Guest Gunna
Posted July 3, 2008

I have a problem where I seem to add a template into the Certificate Templates folder on my Root CA but it doesn't show up on the web enrollment server. I have a theory that this might be because the Root CA is an Enterprise CA and the issuing server running web enrollment is a standalone CA. Set up this way for "security" reasons and I was lucky to inherit. Is this the reason? If so, how do I get those templates copied over to the web enrollment server?

Guest Brian Komar (MVP)
Posted July 4, 2008

If you are connecting to the issuing CA, then the Web Enrollment will only show the certificates available at that CA. A standalone CA does not use certificate templates, hence you do not see any when you connect.

On a different front, your CA infrastructure is pretty screwed up. Traditionally, the root would be an offline CA (based on a standalone CA). The issuing CA would be a subordinate enterprise CA.

Brian

Guest Gunna
Posted July 4, 2008

Brian,

Thanks for the reply. Yes, you are right, it is screwed up. But I must correct myself. Like I said, I inherited it and was told that's how it is. However, after digging out some doco I found that the Root CA is a standalone after all. Is there a way I can look at the console and tell this or not?

Further to that, I found that the CA running web enrollment is an Enterprise and as a result you can see the Certificates templates in the MMC. The problem is when I add a new template to publish, it just doesn't appear in the Web enrollment form.

Guest Gunna
Posted July 4, 2008

Hold the phone Brian,

I just tried something and got a strange result. Here are the templates I have in the MMC:

Web Server
Web Server Certificate
SSL Certificate
RAS and IAS Server
EFS Recovery Agent
Subordinate Certification Authority

Now if I go into Web enrollment and click Request a Certificate, it goes straight into the "Advanced Certificate Request" page where I can:

Create and Submit and request
Submit a certificate request by using base-64- blah blah
Request a certificate for a smart card blah blah

I click the "Create and Submit and request" and the only template option I have is the SSL Certificate. Now if I add a new template like a Basic EFS, then Basic EFS and SSL are now available.

If I go to "Submit a certificate request by using base-64- blah blah", again only SSL and Basic EFS are available templates.

Why aren't the others available?

Guest Brian Komar (MVP)
Posted July 5, 2008

The other certificates are for computer certificates, and will not appear in the Web form.

When you request from the Web portal, the request is performed in the user's context, not the computer's. The only certificates that will appear are the certificates intended for users or certificates where the subject name is provided in the request (requiring user intervention).

So the RAS and IAS Server and SubCA certificates would require using the Certificates MMC console focused on the local machine to request the certificates.

Brian
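
The two properties Brian's answer turns on, user versus computer context and whether the subject is supplied in the request, are stored as bit flags on each template object in Active Directory, and a CA's type is a registry value on the CA. The following is an added example, not code from the thread: it decodes those values using the bit and CAType constants from Microsoft's published template and CA documentation. `Get-TemplateContext` and the sample records are hypothetical and constructed for illustration; the example reports the two properties only and does not reproduce the enrollment pages' own filtering.

```powershell
# Added example. Bit values are from Microsoft's certificate template
# documentation (MS-CRTD); the sample records below are constructed.
$CT_FLAG_MACHINE_TYPE              = 0x40  # 'flags' attribute: computer template
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # 'msPKI-Certificate-Name-Flag' attribute

# CAType registry value; on the CA, read it with: certutil -getreg CA\CAType
$CATypes = @{
    0 = 'Enterprise Root CA'
    1 = 'Enterprise Subordinate CA'
    3 = 'Standalone Root CA'
    4 = 'Standalone Subordinate CA'
}

# Hypothetical helper: reports context and subject source for one template.
function Get-TemplateContext {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Flags,
        [Parameter(Mandatory)] [int]    $NameFlag
    )
    [pscustomobject]@{
        Template      = $Name
        Context       = if ($Flags -band $CT_FLAG_MACHINE_TYPE) { 'Computer' } else { 'User' }
        SubjectSource = if ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) {
                            'Supplied in request' } else { 'Built from Active Directory' }
    }
}

# Constructed sample records (only the two relevant bits are set).
# With the ActiveDirectory module, live values come from:
#   $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
#           (Get-ADRootDSE).configurationNamingContext
#   Get-ADObject -SearchBase $base -Filter * -Properties flags,'msPKI-Certificate-Name-Flag'
$samples = @(
    @{ Name = 'Sample computer template, subject from AD';  Flags = 0x40; NameFlag = 0x0 }
    @{ Name = 'Sample computer template, subject supplied'; Flags = 0x40; NameFlag = 0x1 }
    @{ Name = 'Sample user template';                       Flags = 0x0;  NameFlag = 0x0 }
)
foreach ($s in $samples) { Get-TemplateContext @s }

# Constructed CAType value; replace with the number certutil prints on the CA.
$caType = 1
"CA type: $($CATypes[$caType])"
```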

Guest Gunna
Posted July 10, 2008

Brian,

Makes sense, thanks. What's the best way to determine if a cert is for a user or computer? Also, do you know if there is a spot I can look to see if a CA is a Standalone or an Enterprise CA?

Thanks.