Publishing a certificate template to allow enrollment

One of the most common certificate troubleshooting tasks I encounter is figuring out why a particular certificate template is not available when the user or computer tries to request a certificate. Having created a new certificate template does not necessarily mean that you are ready to start issuing certificates based on that template. We also need to publish our new template so that the CA server knows that it is ready to publish out to computers and users. There is also a security section of the template properties, where you need to define who or what has access to request certificates based on that template. In this recipe, we will find those settings and configure our new certificate template so that any domain joined workstation is allowed to request a certificate from our new template.

Getting ready

We are going to use the Windows Server 2016 machine that is our Enterprise Root CA.

How to do it…

In order to issue certificates based on a particular template, we need to take steps to publish and adjust the security properties of that template:

  1. Launch the Certification Authority management tool from inside Server Manager.
  2. Expand the name of your CA server in the left-hand tree.
  3. Right-click on Certificate Templates and navigate to New | Certificate Template to Issue.

    How to do it…

  4. Select your new template from the list and click on OK.
  5. Now right-click on Certificate Templates and choose Manage.
  6. Find the template that you want to modify. For our recipe, we are modifying the new template called IPsec Certificate.
  7. Right-click on the template and choose Properties.
  8. Browse to the Security tab.
  9. Now we need to set up permissions according to your requirements. For our particular example, we want to issue IPsec certificates to all domain joined computers so that they can later be used during IPsec negotiations inside our network. Therefore, in our permissions, we add Domain Computers and we check the box to allow Enroll permissions.

    How to do it…

How it works…

A new certificate template doesn't do us any good without a couple of extra steps to publish that template. We need to walk through the process of specifying our new template to be issued, which is a simple option to accomplish but one that isn't immediately obvious inside the CA management console. Also, we need to make sure that the permissions we have set on our certificate template line up with the purpose for which our certificate is intended. If your user accounts are going to be requesting certificates, then you will have to add users or user groups and grant them enroll permissions. If computer accounts are going to be the ones making the requests, then make sure that the appropriate groups are entered in there with enrolling rights as well.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.18.145