Web Certificate enrollment with Windows 2003 server

[Judith]

Hello, maby someone can help me resolve this problem.
With windows 2000 server I can enroll any certificate
template (by " http://server ip/certsrv")to any CSP
installed.

With Windows 2003 server I can web enroll only some
certificate template. Most of certificates can be enrolled
only to Microsoft CSP. But if I use MMC it makes it
possible to enroll it to any CSP installed.
For example, Enrollment Agent certificate can only be
enrolled to Microsoft CSP. All other CSPs are in the list
but in a gray disabled colored.

Do you know where I can change it? what parameter in the
GPO must be changed to enable it?
Thanks in advanced
Judith

 

[krish shenoy[MS]]

The MMC enrollment enumerates the CSPs on the client machine whereas the Web
enrollment enumerates the
CSPs on the Web Server. If you want to add CSPs that a template can use for
enrollment then you can do it in the certificate template snapin .Select the
enrollment agent template ->Request Handling -> CSPs tab and check the
desired CSP
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm"

 

[Judith Dvash]

Hello Krish,

Thanks you very much for your answer.
I have done as you indicated, going to MMC,
opening "Certificate Template" Snapin,
Selecting "Enrollment Agent" template Properties,
Selecting "Request Handing / CSP " Tab.
Here all other CSPs except Microsoft are in Gray color
and are disabled. Inpossible to check or uncheck.
I'm on Server Windows 2003
Below is the original message and your answer.
Best Regards
Judith Dvash
eToken Support engineer
Aladdin

 

[judith.dvash]

Hi,
I manage to duplicate my enrollment Agent certificate and
under Request Handling / CSP I've added my own CSP.
The only problem I got now is that the newly created
template appears in the "Active Directory Sites and
Services" in the list of certificate template but
does not appear in the list of "Certificate Authority /
Certificate template"
and I cannot see it in the "New certificate template to
issue" even if I ask to "Publish my template in the Active
Directory".
The result is that the certificate is not proposed when
user is enrolling certificate by the web.
Do you have any idea?
Judith

 

[judith]

Hello krish,

I thank you a lot for your help. I managed to make one
step ahead but I have a new problem.

Windows 2003 with a CA enterprise installed.
I have duplicated the "Enrollment Agent" template and in
the Request Handling of the new template-2 I've chosen a
new CSP.

Now my new template appears in the list of certificate
templates in the "Active directory Sites and services".
But it does not appear in the Certificate template of
the "CA enterprise" and when I choose to issue a new
certificate it is still not listed.
When I choose to manage certificate I can see it.
When web enrolling certificates it is not listed.
I can web enroll the original certificate of "Enrollment
Agent".
I have full access rights on the new template.
What can I do to have this certificate on the list od
issued template to enroll.

Judith

..
Best Regards,

Judith Dvash
eToken International Customer
Support Engineer

 

[request]

opening "Certificate Template" Snapin, Selecting "Enrollment Agent" template Properties,
I don't find "Request Handing / CSP " Tab

 

[request]

when we use the web based smartcard enrollment station in Windows server 2003 standard version and Xp , our csp is not selectable. in the list of csp's only Gemplus ,Infinion and Schlumberger