Partilhar via


Certificate Templates Troubleshooting

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

What problem are you having?

  • The Certificate Templates Microsoft Management Console (MMC) does not list any templates after prompting to install new certificate templates.

  • Certificates are not being issued to clients.

  • Certificates are issued to subjects, but cryptographic operations with those certificates fail.

  • Domain controllers are not obtaining a domain controller certificate.

  • Clients are unable to obtain certificates via autoenrollment.

  • Names of certificate templates in the snap-in are inconsistent between views or windows.

  • The private key cannot be exported from smart card certificates, even whenAllow private key to be exportedis selected in the certificate template.

  • The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.

  • The private key is not being archived even though I selected theArchive subject's encryption private keyoption and configured the CA to require key recovery.

  • Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my private certificate store that I didn't put there.

The Certificate Templates Microsoft Management Console (MMC) does not list any templates after prompting to install new certificate templates.

Cause:  The certificate templates have not yet replicated to the certification authority (CA) that the computer is connected to. This replication is part of Active Directory replication.

Solution:  Wait for the certificate templates to replicate and then reopen the Certificate Templates MMC.

Certificates are not being issued to clients.

Cause:  The certification authority (CA) issuing certificate has a shorter remaining lifetime than the template overlap period configured for the request certificate template. This means the issued certificate would be immediately eligible for reenrollment. Instead of issuing and endlessly renewing this certificate the certificate request is not processed.

Solution:  Renew the issuing certificate used by the CA.

Certificates are issued to subjects, but cryptographic operations with those certificates fail.

Cause:  Cryptographic service provider does not match Key Usage settings.

Solution:  Confirm that you set the cryptographic service provider in the template to one that supports the type of cryptographic operation that the certificate will be used for.

See also:  Key type and cryptographic service provider type; Modify a Certificate Template

Domain controllers are not obtaining a domain controller certificate.

Cause:  Autoenrollment is turned off by way of Group Policy on domain controllers. Domain controllers obtain their certificates through autoenrollment.

Solution:  Enable autoenrollment for domain controllers.

See also:  Modify a Certificate Template

Cause:  The default Automatic Certificate Request setting for Domain Controllers has been removed from the Default Domain Controllers Policy.

Solution:  Create a new Automatic Certificate Request in the Default Domain Controllers Policy for the Domain Controller certificate template.

See also:  Automatic certificate request settings

Clients are unable to obtain certificates via autoenrollement.

Cause:  Security permissions must be set to allow intended subjects to both enroll and autoenroll on the certificate template. Both permissions are required to enable autoenrollment.

Solution:  Modify the access control list on the certificate template to grant Read, Enroll and Autoenroll permissions for the subjects that you want.

See also:  Allow subjects to request a certificate that is based on the template

Names of certificate templates in the snap-in are inconsistent between views or windows.

Cause:  Active Directory Sites and Services is being used to view the certificate templates. This tool may not provide as accurate a display as Certificate Templates.

Solution:  Use the Certificate Templates snap-in to administer certificate templates.

See also:  Modify a Certificate Template

The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template.

Cause:  Smart cards do not allow private keys to be exported once they are written to the smart card.

Solution:  None

See also:  Smart Cards

The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.

Cause:  Certificate templates are replicated between CAs with the Active Directory replication process. Because this replication is not instantaneous, there may be a short delay before the new version of the template is available on all CAs.

Solution:  Wait until the modified template is replicated to all CAs. To display the certificate templates that are available on the CA, use the Certutil.exe command.

See also:  Understanding Sites and Replication and Certutil.

The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery.

Cause:  Private keys will not be archived when the key usage for the certificate template is set to Signature. This is because the digital signature usage requires the key to not be recoverable.

Solution:  None

See also:  Establishing key options and key archival and Key archival and recovery.

Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my private certificate store that I didn't put there.

Cause:  When using the smart card enrollment station on the administrator's computer to renew or change the certificate stored on the smart card, the certificate from the smart card is copied to the administrator's private certificate store. This certificate may be processed by autoenrollment and prompt you to begin the renewal process.

Solution:  Click Start to begin the autoenrollment renewal process. Because the certificate is not yours, the autoenrollment process will disappear at that point. If you want to remove the certificates from your private store, they can be deleted manually.

See also:  Delete a certificate.