Guest Han Valk Posted September 20, 2008 Posted September 20, 2008 Is this template hard coded in Certificate Services? When I duplicate and customize this template and make it available the CA (W2k3 ent root CA) doesn't pick it up. Permissions on the template are read and enroll for the CA's machine account. Regards, Han Valk. Quote
Guest Paul Adare - MVP Posted September 20, 2008 Posted September 20, 2008 On Sat, 20 Sep 2008 10:18:59 +0200, Han Valk wrote: <span style="color:blue"> > Is this template hard coded in Certificate Services? When I duplicate > and customize this template and make it available the CA (W2k3 ent > root CA) doesn't pick it up. Permissions on the template are read and > enroll for the CA's machine account. > > Regards, > Han Valk.</span> Why do you feel you need to create a custom template for this in the first place? -- Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Conversational mode: Describes the typical office the day after a major sporting event. Quote
Guest Han Valk Posted September 25, 2008 Posted September 25, 2008 Sorry for my late reaction, I've been very busy. I have been thaught that it is a best practise to leave the default templates alone and create duplicates to customize. How about an answer to my original question? On Sat, 20 Sep 2008 05:25:15 -0400, Paul Adare - MVP <pkadare@gmail.com> wrote: <span style="color:blue"> >On Sat, 20 Sep 2008 10:18:59 +0200, Han Valk wrote: ><span style="color:green"> >> Is this template hard coded in Certificate Services? When I duplicate >> and customize this template and make it available the CA (W2k3 ent >> root CA) doesn't pick it up. Permissions on the template are read and >> enroll for the CA's machine account. >> >> Regards, >> Han Valk.</span> > >Why do you feel you need to create a custom template for this in the first >place?</span> Quote
Guest Paul Adare - MVP Posted September 25, 2008 Posted September 25, 2008 On Thu, 25 Sep 2008 11:15:40 +0200, Han Valk wrote: <span style="color:blue"> > Sorry for my late reaction, I've been very busy. I have been thaught > that it is a best practise to leave the default templates alone and > create duplicates to customize.</span> No, that is not always a best practice. For example, if you want to be able to use the IIS Wizard to request Web Server certificates you must use the default Web Server template. <span style="color:blue"> > > How about an answer to my original question?</span> As far as I know, you can't use a custom CA Exchange certificate template and there really isn't any compelling reason to do so. -- Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca One person's error is another person's data. Quote
Guest Han Valk Posted September 25, 2008 Posted September 25, 2008 And that's my problem with MS PKI. Its documentation is far from complete. I own the MS Press book on this subject and even that book does not contain all the answers. On Thu, 25 Sep 2008 05:33:08 -0400, Paul Adare - MVP <pkadare@gmail.com> wrote: <span style="color:blue"> >On Thu, 25 Sep 2008 11:15:40 +0200, Han Valk wrote: ><span style="color:green"> >> Sorry for my late reaction, I've been very busy. I have been thaught >> that it is a best practise to leave the default templates alone and >> create duplicates to customize.</span> > >No, that is not always a best practice. For example, if you want to be able >to use the IIS Wizard to request Web Server certificates you must use the >default Web Server template. ><span style="color:green"> >> >> How about an answer to my original question?</span> > >As far as I know, you can't use a custom CA Exchange certificate template >and there really isn't any compelling reason to do so.</span> Quote
Guest Han Valk Posted September 25, 2008 Posted September 25, 2008 It _should_ be best practise for all templates but Certtificate Server doesn't allow it. On Thu, 25 Sep 2008 05:33:08 -0400, Paul Adare - MVP <pkadare@gmail.com> wrote: <span style="color:blue"> >On Thu, 25 Sep 2008 11:15:40 +0200, Han Valk wrote: ><span style="color:green"> >> Sorry for my late reaction, I've been very busy. I have been thaught >> that it is a best practise to leave the default templates alone and >> create duplicates to customize.</span> > >No, that is not always a best practice. For example, if you want to be able >to use the IIS Wizard to request Web Server certificates you must use the >default Web Server template. ><span style="color:green"> >> >> How about an answer to my original question?</span> > >As far as I know, you can't use a custom CA Exchange certificate template >and there really isn't any compelling reason to do so.</span> Quote
