Windows 2003 Domain – Certificate Authority – New Automatic Certificate Request

Tags: active-directory, certificate, certificate-authority, windows-server-2003

I have an issue with a certificate authority in a Windows 2003 domain. We need one configured to allow SSL/TLS-encrypted traffic over LDAP so that our Application Gateway server is able to allow users to change domain passwords.

I do not have a lot of knowledge on certificates and the server functions of a CA.

We have had a CA set up on a domain server that is not a domain controller. This appears to be fine. However, when trying to add a new Automatic Certificate Request under the Public Key Policies section, I get strange results.

When carrying out this action, I choose the Domain Controller Certificate template and hit Next, and I get the following screen:

[Image: http://www.evilmunky.com/cafail.png]

I would actually expect to be able to choose the CA server at this point. Clicking Finish closes the wizard and there are no more options to choose from. Can anyone suggest some diagnostic steps I can take?

Best Answer

The templates you see in the Automatic Setup are determined by the security settings on the Certificate Templates on your CA server(s). Most computers can only get the Computer certificate because of how the security defaults are set. Another option open to you is to use the Certificates MMC to request it on the DC itself.

  1. Start -> Run -> MMC
  2. Add the "Certificates" snap-in, for the Computer Account
  3. Open the "Personal" store
  4. Right click on "Certificates" and go to All Tasks -> Request New Certificate
  5. This will give you a short list. On a DC it should have a "Domain Controller" option. Pick it.
  6. Go through the wizard

You should get a Domain certificate that'll be used for LDAPS.

However, if you DO NOT have an Enterprise CA you won't have some of these templates. A "Standalone CA" doesn't have the same features as the above. I don't have a lot of experience with those so I can't guide you.
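Once the Domain Controller certificate has been issued, the two things worth checking are that it actually landed in the DC's computer Personal store with the right properties, and that a client can complete a TLS handshake to port 636 and validate the chain. The script below is an added example, not code from the question or the answer. Part 1 is meant to run on the DC; part 2 can run from any Windows host with PowerShell (for instance where the Application Gateway administrator works), and `dc.example.local` is a placeholder for your DC's FQDN.

```powershell
# Added example, not part of the original post. Requires PowerShell on the host it runs on.

# ----- Part 1: run on the DC. List certificates in the computer's Personal store that
# LDAPS could use: private key present, Server Authentication EKU, not expired.
function Get-LdapsCandidateCertificate {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint, @{
        Name = 'Template'
        # Extension 1.3.6.1.4.1.311.20.2 is the v1 "Certificate Template Name" extension;
        # for a certificate issued from the Domain Controller template it reads DomainController.
        Expression = { ($_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }).Format($false) }
    }
}

# ----- Part 2: run from a client. Open a TCP connection to port 636 and perform a TLS
# handshake as the LDAPS client would. AuthenticateAsClient throws if the chain does
# not build to a root the *client* trusts or if the name does not match, which is
# exactly what the Application Gateway will hit if the enterprise CA's root
# certificate has not been distributed to it.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # DC FQDN, e.g. dc.example.local (placeholder)
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server     = $Server
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Subject    = $remote.Subject
            Issuer     = $remote.Issuer
            NotAfter   = $remote.NotAfter
            Thumbprint = $remote.Thumbprint
        }
    }
    finally {
        $client.Close()
    }
}

# Usage (placeholder host name):
#   Get-LdapsCandidateCertificate            # on the DC
#   Test-LdapsEndpoint -Server 'dc.example.local'   # from the gateway or an admin workstation
```

If part 1 returns nothing, the enrollment did not succeed and the Certificates MMC steps above need to be repeated (check the Failed Requests folder on the CA for the reason). If part 1 shows a certificate but part 2 throws an authentication exception, the usual cause is that the client does not trust the issuing CA's root, so compare the `Issuer` value against the client's Trusted Root Certification Authorities store before changing anything on the DC.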