1

On Windows 2008 R2, with an AD level of Windows 2008 R2, we need to create a cert to allow user/admin to enroll via the web service page (https://CA/certsrv/).

On the CA, right-click Certificate Templates and select Manage. In the certificate templates, we've created a duplicate of an existing cert and configured it with a new name:
- The cert has domain computer with read/enroll permission
- Supply in the request is selected
I ran certutil -setCAtemplates to add it to the cert template

On the web service page https://CA/certsrv > Request a certificate > Advanced certificate request > Create and submit a request to this CA, we only see a short list of certificate templates.

Does anyone have an idea how to publish a cert so it is shown on the web page? What step am I missing here?

Lex

1 Answer

6

The two most common problems I see with this are either permissions related or template version related.

The user logged into the certsrv site needs to have both Read and Enroll permissions on the certificate template. If they don't, it won't show up in the list of available templates.

Also when duplicating the template, you were likely asked what version to make it and given an option of "Windows Server 2003" or "Windows Server 2008". The certsrv web site is only compatible with the Windows Server 2003 based templates which I think corresponds to version 2. Ironically, this same limitation is present all the way through Windows Server 2012 R2. The certsrv site still can't use version 3 templates. Here's the related KB article as you found:

Version 3 (CNG) Templates Will Not Appear in Windows Server 2008 or Windows Server 2008 R2 Certificate Web Enrollment

Ryan Bolger
  • Thank you for your answer. Mine had the required permissions on it (read/enroll). I did see a pattern that only pre-2003 were listed. I've used the same process to duplicate another cert to validate my steps and set it to 2003 instead of 2008, and it did show up. My issue with the certsrv site not showing my certificate was in fact related to version 3 as you have suggested. I wouldn't have thought to look at compatibility without your answer. TY https://support.microsoft.com/en-us/kb/2015796 – Lex May 31 '16 at 18:43
  • Man I knew there was a KB article for it. I just couldn't find it when I looked. They should really update it to apply to 2012 and 2012 R2 as well. – Ryan Bolger May 31 '16 at 20:15
  • Having read several articles on this problem using Windows Server 2008 R2 (this is in a lab), stumbled upon this answer - my problem was the same - had to create a new template based on compatibility with "Windows Server 2003" and then it showed up in the certsrv site. +1 – T-Heron Sep 06 '22 at 00:45
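
A read-only check for the causes discussed in this thread (template schema version, publication on the CA, and Read/Enroll permissions), as an added example that is not part of the original question or answer. It assumes the ActiveDirectory PowerShell module is available; `MyWebTemplate` is a placeholder template name.

```powershell
# Added example: read-only checks for a template missing from the certsrv list.
# Assumes the ActiveDirectory module (RSAT); $TemplateName is a placeholder.
Import-Module ActiveDirectory
$TemplateName = 'MyWebTemplate'   # placeholder: the template's CN, not its display name

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# 1. Schema version stored on the template object in AD.
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
    -Properties displayName, 'msPKI-Template-Schema-Version'
if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }
$version = [int]$tpl.'msPKI-Template-Schema-Version'
"Template      : $($tpl.displayName) (schema version $version)"
if ($version -ge 3) {
    'Result        : version 3 or later, so certsrv will not list it (see the KB above)'
}

# 2. CAs that have the template published (what certutil -setCAtemplates changes).
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
$publishedOn = @($cas | Where-Object { $_.certificateTemplates -contains $TemplateName } |
    ForEach-Object { $_.Name })
"Published on  : $(if ($publishedOn) { $publishedOn -join ', ' } else { 'no CA' })"

# 3. Principals with Allow ACEs for both Read and Enroll on the template.
$rights     = [System.DirectoryServices.ActiveDirectoryRights]
$enrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$allow = (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' }
$readers = $allow | Where-Object {
    ([int]$_.ActiveDirectoryRights -band [int]$rights::GenericRead) -eq [int]$rights::GenericRead
} | ForEach-Object { $_.IdentityReference.Value }
$enrollers = $allow | Where-Object {
    ([int]$_.ActiveDirectoryRights -band [int]$rights::ExtendedRight) -and
    ($_.ObjectType -eq $enrollGuid -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value }
$both = @($readers | Where-Object { $enrollers -contains $_ } | Sort-Object -Unique)
"Read + Enroll : $($both -join ', ')"
```

The account that logs in to certsrv must be one of the listed principals or a member of one of the listed groups; the script does not expand group membership or evaluate Deny entries.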