Li [MSFT]" wrote: <span style="color:blue"> > > Hello, > > I am sorry that I have made a lapse in my previous reply. > > From my understanding, you have enabled the signing certificate template > (you can view the enabled template in the CA MMC Certificate Template), > However, when you want to enroll a certificate via web enrollment you can't > find that specific template in the list. Please feel free to correct me if > there is any misunderstandings. > > Please check the security on that template according to the following step: > > 1. Run "certtmpl.msc" in the commend prompt to open template manager. > > 2. Right click the signing certificate template--->properties--->Security. > Check whether the user account that perform the web enrollment request on > the member server has both READ and ENROLL permission. > > Note: By default, Domain admins and Enterprise admins groups have the both > READ and ENROLL permission. This means if you submit the request by a > non-admin user account (standard user account) the template will not shown > in the list for the user has no ENROLL permission. (by default, the > Authenticated Users have the READ permission that is inherited from the > Computer Template) > > Meanwhile, please also note that you may experience latency before the > template list gets updated. > > 281260 A Certificate Request That Uses a New Template Is > Unsuccessful > http://support.microsoft.com/default.aspx?...kb;EN-US;281260 > > Hope it helps. > > > Sincerely, > Miles Li > > Microsoft Online Partner Support > Microsoft Global Technical Support Center > > Get Secure! - www.microsoft.com/security > ===================================================== > When responding to posts, please "Reply to Group" via your newsreader so > that others may learn and benefit from your issue. > ===================================================== > This posting is provided "AS IS" with no warranties, and confers no rights. > > </span> Quote
Guest Miles Li [MSFT] Posted May 19, 2008 Posted May 19, 2008 Hello, Thanks for keep working on it. Please help to verify the following settings: 1. Verify the template is in the Certificate Authority--->CA name--->certificate templates and is prepared to issue. And the certificate template has the "Publish certificates in Active Directory" option checked. 2. Will other templates duplicated be shown in the web enrollment? 3. Which templates are displayed in the web enrollment certificate template list? 4. Does it work if you open the web page on the domain controller or the CA server? 5. Could you please describe the topology of your domain in detail? Is it a multi-site domain? Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Quote
Guest Nils Posted May 19, 2008 Posted May 19, 2008 When you duplicated the Computer template, did you select "Windows Server 2008, Enterprise Edition" as supported platform? In my experience, doing that will prevent the template from showing up in the web page. When you select "Windows Server 2003, Enterprise Edition" the template -will- show up. Quote
Guest Eli Posted May 19, 2008 Posted May 19, 2008 I did select 2003 "Nils" wrote: <span style="color:blue"> > When you duplicated the Computer template, did you select "Windows Server > 2008, Enterprise Edition" as supported platform? In my experience, doing that > will prevent the template from showing up in the web page. When you select > "Windows Server 2003, Enterprise Edition" the template -will- show up.</span> Quote
Guest Miles Li [MSFT] Posted May 23, 2008 Posted May 23, 2008 Hello, I am just writing in to see if you have obtained the opportunity to collect the information. If anything is unclear with the previous information I've provided to you, please don't hesitate to let me know. I appreciate your time and look forward to hearing from you. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.