Windows Server 2019 Cookbook

Publishing a certificate template to allow enrolment

One of the most common certificate troubleshooting issues is figuring out why a particular certificate template is not available when a user or computer tries to request a certificate. Creating a new certificate template does not necessarily mean that you are ready to start issuing certificates based on it. We also need to publish the new template so that the CA server knows it may issue certificates from it to computers and users. There is also a Security tab in the template properties, where you define who or what is allowed to request certificates based on that template. In this recipe, we will find those settings and configure our new certificate template so that any domain-joined workstation can request a certificate from it.

Getting ready

We are going to use a Windows 10 machine to manage a Windows Server 2019 Certificate Authority.

How to do it…

In order to issue certificates based on a particular template, we need to take some steps to publish and adjust the security properties of that template:

  1. Launch the Certification Authority management console from inside Server Manager or from the Start menu.
  2. If you receive an error message stating 1060 ERROR_SERVICE_DOES_NOT_EXIST, that's OK – we just need to add the CA server. Right-click Certification Authority (local) and choose Retarget Certification Authority…. Select Another Computer and enter the server name of your root CA. It may take a minute to connect.
  3. Expand the name of your CA server in the left-hand tree.
  4. Right-click on Certificate Templates and navigate to New | Certificate Template to Issue:

    Figure 4.16 – Adding a new certificate template to Issue

  5. Select your new template from the list and click on OK.

    The CA is now able to issue this certificate, but we have not configured any permissions or rules about who or what can use this certificate. So, let's continue and define some rules.

  6. Now, right-click on Certificate Templates and choose Manage.
  7. Find the template that you want to modify. For our recipe, we are modifying the new template called IPsec Certificate.
  8. Right-click on the template and choose Properties.
  9. Browse to the Security tab.
  10. Now, we need to set up permissions according to our requirements. For our example, we want to issue IPsec certificates to all domain-joined computers so that they can later be used during IPsec negotiations inside our network. Therefore, in our permissions, we add Domain Computers and we check the box to allow Enroll permissions:

Figure 4.17 – Configuring the Enroll permissions for Domain Computers for a certificate template

How it works…

A new certificate template doesn't do us any good without us fulfilling a couple of extra steps to publish that template. We need to walk through the process of specifying our new template to be issued, which is a simple option to accomplish but one that isn't immediately obvious inside the CA management console. Also, we need to make sure that the permissions we have set on our certificate template line up with the purpose that our certificate is intended for. If your user accounts are going to be requesting certificates, then you will have to add users or user groups and grant them enroll permissions. If computer accounts are going to be the ones making the requests, then make sure that the appropriate groups are entered in there with enrolling rights as well.
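The same two changes the recipe makes through the console (publishing the template on the CA, then granting Enroll on the template's Security tab), done in PowerShell so they can be repeated and verified. This is an added example, not code from the Windows Server 2019 Cookbook. It assumes an elevated session on the CA (or a management host with RSAT) with the ADCSAdministration and ActiveDirectory modules, the template display name IPsec Certificate and the Domain Computers group from the recipe, and an account with rights to edit the Certificate Templates container in the Configuration partition (Enterprise Admins by default).

```powershell
# Added example (not from the Windows Server 2019 Cookbook): publish a template on an
# AD CS CA, grant Domain Computers Read + Enroll on it, then verify both settings.
# Assumptions: elevated session on the CA or an RSAT host; ADCSAdministration and
# ActiveDirectory modules present; template display name and group as in the recipe.
Import-Module ADCSAdministration
Import-Module ActiveDirectory

$TemplateDisplayName = 'IPsec Certificate'   # from the recipe
$Principal           = 'Domain Computers'    # from the recipe

# Extended right GUID for Certificate-Enrollment: this is what the "Enroll" checkbox on the
# Security tab sets on the template object in Active Directory.
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Templates live in the Configuration partition, not on the CA itself.
$configNC          = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Resolve the display name to the template object; its CN is the name Add-CATemplate expects.
$template = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateDisplayName))"
if (-not $template) { throw "Template '$TemplateDisplayName' not found in $templateContainer" }

# Steps 4-5 of the recipe: make the CA issue the template (skipped if already published).
if (-not (Get-CATemplate | Where-Object Name -eq $template.Name)) {
    Add-CATemplate -Name $template.Name -Force
}

# Steps 6-10: grant Read + Enroll to Domain Computers on the template object. Read is
# needed alongside Enroll so the client can see the template; nothing broader is granted.
$sid     = (Get-ADGroup -Identity $Principal).SID
$aclPath = "AD:\$($template.DistinguishedName)"
$acl     = Get-Acl -Path $aclPath

$readRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)
$enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $EnrollRight)

$acl.AddAccessRule($readRule)
$acl.AddAccessRule($enrollRule)
Set-Acl -Path $aclPath -AclObject $acl

# Verification: the two settings that usually explain "template is not available".
$published = [bool](Get-CATemplate | Where-Object Name -eq $template.Name)
$acl       = Get-Acl -Path $aclPath
$enrollers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $EnrollRight } |
    Select-Object -ExpandProperty IdentityReference

"Published on CA  : $published"
"Enroll granted to: $($enrollers -join ', ')"

# Hygiene check: a machine-only IPsec template should not be enrollable by broad groups.
$broad = $enrollers | Where-Object { $_.Value -match 'Authenticated Users|Everyone|Domain Users' }
if ($broad) { Write-Warning "Enroll is granted to broad principals: $($broad -join ', ')" }

# From an elevated session on a domain-joined workstation, a real request proves the chain:
#   Get-Certificate -Template $template.Name -CertStoreLocation Cert:\LocalMachine\My
```

The ACL edit lands in the Configuration partition, so it has to replicate to the domain controller the CA uses before the CA and clients see it; if the template still does not appear straight away, wait for replication rather than widening the permissions. The final `Get-Certificate` call is the end-to-end test: it fails with a clear error if either the template is unpublished or the computer account lacks Enroll.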