Setup Server 2019 Enterprise CA 5/5: Deploy Policy Templates

Previous: Setup Group Policy

 

After setting up an Enterprise CA, a number of certificate templates are available out of the box. In this post I will demonstrate how to create a new certificate template by duplicating an existing one, publish it on the CA so it can be issued, and test it by requesting a certificate from a domain-joined computer.

Deploy Policy Templates

 

1. On the Subordinate CA start the “Certification Authority” console and select “Certificate Templates”. In the right pane all templates that this CA is currently allowed to issue are visible. Depending on the template, a certificate can be requested by a user account, a computer account, or a service.

 

2. To add a new template, right-click “Certificate Templates” and select “Manage”.

 

3. The “Certificate Templates” console opens with an overview of all templates defined in Active Directory (published or not).

 

4. Do not edit the built-in templates directly. Right-click the template that comes closest to what you need and select “Duplicate Template”.

 

5. Give the new template a unique name on the “General” tab. Before pressing “OK”, check the “Security” tab: only the users or groups that should be able to request this certificate need the “Enroll” permission (and “Autoenroll” if the certificate is to be deployed automatically). A template that an account is not allowed to enroll for is shown greyed out with a red X on the client, or not at all. Press “OK”.

 

6. Back in the “Certification Authority” console, right-click “Certificate Templates” and select “New” -> “Certificate Template to Issue”.

 

7. In the “Enable Certificate Templates” list, select the template you just created and press “OK”. The list is read from Active Directory, so a template created a moment ago on another server may not appear until replication has completed.

 

8. The template is now visible in the “Certificate Templates” pane and can be issued by this CA.
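The same publish step (and the permission check from step 5) can be done from PowerShell on the Subordinate CA. The script below is an added example and is not part of the original post: it looks up the duplicated template in the Configuration partition, prints the settings a practitioner wants to see before publishing (EKUs, whether the requester supplies the subject name, whether manager approval is required, and who holds Enroll/Autoenroll), and then publishes the template with `Add-CATemplate`. It assumes the ActiveDirectory and ADCSAdministration modules are installed and that you run it as a CA administrator. The template name `Lab-User-Auth` is an assumption; use the name you chose in step 5.

```powershell
# Added example (not from the original post): inspect a duplicated template in AD and
# publish it on this CA. Assumes ActiveDirectory + ADCSAdministration modules and
# that it runs on the Subordinate CA with CA-administrator rights.
param(
    [string]$TemplateName = 'Lab-User-Auth'   # assumed name; replace with the name from step 5
)

Import-Module ActiveDirectory
Import-Module ADCSAdministration

# Well-known extended-right GUIDs that appear on template ACLs
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates live in the Configuration partition; the "Certificate Template to Issue"
# dialog only lists what has replicated to the DC this CA is talking to.
$configNC = (Get-ADRootDSE).configurationNamingContext
$tplBase  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $tplBase `
        -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
        -Properties displayName, msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag,
                    pKIExtendedKeyUsage, msPKI-Template-Schema-Version

if (-not $tpl) {
    throw "Template '$TemplateName' not found under $tplBase. Either the name differs from step 5 or AD replication has not caught up yet."
}

# msPKI-Certificate-Name-Flag bit 1 = ENROLLEE_SUPPLIES_SUBJECT: the requester, not AD, picks the subject.
$subjectFromRequest = ($tpl.'msPKI-Certificate-Name-Flag' -band 1) -ne 0
# msPKI-Enrollment-Flag bit 2 = PEND_ALL_REQUESTS: CA manager approval required.
$managerApproval    = ($tpl.'msPKI-Enrollment-Flag' -band 2) -ne 0

"Template                   : {0} ({1})" -f $tpl.displayName, $tpl.Name
"Schema version             : {0}" -f $tpl.'msPKI-Template-Schema-Version'
"EKUs                       : {0}" -f ($tpl.pKIExtendedKeyUsage -join ', ')
"Subject supplied in request: $subjectFromRequest"
"Manager approval required  : $managerApproval"

# Who may enroll? This is what the Security tab in step 5 controls. An account without
# Enroll sees the template greyed out with a red X on the client (or not at all).
function Get-EnrollRight([System.DirectoryServices.ActiveDirectoryAccessRule]$ace) {
    if ($ace.AccessControlType -ne 'Allow') { return $null }
    if (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) { return 'FullControl' }
    if (($ace.ActiveDirectoryRights -band $ExtendedRight) -ne $ExtendedRight) { return $null }
    switch ($ace.ObjectType) {
        $EnrollRight     { return 'Enroll' }
        $AutoEnrollRight { return 'AutoEnroll' }
        ([guid]::Empty)  { return 'AllExtendedRights' }   # unscoped ExtendedRight covers Enroll too
        default          { return $null }
    }
}

$acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
"Accounts that can enroll:"
$acl.Access |
    ForEach-Object { $r = Get-EnrollRight $_; if ($r) { [pscustomobject]@{ Identity = $_.IdentityReference; Right = $r } } } |
    Format-Table -AutoSize

# Publish the template on this CA (steps 6-7 in the GUI); skip if already published.
if (Get-CATemplate | Where-Object Name -eq $tpl.Name) {
    "Template '$($tpl.Name)' is already published on this CA."
} else {
    Add-CATemplate -Name $tpl.Name -Force
    "Published '$($tpl.Name)'. Clients see it after their next enrollment-policy refresh (certutil -pulse, or log off and on)."
}
```

Run it before publishing each new template: if `Subject supplied in request` is `True` on a template meant for users or computers, go back to the “Subject Name” tab and let the name be built from Active Directory instead, and make sure the Enroll list contains only the group you intend.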

 

Test the template

9. Log on to a domain-joined computer. Start “MMC” and select “File” -> “Add/Remove Snap-in”.

 

10. Select the “Certificates” snap-in and press “Add”.

 

11. Select “My user account” in the Certificates snap-in popup and press “Finish”. Press “OK” to close the snap-in manager. (Select “My user account” only for user templates; for computer templates select “Computer account”, which requires local administrator rights.)

 

12. Right-click “Personal” and select “All Tasks” -> “Request New Certificate”.

 

13. Press “Next”.

 

14. Press “Next” (by default “Active Directory Enrollment Policy” is selected).

 

15. The “Request Certificates” overview lists the user templates this account is allowed to enroll for; the template you created should be among them. If it is missing, tick “Show all templates” to see whether it is listed as unavailable (no Enroll permission, or a computer template requested from the user store). Check the box of the created template and press “Enroll”.

 

16. The certificate is requested from the CA. After a moment the status should be “Succeeded”. Press “Finish” to continue.

 

17. The new certificate is now visible under “Personal” -> “Certificates”.
</gml_replace>
<gr_replace lines="83" cat="clarify" orig="18. When you">
18. Double-click the certificate and select “Certification Path”: you should see the Root CA, the Subordinate CA and the requested certificate, and the certificate status should read “This certificate is OK.” If the chain is incomplete or a CRL cannot be found, revisit the CDP/AIA settings from the earlier parts of this series.

 

18. When you doubleclick the Certificate and select “Certification Path” you should see the RootCA, SubordinateCA and requested Certificate. All Certificates should be “OK”
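Steps 9 to 18 can also be run unattended from the client, which is handy when testing several templates or a computer template. The script below is an added example and not part of the original post: it requests a certificate from the template with `Get-Certificate` (built-in PKI module, Windows 8 / Server 2012 and later), handles the pending case for templates that require manager approval, then builds the chain with online revocation checking and prints each element, so a missing Root CA or an unreachable CRL shows up immediately rather than as a red X in the MMC. The template name `Lab-User-Auth` is an assumption; use the Name (not the display name) of your template.

```powershell
# Added example (not from the original post): request a certificate from a published
# template and verify its chain, the scripted equivalent of steps 9-18.
# Assumes a domain-joined client, the built-in PKI module (Get-Certificate) and that the
# current account has Enroll on the template.
param(
    [string]$TemplateName  = 'Lab-User-Auth',        # assumed; the template Name, not its display name
    [string]$StoreLocation = 'Cert:\CurrentUser\My'  # Cert:\LocalMachine\My for computer templates (run elevated)
)

$result = Get-Certificate -Template $TemplateName -CertStoreLocation $StoreLocation -ErrorAction Stop

switch ($result.Status) {
    'Issued'  { "Issued : $($result.Certificate.Subject)  thumbprint $($result.Certificate.Thumbprint)" }
    'Pending' {
        # Template has "CA certificate manager approval" set: issue later from the CA console,
        # then finish with: Get-Certificate -Request $result.Request
        "Pending: request stored in $($StoreLocation -replace '\\My$','\REQUEST'); approve on the CA and re-run with -Request"
        return
    }
    default   { throw "Enrollment returned '$($result.Status)'. Check Enroll permission on the template and user vs. computer store." }
}

$cert = $result.Certificate

# Which template did the CA actually apply? v2+ templates carry 1.3.6.1.4.1.311.21.7,
# v1 templates the older 1.3.6.1.4.1.311.20.2 "Certificate Template Name".
$cert.Extensions |
    Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
    ForEach-Object { "Template ext: {0}" -f $_.Format($false) }

# Build the chain the way the "Certification Path" tab does, but with revocation
# checked online so a broken CDP from the earlier posts is caught here.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$valid = $chain.Build($cert)

"Chain valid: $valid ($($chain.ChainElements.Count) elements, leaf first)"
foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    "  {0,-60} {1}" -f $el.Certificate.Subject, $status
}

# Two-tier PKI from this series: leaf -> Subordinate CA -> Root CA.
if ($chain.ChainElements.Count -ne 3) {
    Write-Warning "Expected 3 chain elements (leaf, Subordinate CA, Root CA), got $($chain.ChainElements.Count)."
}
if (-not $valid) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}
```

A chain that builds with `RevocationStatusUnknown` or `OfflineRevocation` means the certificate is fine but the client cannot reach the CRL distribution point; that is a CA configuration problem (CDP/AIA), not a template problem, and will also show up in the MMC as a red X on the Certification Path tab.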

 

This was the final post of the Setup Server 2019 Enterprise CA tutorial.

Add a comment if you have questions.


4 thoughts on “Setup Server 2019 Enterprise CA 5/5: Deploy Policy Templates”

  1. Shawn C.

    I am having an issue with the new template not showing up when requesting a new certificate. It shows the default 4 templates, but not the new CA templates. If I choose “Show all templates” by checking that option, I see all of the templates, but they all say unavailable and have a red X.

    Reply
    1. Aad Lutgert Post author

      Hi Shawn,

      How did you open the certificate console (step 11)? Some certificates need to be requested by the computer account (select computer account) and others by a user account (select user account). There is also a possibility you do not have permissions to enroll the certificate. Then you need to check the Security tab of the new template (see step 5).

      best regards,

      Aad Lutgert

      Reply
  2. Edwin Flores

    First let me say that its been a really good guide for PKI.
    I get to the point where I am configuring the templates, so I configured a couple of templates, duplicating as you said. When I go to New > Certificate Template to Issue, so they show up as available, the new templates are not part of the list I can choose from. It says that I should wait for replication, but nothing works. Any idea?
    Also, you didn't mention anything about the configuration IIS needs for the web enrollment service to work (https).

    Reply
    1. Aad Lutgert Post author

      Hi Edwin,

      Thanks for visiting the website. I’m not familiar with the issue you describe. Did you check the logging on the client where you request the certificate, and did you check if the certificate server is accessible from your client?

      You are correct about the web enrollment service, it’s not included in this guide. I will try to add this part later.

      best regards,

      Aad Lutgert

      Reply
