Win 2000 Certificate Services "computer" template not accessible from web enrollment

Greg Lague

I have set up the Windows CA and it is working just fine except for one
thing. I need to use certificates for two-way authentication for computers
and servers on the network and so, I need to use the computer template via
the web enrollment. When I point a browser to the CertSrv and request a new
advanced certificate there are a few options available (Administrator, EFS,
User, Domain Controller, etc.) but no computer. I have followed directions
from MS TechNet on how to change the security and access to the templates
but they change nothing in the view when I go to enroll.

I have set up the CA using MS Enhanced Crypto and not just the Base. The
server is the domain controller (Active Directory) and DNS. I have read
everything MS has on their web site and googled this to death.. still no
answer. Maybe someone in this group can help.


thanks in advance,
Greg
 
Paul Adare - MVP - Microsoft Virtual PC

@twister01.bloor.is.net.cable.rogers.com>, in the
microsoft.public.win2000.security news group, Greg Lague
> I have set up the CA using MS Enhanced Crypto and not just the Base. The
> server is the domain controller (Active Directory) and DNS. I have read
> everything MS has on their web site and googled this to death.. still no
> answer. Maybe someone in this group can help.

There are a couple of reasons that this template does not show up on the
web page. First off, it is a template for computers and not users, and
when you use the web page for enrollment, you are using the security
context of the logged in user. Secondly, this template requires the CA
to fill in the subject name, which since you're accessing the web page
via the user's security context, this can't be done.

You have a couple of options here:

1. Use the Certificate MMC to request the certificate.
2. Use autoenrollment.
3. Copy the template and in the new template, change the settings to
allow the subject to be submitted with the request. Then, on the web
page, fill in the subject and check the local system box on the web
page.
 
Greg Lague

Thanks a bunch. I used option 1, via the MMC, to place the cert on the
computer. That's OK, but you don't have access to options when you do that,
like Export Keys, which I also need. Option 3 is not possible with 2000 but
I believe with 2003.

I appreciate your reply.
Greg
 
