cannot create new certificate template to issue


Guest

I'm running Server 2003, my own root CA, logged on as domain admin. In the
Certificate Templates management MMC I create a duplicate certificate; on the
General tab I checked to publish in AD, on the Request Handling tab I checked
archive private key, allow key to be exported, and enroll without user input;
on the Subject Name tab, build from AD, use common name, and include e-mail
address; on the Security tab I allowed Authenticated Users read, enroll, and
autoenroll. Back in template manager the cert shows up as autoenroll is allowed,
but when I go back to the CA MMC and go to New Certificate Template to Issue,
the new template doesn't show up. The CA computer did get a new cert to allow
for private key recovery. I have waited a day for AD to replicate even though
this is a single-site domain.
 
Are you running Windows Server 2003 Enterprise Edition on the CA?

http://www.microsoft.com/technet/prodtechnol/winxppro/plan/pkienh.mspx



Windows Server 2003 certificate templates whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx


--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

Top Whitepapers:

Auto-enrollment whitepaper:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
Best Practices for implementing Windows Server 2003 PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
Troubleshooting Certificate Status and Revocation whitepaper:
http://www.microsoft.com/technet/security/topics/crypto/tshtcrl.mspx
Windows Server 2003 web enrollment and troubleshooting guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
 
Yes, that's correct.

David Cross said:
Are you running Windows Server 2003 Enterprise Edition on the CA?
 
Scratch that, I just realized that the CA computer is 2003 Standard. I'm in
the process of reconfiguring the entire domain anyway (not much faith in
the whole domain rename with Exchange process), so will I be OK using this
2003 Standard Edition as an offline standalone root and the subordinate CA on
Enterprise Edition?

David Cross said:
Are you running Windows Server 2003 Enterprise Edition on the CA?
 
circa Sun, 5 Dec 2004 17:05:04 -0800, in
microsoft.public.win2000.security, bill
([email protected]) said:
Scratch that, I just realized that the CA computer is 2003 Standard. I'm in
the process of reconfiguring the entire domain anyway (not much faith in
the whole domain rename with Exchange process)

Unless something has changed since I last checked, you can't have
enterprise CAs installed on DCs while you're doing a domain rename.
Will this affect your strategy?
so will I be OK using this
2003 Standard Edition as an offline standalone root and the subordinate CA on
Enterprise Edition?

Yes, that will work.

Laura
 
Thank you to you and Dave. I'm one exam from my MCSE on 2003 and I had never
heard of the restriction on version 2 templates. I tried a domain rename in a
test lab and I was disheartened by the results, so I now have 2 domains and I
will be migrating my users instead of renaming the old domain. Then I will
scrap the old CA and make it the standalone root, then configure one of my
DCs to be the issuing CA. I'm currently an ASE certified master auto
technician and I think I will be the only ASE certified and MCSE in the
country??
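A check that makes the cause discussed in this thread visible (added example, not code from the thread or from Microsoft): list the certificate templates defined in AD with their schema version next to the templates the local CA actually offers, so a version 2 template that never appears under "New Certificate Template to Issue" on a Server 2003 Standard Edition CA stands out. It assumes a current Windows PowerShell host with the RSAT ActiveDirectory module and certutil.exe, run on the CA, and that `certutil -CATemplates` prints one `Name: Display -- ...` line per offered template.

```powershell
# Added example: compare v2+ templates defined in AD against what this CA offers.
# On Windows Server 2003 only Enterprise Edition CAs can issue version 2 templates.
# Assumes RSAT ActiveDirectory module and certutil.exe; run on the CA itself.
Import-Module ActiveDirectory

$os = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Host "CA operating system: $os"

# Templates in the forest's Configuration partition, with their schema version.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$defined = Get-ADObject -SearchBase $templatesDN `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Template-Schema-Version'

# Templates this CA is configured to issue: first token of each "Name: Display -- ..." line
# (the trailing "CertUtil: ... completed successfully." status line is excluded).
$offered = certutil -CATemplates |
    Where-Object { $_ -match '^\S+:' -and $_ -notmatch '^CertUtil:' } |
    ForEach-Object { ($_ -split ':')[0].Trim() }

foreach ($t in ($defined | Sort-Object Name)) {
    $ver    = [int]$t.'msPKI-Template-Schema-Version'
    $status = if ($offered -contains $t.Name) { 'offered by this CA' } else { 'NOT offered by this CA' }
    if ($ver -ge 2 -and $status -like 'NOT*') {
        # This is the symptom from the thread: the template exists in AD but the CA cannot issue it.
        $status += ' (v2+ template; needs an Enterprise Edition CA on Server 2003)'
    }
    '{0,-40} v{1}  {2}' -f $t.Name, $ver, $status
}
```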
 