Windows – Certificate Not showing on the Web console

Tags: active-directory, certificate, ssl-certificate, windows, windows-server-2008

On Windows 2008 R2, with an AD level of Windows 2008 R2,
we need to create a cert to allow users/admins to enroll via the Web service page (https://CA/certsrv/).

On the CA, right-click Certificate Templates and select Manage.
In the certificate templates, we've created a duplicate of an existing cert and configured it with a new name.
– The cert has Domain Computers with Read/Enroll permission
– "Supply in the request" is selected
I ran certutil -setCAtemplates to add it to the cert templates.

On the web service page https://CA/certsrv > Request a certificate > Advanced certificate request > Create and submit a request to this CA, we only see a short list of certificate templates.

Does anyone have an idea how to publish a cert so that it is shown on the web page?
What step am I missing here?

Best Answer

The two most common problems I see with this are either permissions related or template version related.

The user logged into the certsrv site needs to have both Read and Enroll permissions on the certificate template. If they don't, it won't show up in the list of available templates.

Also, when duplicating the template, you were likely asked what version to make it and given an option of "Windows Server 2003" or "Windows Server 2008". The certsrv web site is only compatible with the Windows Server 2003 based templates, which I think corresponds to version 2. Ironically, this same limitation is present all the way through Windows Server 2012 R2. The certsrv site still can't use version 3 templates. Here's the related KB article, as you found:

Version 3 (CNG) Templates Will Not Appear in Windows Server 2008 or Windows Server 2008 R2 Certificate Web Enrollment
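
Both causes named in the answer can be checked for a single template by reading its object from Active Directory. The PowerShell below is an added example, not part of the original answer; the template name `WebEnrollCopy` is hypothetical, and the script assumes it runs on a domain-joined machine under an account that can read the Configuration partition.

```powershell
# Added example. 'WebEnrollCopy' at the bottom is a hypothetical template name
# (use the template's CN, not its display name).
function Get-CertSrvTemplateStatus {
    param([Parameter(Mandatory = $true)][string]$TemplateName)

    $enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right
    $adRights    = [System.DirectoryServices.ActiveDirectoryRights]
    $configNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates," +
            "CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template object not found: $path"
    }
    $tpl = [ADSI]$path

    # Template version: the answer says certsrv does not list version 3 templates.
    $version = $tpl.psbase.Properties['msPKI-Template-Schema-Version'].Value

    # Permissions: collect Allow ACEs per identity (Read and Enroll are usually separate ACEs).
    $perId = @{}
    $aces = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $aces) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs are not evaluated here
        $id = $ace.IdentityReference.Value
        if (-not $perId.ContainsKey($id)) { $perId[$id] = @{ Read = $false; Enroll = $false } }
        $mask = [int]$ace.ActiveDirectoryRights
        $read = [int]$adRights::GenericRead
        if (($mask -band $read) -eq $read) { $perId[$id].Read = $true }
        $isExtended = ($mask -band [int]$adRights::ExtendedRight) -ne 0
        $forEnroll  = ($ace.ObjectType -eq $enrollRight) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($isExtended -and $forEnroll) { $perId[$id].Enroll = $true }
    }

    # One row per identity, with the template version repeated on each row.
    foreach ($id in $perId.Keys) {
        New-Object PSObject -Property @{
            Identity      = $id
            Read          = $perId[$id].Read
            Enroll        = $perId[$id].Enroll
            SchemaVersion = $version
            Version3      = ($version -ge 3)
        }
    }
}

Get-CertSrvTemplateStatus -TemplateName 'WebEnrollCopy' | Format-Table -AutoSize
```

Compare the rows with the account that signs in to certsrv and the groups it belongs to: per the answer, that account needs both Read and Enroll, and the template must not be version 3.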