How to re-install the default certificate templates?
When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully install the templates.
That's nice and convenient, but what happens if you accidentally delete the template objects from Active Directory? The templates can be viewed and also deleted (with appropriate permissions) through the Active Directory Sites and Services MMC snap-in (dssites.msc) or with any other LDAP client.
So, what do you do if the templates or the OID container have disappeared? With a single command line you can get them back. As a prerequisite to installing the certificate templates you must have Create Child access on the templates container in Active Directory, which is the default setting for an enterprise administrator.
If you are running Windows Server 2003, use the following command with enterprise administrator permissions:
regsvr32 /i:i /n certcli.dll
If you have Windows Vista or Windows Server 2008 already in place, certutil.exe understands a new verb to re-install the templates. Certutil is included in all Windows Vista SKUs by default.
certutil -installdefaulttemplates
After performing one of the above commands you must restart the CA service.
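The following PowerShell script is an added example and is not part of the original post or Microsoft's own tooling. It ties the steps above together on a Windows Vista / Server 2008 (or later) machine: it reads the Configuration naming context, checks whether the Certificate Templates and OID containers still exist under Public Key Services, counts the template objects, and only then runs certutil -installdefaulttemplates and re-reads the container to confirm what came back. The Enterprise Admins check is an assumption of the example (it looks for the well-known RID 519 in the current token rather than reading the Create Child ACE on the container), and the -RestartCA switch is only meaningful when the script is run on the CA itself.

```powershell
<#
  Added example (not from the original post): verify the default certificate
  template objects in Active Directory and, on request, repopulate them with
  "certutil -installdefaulttemplates".
  Assumptions: domain-joined Windows Vista / Server 2008 or later, certutil.exe
  on the path, and a token that carries the Enterprise Admins group SID.
#>
[CmdletBinding()]
param(
    [switch]$Reinstall,   # run certutil -installdefaulttemplates even if templates exist
    [switch]$RestartCA    # the post says to restart the CA service afterwards; CA only
)

# The PKI containers live under the Configuration naming context of the forest.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = $rootDse.Get("configurationNamingContext")
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tmplPath = "LDAP://CN=Certificate Templates,$pkiBase"
$oidPath  = "LDAP://CN=OID,$pkiBase"

function Get-TemplateNames {
    # Return the cn of every child object in the templates container,
    # or an empty array when the container itself has been deleted.
    if (-not [ADSI]::Exists($tmplPath)) { return @() }
    $container = [ADSI]$tmplPath
    @($container.Children | ForEach-Object { $_.Properties["cn"].Value })
}

function Test-EnterpriseAdmin {
    # Heuristic (assumption of this example): Enterprise Admins is the group
    # with RID 519 in the forest root domain. The post states its members
    # have the required Create Child access on the container by default.
    $token = [Security.Principal.WindowsIdentity]::GetCurrent()
    [bool]($token.Groups | Where-Object { $_.Value -like "*-519" })
}

$before = Get-TemplateNames
Write-Host ("Templates container present: {0}" -f [ADSI]::Exists($tmplPath))
Write-Host ("OID container present:       {0}" -f [ADSI]::Exists($oidPath))
Write-Host ("Template objects found:      {0}" -f $before.Count)

if ($before.Count -gt 0 -and -not $Reinstall) {
    Write-Host "Templates are present; nothing to do (use -Reinstall to repopulate anyway)."
    return
}

if (-not (Test-EnterpriseAdmin)) {
    Write-Warning "Token does not carry the Enterprise Admins SID; certutil will probably be denied."
}

# Repopulate the default templates (and the OID container) from the local copies.
& certutil.exe -installdefaulttemplates
if ($LASTEXITCODE -ne 0) {
    Write-Error "certutil -installdefaulttemplates failed with exit code $LASTEXITCODE"
    return
}

# Re-read the container so the outcome is verified against AD rather than assumed.
$after = Get-TemplateNames
Write-Host ("Template objects after reinstall: {0}" -f $after.Count)
$after | Where-Object { $before -notcontains $_ } |
    ForEach-Object { Write-Host ("  restored: {0}" -f $_) }

if ($RestartCA) {
    # Only valid on the CA host; the service name is CertSvc.
    Restart-Service -Name CertSvc
}
```

Run it once without switches to audit the containers; rerun with -Reinstall (and -RestartCA on the CA) to perform the repair the post describes. Because the script re-enumerates the container after certutil returns, a zero exit code with no restored objects is a visible signal that the account lacked rights on the container rather than a silent success.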
The following two Knowledge Base articles describe scenarios where re-installing the certificate templates is the appropriate fix:
- You receive an error message, and event ID 53 is logged when a client computer requests a certificate from a Windows Server 2003 SP1-based CA (https://support.microsoft.com/kb/932457).
- Event ID 77 is logged in the Application log when the CertSvc service starts on a CA server that is running Windows Server 2003 with Service Pack 1 (https://support.microsoft.com/kb/931354).
Comments
Anonymous
June 08, 2010
Certificates make it easy for the small business employer to produce a professional-looking award to present to a deserving employee.
Anonymous
November 24, 2010
certutil -installdefaulttemplates does not require a restart of the certsvc service since it simply does a population of objects into the Certificate Templates container. Furthermore, it does not have to be executed on the CA itself since it is just creating objects within Active Directory; the CA itself is not affected by this in any way. A CA doesn't need to restart the certsvc service when new templates are created in Active Directory... ;)