Guest Paul Adare - MVP Posted September 25, 2008 Posted September 25, 2008 On Thu, 25 Sep 2008 15:28:31 +0200, Han Valk wrote: <span style="color:blue"> > It _should_ be best practise for all templates but Certtificate Server > doesn't allow it.</span> No it shouldn't be a best practice, there's no real need for it at all. -- Paul Adare MVP - Identity Lifecycle Manager http://www.identit.ca Daddy, what does "Formatting Drive C:" mean? Quote
Guest Brian Komar \(MVP\) Posted September 25, 2008 Posted September 25, 2008 Han, Pretty aggressive statement. and entirely incorrect. It is not Certificate Server that requires the use of specific templates, it is the application that consumes the certificates. Paul brought up the case where IIS is hard coded to require the Web Server certificate template. Your assertation that this is not documented though is incorrect. You really did not put much effort into your search, as the first response from Google is this article. 1. http://technet.microsoft.com/en-us/library/cc780041.aspx As stated in this article, section titled CA Exchange Certificate Generation discusses how the CA exchange certificate is generated, what happens if the CA exchange certificate is not available, and how to enforce that the CA exchange certificate is used. Next time, quit whining and arguing when we provide you with an answer. If you do not like the answer, send an email to mswish @microsoft.com and ask for the functionality you desire. Next time, do some real research before you get up on your soapbox. Brian "Han Valk" <han.valk@somewhere.invalid> wrote in message news:tc4nd4pcdbt4e6btbkft7bsl4f7v9mso95@4ax.com...<span style="color:blue"> > It _should_ be best practise for all templates but Certtificate Server > doesn't allow it. ></span> <snip> Quote
Guest Han Valk Posted September 29, 2008 Posted September 29, 2008 Sorry but I disagree. Thanks for your help anyway. On Thu, 25 Sep 2008 09:49:45 -0400, Paul Adare - MVP <pkadare@gmail.com> wrote: <span style="color:blue"> >On Thu, 25 Sep 2008 15:28:31 +0200, Han Valk wrote: ><span style="color:green"> >> It _should_ be best practise for all templates but Certtificate Server >> doesn't allow it.</span> > >No it shouldn't be a best practice, there's no real need for it at all.</span> Quote
Guest Han Valk Posted September 29, 2008 Posted September 29, 2008 Brian, Let me start by saying that it was never my intention to agitate anybody. It's just that not all that MS makes is great and I can mention several things about Certificate Server that are not documented. And yes I have done my research and I was aware of that TechNet article. Would you please be so kind and tell where in the article it says that that I can not use a duplicate of the the CAExchange template? That I must use the original? So it's not Certificate Server but an other application that demands the use of original CAExchange template? Han. On Thu, 25 Sep 2008 08:58:21 -0500, "Brian Komar \(MVP\)" <brian.komar@nospam.identit.ca> wrote: <span style="color:blue"> >Han, >Pretty aggressive statement. and entirely incorrect. > >It is not Certificate Server that requires the use of specific templates, it >is the application that consumes the certificates. Paul brought up the case >where IIS is hard coded to require the Web Server certificate template. > >Your assertation that this is not documented though is incorrect. You really >did not put much effort into your search, as the first response from Google >is this article. > >1. http://technet.microsoft.com/en-us/library/cc780041.aspx >As stated in this article, section titled CA Exchange Certificate Generation >discusses how the CA exchange certificate is generated, what happens if the >CA exchange certificate is not available, and how to enforce that the CA >exchange certificate is used. > >Next time, quit whining and arguing when we provide you with an answer. If >you do not like the answer, send an email to mswish @microsoft.com and ask >for the functionality you desire. > >Next time, do some real research before you get up on your soapbox. >Brian > > >"Han Valk" <han.valk@somewhere.invalid> wrote in message >news:tc4nd4pcdbt4e6btbkft7bsl4f7v9mso95@4ax.com...<span style="color:green"> >> It _should_ be best practise for all templates but Certtificate Server >> doesn't allow it. >></span> ><snip> </span> Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.