1

I am trying to create a custom certificate template based off of the Smartcard User template with a Windows Server 2008 Enterprise subordinate CA. I am using the subordinate CA because the root CA is not on the domain. Here are my steps so far:

  1. I duplicated the Smartcard User template for the new template I'm trying to create
  2. I set the appropriate validity period and CSP

I figure this is all I should need to do as my organization does not use issuance policies or anything. However, when I try to enroll a cert on behalf of a user, the template does not show up. When the "Show all templates" box is checked, the template appears with the following error message: "The requested property value is empty. You do not have permission to view this type of certificate."

I have looked through the Microsoft libraries and googled for information on this error, however it does not appear to be well-documented. Any input would be greatly appreciated. Thank you!

nedwards86

2 Answers

3

I managed to figure it out! Because my company does not use issuance policies, there was nothing for the certificate to resolve to. So, to fix this, I changed the template from using issuance policies to using application policies.

To do this, open the properties of the certificate template.

Click the "Issuance Requirements" tab.

In the "Policy type required in signature:" dropdown, select "Application policy".

Next, in the "Application policy:" dropdown, select "Certificate Request Agent". This gives you the permissions to use that template.

Simply import the template onto the CA and you're done.

nedwards86
1

You need to set security on the template to allow it to be used by you. By default templates aren't usable. You do this from the Certificate Manager on the Sub-CA.

On the server running the CA:

  • Open the Certificate Authority MMC.
  • Browse to the Certificate Templates.
  • Right-click on Templates and select 'Manage'.
  • This opens up a new MMC.
  • Find the certificate that you copied.
  • Right-click on it and select Properties.
  • Go to the Security tab.
  • Ensure that whatever user (or computer) you're using to request certificates is in this list.

That should allow the template to be visible to you.

sysadmin1138
  • Thank you for the reply. Unfortunately, even after granting myself and the system permission over the template, I am still unable to use it. The error message is the same. – nedwards86 Oct 08 '10 at 16:58
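
A read-only check that covers both answers above, as an added example that is not part of the original posts: it reads the template's issuance-requirement attributes from Active Directory and lists the principals that hold the Enroll right on it. The template name `CustomSmartcardUser` is a hypothetical placeholder, and the script assumes it runs on a domain-joined machine under an account that can read the Configuration partition.

```powershell
# Added example: read-only audit of one certificate template object in AD.
param([string]$TemplateName = 'CustomSmartcardUser')   # hypothetical template CN

$EnrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$RequestAgent = '1.3.6.1.4.1.311.20.2.1'                      # Certificate Request Agent OID

# Certificate templates are stored in the forest's Configuration partition.
$configNC = ([adsi]'LDAP://RootDSE').psbase.Properties['configurationNamingContext'].Value
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template not found: $path"
}
$props = ([adsi]$path).psbase.Properties

# "Issuance Requirements" tab: signature count and the policy the signature must carry.
$sigCount  = [int]$props['msPKI-RA-Signature'].Value
$issuance  = @($props['msPKI-RA-Policies'] | ForEach-Object { "$_" })
$appPolicy = @($props['msPKI-RA-Application-Policies'] | ForEach-Object { "$_" })

# "Security" tab: Allow ACEs granting Enroll, or all extended rights (empty ObjectType).
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$rules = ([adsi]$path).psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$enrollers = @($rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band $extended) -and
    ($_.ObjectType -eq $EnrollRight -or $_.ObjectType -eq [guid]::Empty)
} | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

# Summary object; the raw attribute values are kept so nothing is hidden by the flags.
New-Object psobject -Property @{
    Template              = $TemplateName
    AuthorizedSignatures  = $sigCount
    RAIssuancePolicies    = $issuance
    RAApplicationPolicies = $appPolicy
    SignaturePolicyEmpty  = ($sigCount -gt 0 -and -not $issuance -and -not $appPolicy)
    RequiresRequestAgent  = [bool]($appPolicy | Where-Object { $_ -like "*$RequestAgent*" })
    CanEnroll             = $enrollers
}
```

`SignaturePolicyEmpty` being true means the template asks for a signature but names no policy for it, and an account missing from `CanEnroll` (directly or through group membership) will not be offered the template.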