Installing vCenter 5.1 certificates is a tedious and confusing process, at least the first time, even though VMware and Derek Seaman have documented it very well.
While updating the VMware SSL certificates, I ran into an issue when submitting a certificate request through the AD Certificate Services web page: the certificate template was missing from the drop-down list. The cause was a permissions problem on that specific template.
As part of the process (step 10 in Derek Seaman's guide, and step 6 of the "Getting the certificate" section of the VMware documentation), you need to select the template name when submitting the CSR. The issue was that I could not find the certificate template (VMware-SSL) I had created in the previous steps. I was not sure which permissions were required to see the template name. After some research, I realised that I needed to assign the relevant permissions to the user submitting the CSR request, as follows.
1. Open the Microsoft Certificate Authority web interface. It is usually at http://servername/CertSrv/.
2. Select "Request a certificate" > "advanced certificate request" > "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". You then see the following screen. Note that no template name is offered for selection; this is due to the user lacking permission on the template.
3. To fix the problem, go to "Manage templates".
4. Select the appropriate template name and open its properties.
5. Go to the "Security" tab, select the user name and grant the Read, Write, Enroll and Autoenroll permissions.
6. Restart the CA services as shown in the screenshot below.
7. Try to submit the certificate request again; you should now be able to see the template.
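The same repair done from PowerShell, as an added example that is not part of the original post or of VMware's or Derek Seaman's documentation. It audits the template's ACL in Active Directory before changing it, applies the permissions from steps 4 and 5, and restarts the CA service as in step 6. It also goes beyond the walkthrough by checking two template settings that hide a template from the web enrollment pages even when permissions are correct (schema version 3 or higher, and a subject name built from AD instead of supplied in the request). The template name VMware-SSL comes from the post; the principal CONTOSO\vcenter-svc is a placeholder, and the script assumes the ActiveDirectory RSAT module and rights to edit templates (Enterprise Admins by default).

```powershell
# Added example, not from the original post. Audits and repairs enrollment permissions on an
# AD CS certificate template, then restarts the CA service.
# Assumptions: ActiveDirectory RSAT module present; 'CONTOSO\vcenter-svc' is a placeholder.
Import-Module ActiveDirectory

$TemplateName = 'VMware-SSL'             # template created earlier in the walkthrough
$Principal    = 'CONTOSO\vcenter-svc'    # user or group that submits the CSR (placeholder)

# Well-known GUIDs of the two enrollment control-access rights.
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Templates live in the Configuration naming context, not in the domain partition.
$ConfigNC   = (Get-ADRootDSE).configurationNamingContext
$TemplateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$Template   = Get-ADObject -Identity $TemplateDN `
                -Properties 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag'

# Two template settings that also keep a template out of the certsrv drop-down:
#  - schema version 3+ (Windows Server 2008 and later) is not listed by the web enrollment pages;
#  - a pasted CSR carries its own subject, so the template must allow the subject to be
#    supplied in the request (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1).
$SchemaVersion = $Template.'msPKI-Template-Schema-Version'
if ($SchemaVersion -gt 2) {
    Write-Warning "Schema version $SchemaVersion: web enrollment lists only version 1 and 2 templates; duplicate it as a Windows Server 2003 template."
}
if (($Template.'msPKI-Certificate-Name-Flag' -band 0x1) -eq 0) {
    Write-Warning "Subject name is built from AD information; set 'Supply in the request' for CSR-based enrollment."
}

# Audit the current DACL: who may enroll, and (more important) who may modify the template.
$AclPath = "AD:\$TemplateDN"
$Acl     = Get-Acl -Path $AclPath
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$ModifyMask = $Rights::WriteProperty -bor $Rights::GenericWrite -bor $Rights::WriteDacl -bor $Rights::WriteOwner
foreach ($ace in ($Acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    $granted = @()
    if (($ace.ActiveDirectoryRights -band $Rights::ExtendedRight) -ne 0) {
        if ($ace.ObjectType -eq $EnrollRight)     { $granted += 'Enroll' }
        if ($ace.ObjectType -eq $AutoEnrollRight) { $granted += 'Autoenroll' }
        if ($ace.ObjectType -eq [guid]::Empty)    { $granted += 'AllExtendedRights' }
    }
    if (($ace.ActiveDirectoryRights -band $ModifyMask) -ne 0) { $granted += 'CanModifyTemplate' }
    if ($granted) { '{0,-40} {1}' -f $ace.IdentityReference, ($granted -join ', ') }
}

# Grant what enrolling through the web pages actually needs: Read and Enroll.
# The walkthrough also grants Write and Autoenroll. Write is not required to submit a CSR and
# lets the principal change the template itself, so it is deliberately left out here; add an
# Autoenroll rule ($AutoEnrollRight) the same way if the principal is meant to autoenroll.
$Sid   = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Rights::GenericRead, $Allow)))
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Rights::ExtendedRight, $Allow, $EnrollRight)))
Set-Acl -Path $AclPath -AclObject $Acl

# Step 6 of the walkthrough: the CA caches template information, so restart it to pick up the change.
Restart-Service -Name CertSvc
```

Run the audit part first and review the output: any principal listed with CanModifyTemplate can change the template's subject-name, EKU and issuance settings, so that list should contain only the CA administrators. The template must also be published on the CA (the Certificate Templates folder in certsrv.msc) before it can appear in the web pages.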
Hey, made the change but I still can't see it :(

Thanks for the reply. I have tried this fix a couple of times to make sure that permissions are the problem. I believe you restarted the services. It should work, or it could be some other problem. Thanks,
What all these posts fail to mention is that MS Active Directory Certificate Services are based on the AD domain forest level. So if your forest level is 2003, then you cannot use 2008 and up custom templates in the ADCS web services. Most people having this issue is because the CA custom template is 2008 and above. Try duplicating your template in the certificate template console; the first question when duplicating the template is to choose 2003 or 2008. Choose 2003, then go into the Certification Authorities MMC (certsrv.msc), right-click the Certificate Templates folder and issue the template that you just created. Now go to your ADCS web site and you should be able to see your custom template. I know, what about the 2008 templates... Your AD forest level will need to be raised to 2008 R2 for the ADCS web to show the newer 2008 custom templates. Good luck, my hard earned .2 cents. I hope this helps someone out there because it took me weeks to figure this out.
Carlos Rodriguez
Caro1008@hotmail.com

This 100% helped me. Thanks! The other thing I found elsewhere was to change the thumbprint to all caps and to do a certutil -repairstore my

Thank you Carlos for your valuable input; I hope it helps the community. Cheers!!
My problem is I am trying to create the certificate request on Server 2012. It has been promoted to a DC in an existing domain. The existing domain is an SBS 2008 domain with Exchange 2007 SP2. The SBS box is operating at the highest functional level, 2008 domain and forest. It has had domain prep and forest prep run against it, as there is a secondary DC running Server 2008 with Exchange 2010. Otherwise the issue I have is exactly the same as described. I cannot see Web Server. I can open the AD CS console and enable certificate templates but I am not sure which one I should select, as there is no Web Server template.

Thanks VirtualCloudz. This was very helpful. Worked for me.
Here's another reason why it might not appear. Go to the Subject Name tab in the template's properties. If "Build from this Active Directory information" is selected, switch it to "Supply in the request."

Thx, this was the reason why I didn't see the template name :)

It worked like a charm. Tx!

BTW, in my case it worked out of the box for the domain built-in Administrator account. We have to do this for delegated admins etc.

Thanks Carlos & VirtualCloudz, you made my day a little bit easier :-)

Nice blog post!

Just tried applying it on my SBS server but I do not have the security option for "Autoenroll". I did everything else to the letter but it didn't seem to work.

Another reason it might not show up is that you have to use IE due to active scripting. Also, you will want to put the website into the Intranet zone list if it doesn't show up automatically. One clue is that you should not be prompted to log in when going to https://pkiserver/certsrv; if you are, then make sure to add it to the Intranet zone list and enable active scripting.

Thanks for the help. The post worked for my environment with Windows Server 2012.