One of the most common certificate troubleshooting tasks I encounter is figuring out why a particular certificate template is not available when a user or computer tries to request a certificate. Creating a new certificate template does not necessarily mean that you are ready to start issuing certificates based on it. We also need to publish the new template so that the CA server knows it is ready to be issued to computers and users. The template properties also include a security section, where you define who or what is allowed to request certificates based on that template. In this recipe, we will find those settings and configure our new certificate template so that any domain-joined workstation is allowed to request a certificate from it.
In order to issue certificates based on a particular template, we need to publish that template and adjust its security properties:
IPsec Certificate
.
A new certificate template doesn't do us any good without a couple of extra steps to publish it. We need to specify that the new template is to be issued, which is simple to do but isn't immediately obvious inside the CA management console. We also need to make sure that the permissions set on the certificate template line up with the purpose for which the certificate is intended. If user accounts are going to be requesting certificates, then you will have to add users or user groups and grant them enroll permissions. If computer accounts are going to be the ones making the requests, then make sure that the appropriate groups are added with enroll rights as well.
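The same two steps, permissions and publishing, can be scripted and then checked. The PowerShell below is an added example, not part of the original recipe. The template short name `IPsecCertificate` is an assumed placeholder (a template's short name can differ from its display name), and the group is the built-in Domain Computers group.

```powershell
# Added example. Run in an elevated session on the CA server with the
# ADCSAdministration and ActiveDirectory modules available.
Import-Module ADCSAdministration, ActiveDirectory

# Assumption: short name (CN) of the template, not its display name.
$TemplateName = 'IPsecCertificate'
# Group whose members should be allowed to request certificates.
$GroupName    = 'Domain Computers'

# Control access right "Certificate-Enrollment" (the Enroll permission).
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates are stored in the forest's Configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates," +
              "CN=Public Key Services,CN=Services,$configNC"
$adPath     = "AD:\$templateDN"

# 1. Grant the group Read and Enroll on the template object.
$sid    = (Get-ADGroup -Identity $GroupName).SID
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$readRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $sid, $rights::GenericRead, $allow)
$enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $sid, $rights::ExtendedRight, $allow, $EnrollGuid)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($readRule)
$acl.AddAccessRule($enrollRule)
Set-Acl -Path $adPath -AclObject $acl

# 2. Publish the template on this CA if it is not already being issued.
if (-not (Get-CATemplate | Where-Object Name -eq $TemplateName)) {
    Add-CATemplate -Name $TemplateName -Force
}

# 3. Review: list every principal that now holds Enroll on the template.
#    Anything broader than intended (for example Authenticated Users on a
#    computer-only template) should be removed.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.ObjectType -eq $EnrollGuid -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
```

If a request still fails after this, compare the output of step 3 with the account making the request, and confirm the template name appears in `Get-CATemplate` on the CA that the client is contacting.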