Server 2016 – Unable to set Certificate to Issue

I recently hit a brick wall while trying to update a certificate template in my stand-alone Server 2016 Certificate Authority.

My goal was to add the “Client Authentication” policy to the Web Server template, but whilst I could create the new template without any problems, Windows wouldn’t let me add it to the list of “certificates to issue”.

Copying Templates

The process to copy a certificate template is fairly well documented. The short version is:

  1. Launch the Certificate Authority MMC:
  2. Right-click Certificate Templates and select Manage, which opens the “Certificate Templates Console”.
  3. Right-click on the certificate you want to copy and select Duplicate Template.
  4. Make the required changes to this template, including of course giving it a new name on the General tab:
  5. OK to save.
  6. Close the Certificate Templates Console.
  7. Revert to the Certificate Authority MMC.
  8. Right-click Certificate Templates and select New / Certificate Template to Issue:
  9. On the Enable Certificate Templates dialog, click the new template and… Hang on: it’s not there!

Much Googling revealed a range of suggested fixes. Most of those centred on permissions on the Security tab, with a few suggesting changes to the Compatibility and Subject Name tabs, but none of them worked.

It took me ages to stumble on it (and months passed in between attempts at resolving this) but in the end it was something as simple as using certutil to do what the GUI wouldn’t:

PS C:\> certutil -setcatemplates +WebServerwithClientAuth
0: WebServerwithClientAuth: Adding
CertUtil: -SetCATemplates command completed successfully.
PS C:\>

BAM!

(Note in the above you need to use the template’s “Template Name”; see the image in Step 4.)
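The same certutil fix wrapped in a check-add-verify sequence, as an added example that is not part of the original post. The function name Publish-CATemplateByName is hypothetical, and the parsing assumes certutil -CATemplates prints one "TemplateName: Display Name ..." line per published template; run it in an elevated session on the CA server.

```powershell
# Added example (not from the original post): publish a template by its
# "Template Name" and confirm the CA now lists it.
function Publish-CATemplateByName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$TemplateName   # Template Name from the General tab, not the display name
    )

    # Assumption: certutil -CATemplates emits "TemplateName: Display Name ..." per line,
    # so the text before the first colon is the name to compare against.
    $isPublished = {
        $listing = & certutil.exe -CATemplates
        [bool]($listing | Where-Object { ($_ -split ':', 2)[0].Trim() -eq $TemplateName })
    }

    if (& $isPublished) {
        Write-Output "'$TemplateName' is already in the list of templates to issue."
        return
    }

    # The command from the post: a leading "+" adds to the existing list.
    & certutil.exe -SetCATemplates "+$TemplateName"
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -SetCATemplates failed with exit code $LASTEXITCODE."
    }

    # Do not trust the success message alone; re-read the CA's list.
    if (-not (& $isPublished)) {
        throw "'$TemplateName' is still not listed by certutil -CATemplates."
    }
    Write-Output "'$TemplateName' added to the list of templates to issue."
}

Publish-CATemplateByName -TemplateName 'WebServerwithClientAuth'
```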

It’s now visible in the Certificate Authority MMC, and also the web enrolment page.

Credit

I found the fix in Vadims Podāns’ Certificate Autoenrollment in Windows Server 2016 (part 3).

Revision History

12th September 2020. This is the initial publication.

 
– G.
