I recently hit a brick wall while trying to update a certificate template in my stand-alone Server 2016 Certificate Authority.
My goal was to add the “Client Authentication” policy to the Web Server template, but whilst I could create the new template without any problems, Windows wouldn’t let me add it to the list of “certificates to issue”.
Copying Templates
The process to copy a certificate template is fairly well documented. The short version is:
- Launch the Certificate Authority MMC:
- Right-click Certificate Templates and select Manage, which opens the “Certificate Templates Console”.
- Right-click on the certificate you want to copy and select Duplicate Template.
- Make the required changes to this template, including of course giving it a new name on the General tab:
- OK to save.
- Close the Certificate Templates Console.
- Revert to the Certificate Authority MMC.
- Right-click Certificate Templates and select New / Certificate Template to Issue:
- On the Enable Certificate Templates dialog, click the new template and… Hang on: it’s not there!
Much Googling revealed a range of suggested fixes. Most of those centred on permissions on the Security tab, with a few suggesting changes to the Compatibility and Subject Name tabs, but none of them worked.
It took me ages to stumble on it (and months passed in between attempts at resolving this) but in the end it was something as simple as using certutil to do what the GUI wouldn’t:
PS C:\> certutil -setcatemplates +WebServerwithClientAuth
0: WebServerwithClientAuth: Adding
CertUtil: -SetCATemplates command completed successfully.
PS C:\>
BAM!
(Note that in the above you need to use the template’s “Template Name” (the Template name field on the General tab, not the display name; see the image in Step 4).)
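The same fix as a script, added here as an example and not part of the original post: it resolves a template’s Template Name from its display name in the AD Configuration partition, checks whether the CA already issues it, and only then runs certutil -setcatemplates. It assumes it runs on the Enterprise CA as a CA administrator; the display name is a placeholder, and the line format matched from certutil -CATemplates is an assumption.

```powershell
# Added example, not from the original post.
param(
    [string]$DisplayName = 'Web Server with Client Auth'   # placeholder display name
)

# Certificate templates live in the Configuration partition, not the domain partition.
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Match on displayName; the value certutil wants is the object's cn (the "Template name" field).
$template = $container.Children |
    Where-Object { $_.displayName -eq $DisplayName } |
    Select-Object -First 1

if (-not $template) {
    throw "No template with display name '$DisplayName' found under $($container.distinguishedName)."
}
$templateName = [string]$template.cn

# certutil -CATemplates lists the templates this CA currently issues; the assumed
# line format is "<TemplateName>: <Display Name> -- ...", so match on the leading name.
$pattern = "(?m)^$([regex]::Escape($templateName)):"
$issued  = certutil -CATemplates 2>&1 | Out-String
if ($issued -match $pattern) {
    Write-Host "'$templateName' is already in the CA's issue list."
    return
}

# The fix from the post: add the template by its Template Name, not its display name.
certutil -setcatemplates "+$templateName"
if ($LASTEXITCODE -ne 0) {
    throw "certutil -setcatemplates failed with exit code $LASTEXITCODE"
}

# Re-check so a silent failure (stale CA object, missing Enroll/Read permission)
# is not mistaken for success.
$issued = certutil -CATemplates 2>&1 | Out-String
if ($issued -match $pattern) {
    Write-Host "'$templateName' is now enabled for issuance."
} else {
    Write-Warning "'$templateName' still not listed; check the template's Security tab and the CA's AD object."
}
```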
It’s now visible in the Certificate Authority MMC:
… and also the web enrolment page:
Credit
I found the fix in Vadims Podāns’ Certificate Autoenrollment in Windows Server 2016 (part 3).
Revision History
12th September 2020. This is the initial publication.
– G.
Having a very similar problem. Being that the symptoms are identical but none of your proposed solutions are working. There used to be a separate CA on the network, but that server has been long decommissioned. I can’t help but think that there is a reference to the old server somewhere that is preventing the Certificate Template from being recognized.
I verified that the Server is an Enterprise Root via regedit:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\\CAType = 0