Friday, April 16, 2010

Windows Server 2008 R2 CA: SCOM Certificate template not listed

On a previous posting about creating a SCOM Certificate template I got a comment that a CA based on Windows Server 2008 R2 does not list the template, even when the whole procedure from that posting was followed to the end.

So time for a follow up.

As we all know, Windows Server 2008 R2 is far more locked down than Windows Server 2008 (SP1). As a result, many things work a bit differently. The same goes for a CA based on Windows Server 2008 R2.

When a SCOM Certificate template is created and also added to the CA, it is still not shown in the list of available templates.

The security settings of the template need some adjustment. To get it working as fast as possible, follow this procedure:

Step 1: Remove the SCOM Certificate template from the CA.

  1. Go to Start > type MMC <enter> > File > Add/Remove Snap-in > select Certificate Templates and Certification Authority (local computer) > OK.

  2. Go to Certification Authority (Local) > [server name of local CA] > Certificate Templates. Select the SCOM Certificate, right-click it and select Delete. Click Yes.
    The SCOM Certificate is now deleted from the local CA, but it is still present as a certificate template in the Certificate Templates store.

Step 2: Changing the Security settings of the SCOM Certificate template.

  1. Go to Certificate Templates (server name) and double click the SCOM Certificate template.

  2. Go to the Security tab, click Add > Object Types and check Computers. Click OK.

  3. In this screen, type the name of the CA server that also hosts the web interface of the CA. In this case, SV01. Click Check Names > OK.

  4. Select the server and grant it the Read and Enroll permissions. Click Apply > OK.

Step 3: Rapidly publishing the SCOM Certificate template.

  1. In the MMC, go to Certification Authority > expand this node > right-click Certificate Templates > New > Certificate Template To Issue. Select the new template (SCOM Certificate) and click OK.

  2. Open a command prompt and type: gpupdate /force. Wait for it to finish.

Step 4: Testing it.

  1. Open IE, go to the web interface of the CA (http://localhost/certsrv) > Request a Certificate > advanced certificate request > Create and submit a request to this CA > under the header Certificate Template: open the drop-down box. The SCOM Certificate template is now listed.
    Now all is well! :)
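The same four steps can be driven from PowerShell on the CA, which makes the permission change explicit and easy to review afterwards. The script below is an added example and is not part of the original posting; it assumes the template's common name (its object name in Active Directory) is SCOMCertificate, that the CA server which also hosts the web enrollment pages is SV01, and that the ActiveDirectory module (RSAT) and certutil are available on the CA. It grants Read and Enroll to that single computer account only, exactly as Step 2 does in the MMC, and then lists every principal that holds Enroll on the template so you can confirm the template has not been opened up wider than intended.

```powershell
# Added example (not from the original post): Steps 1-4 from the procedure
# above, run from PowerShell instead of the MMC.
# Assumptions: template common name 'SCOMCertificate', CA / web enrollment
# server 'SV01', ActiveDirectory module and certutil present on the CA.
Import-Module ActiveDirectory

$templateName = 'SCOMCertificate'   # assumed common name of the template
$caComputer   = 'SV01'              # assumed CA / web enrollment server

# Step 1: remove the template from the list of templates the CA issues.
# certutil -SetCATemplates: a leading '-' removes a template, '+' adds one.
certutil -SetCATemplates "-$templateName" | Out-Null

# Step 2: grant the CA computer account Read and Enroll on the template
# object. Templates live in the Configuration naming context of the forest.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$sid        = (Get-ADComputer -Identity $caComputer).SID

# 'Enroll' on the Security tab is the Certificate-Enrollment extended right;
# its GUID is fixed in the AD schema.
$enrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$acl = Get-Acl -Path "AD:\$templateDN"

# Read on the Security tab corresponds to GenericRead on the object.
$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Enroll is an ExtendedRight ACE scoped to the enrollment right's GUID.
$enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $enrollRight)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($enrollRule)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Check: show exactly which principals now hold Enroll on this template.
# Only the CA computer account (and whatever was there before) should appear.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.ObjectType -eq $enrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights

# Step 3: publish the template on the CA again and refresh policy.
certutil -SetCATemplates "+$templateName" | Out-Null
gpupdate /force | Out-Null

# Step 4: list the templates this CA issues; the SCOM template should be among them.
certutil -CATemplates
```

Run it in an elevated PowerShell session on the CA. The final certutil -CATemplates listing is the command-line counterpart of the drop-down box in the certsrv web interface; if the template appears there but still not in the browser, the Enroll listing printed earlier tells you which account the web enrollment request is (or is not) being made as.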

1 comment:

Dustin said...

Hi, thanks for the tip, however, this did not work for me. You DID put me on the correct path though.

I added Anonymous Login and Everyone with the same perms (enroll and read).

Now my custom template is showing up. Again, THANKS for leading me down the right path!