1

I have the problem that I cannot issue self-made certificate templates in the certificate authority, i.e. in the certificate authority, right click to certificate templates and select certificate template to issue. My templates do not appear.

Situation (with some chronological changes):

  • 1 forest; 2 domains (A.local and B.local)
  • 1 main-ca (root-ca) und 2 sub-ca (sub-ca1 and sub-ca2)
  • Main-ca: installed on domain-controller of A.local
  • Sub-ca1: installed on domain-controller of B.local

  • Sub-ca2: issued only certificate for sub-ca2: sub-ca is a linux-based ca.

  • Upgraded from Win2008R2 to Win2019 -> exported CA from dc_A_2008R to dc_A_2019

  • sub-ca1 was removed from domain controller and B.local was removed  only A.local remaining
  • Replication to all DCs of domain A

  • Revoked all certificated issued to domain B.local and also revoked certificate for sub-ca1

  • Root-ca is working for computer certificates (enrolled by GPO)

  • Root-ca is working for web-based (using browser) certificate requests like webservers.
  • Root-ca is working for user certificates

Remark: After the movement of the certificate authority to the new DCdc_a_2019 I also updated the Certificate Revocation List Distribution Point.

So, after googling I found the following issues which could be the reason for the problem:

  • Wait for replication such that all templates are replicated to all DCs -> this is done
  • B.local is cleanly removed from the schema, PDC …
  • Remove sub-ca1 in manually in AD sites and services (this I also did)

Errors in Event log:

  • The request was for a certificate template that is not supported by the Active Directory Certificate Services policy (0x80094800).
  • The Online Responder Service could not locate a signing certificate for configuration.

An additional remark: I cannot add the OSCP-Responder as template neither.

Any ideas how to solve. How to debug?

pallago
  • 165
  • 6
  • What are the security ACE's permissions on the template? – Greg Askew Apr 18 '20 at 14:20
  • The security permissions are "Read", "Write", "Register" for Domain-Admins and Oragnization-Admins. Furthermore, the dc_A_2019 has the permission to "read" and "register". Actually, when I moved the CA, I first moved it and uninstalled it afterwards from the dc_A_2008R. When both domains were existing, the problem I described above did not appear. Therefore, I think it is not due to permissions. But thanks for the suggestion. – pallago Apr 18 '20 at 15:02
  • Moreover, the "Authenticated Users" group has the "read", "write" and "register" permissions. – pallago Apr 18 '20 at 15:41

1 Answers1

1

Okay, I found the problem and solution here: https://securitymusings.com/article/1733/cant-create-a-new-certificate-template-to-issue

In case the link will not work in future:

  1. Open the ADSIEdit.msc
  2. Right click on ADSI Editor - Connect
  3. Under connection point select Configuration and OK
  4. Navigate to CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services
  5. Right click on the Attribute and select properties
  6. Select the flags - if it is 2 then update it to 10
  7. Replicate between the DCs (use Active Directory Sites for manual replication)
  8. Restart the Certificate Authority (Right click - Tasks - Stop - Start)
pallago
  • 165
  • 6