How do I make MS Enterprise Certificate Authority actually use a custom template?


I'm working on setting up a three-tier PKI on a test network. We have 5 virtual machines running on a VMware host: a clone of an operational domain controller, a standalone root CA (not a member of the domain), a standalone intermediate CA (member of the domain), a subordinate 'issuing' Enterprise CA, and a web server to host the CRLs, with an OCSP responder installed but not yet configured. All of the CAs and the web server are running Server 2012 R2; the web server is running IIS 8.

I've created a copy of the web server certificate template following the instructions at https://technet.microsoft.com/en-us/library/ee649187(v=ws.10).aspx and it shows up in the "Certificate Templates" container on the Certificate Authority snap-in. However, when I go to manage IIS and select "Create Domain Certificate", it still uses the old "web server" template. If I remove the old template from the Certificate Templates container, I get an error: "The certificate request was submitted to the online authority, but was not issued. The request was denied." Looking at the CA snap-in, I see a failed request that is trying to use the old web server template.

How do I make it use the new template?

Peter_V On

FWIW, it appears that I can't do what I want. I've come across a couple of articles on the web that indicate that IIS is hardcoded to only use the template called "Webserver".

I ended up solving my problem by requesting the new certificate using the "certificate" snap-in.
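
A scripted equivalent of the snap-in enrollment described in the answer above, added here as an example and not part of the original post. It requests a certificate from the Enterprise CA against a named template, then reads the issued certificate's template extension to confirm which template the CA applied. The template name and host name are hypothetical placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the domain-joined web server.
# Assumptions (hypothetical values, not from the post):
#   $TemplateName - the duplicated template's "Template name" (short name),
#                   which is not the same as its "Template display name"
#   $DnsName      - the host name the site will be served under
$TemplateName = 'CustomWebServer'
$DnsName      = 'web01.test.example'

# Enroll with the machine's identity. The computer account needs Read and Enroll
# permission on the template, and the template must be set to take the subject
# name from the request for -SubjectName / -DnsName to be honoured.
$result = Get-Certificate -Template $TemplateName `
                          -SubjectName "CN=$DnsName" `
                          -DnsName $DnsName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    # For example, the template requires CA manager approval and the request is pending.
    throw "Request not issued (status: $($result.Status)). Check the request queues on the CA."
}

$cert = $result.Certificate

# The Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7)
# records the template the CA used for version 2 and later templates.
$tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
$tmplInfo = 'template extension not present'
if ($tmplExt) { $tmplInfo = $tmplExt.Format($false) }

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    NotAfter   = $cert.NotAfter
    Template   = $tmplInfo
}
```

Because the certificate and its private key land in the local machine's Personal store, it then shows up under Server Certificates in IIS Manager and can be selected in the site's HTTPS binding.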