Cannot see “Certificate Template” while requesting certificate - VMware SSL install

Installing vCenter5.1 certificates is really tedious and confusing process at least first time even though VMware and Derek Seaman very well documented.

While working on updating VMware SSL certificates, I had an issue while submitting certificate request from the AD Certificate services webpage. Certificate template was missing from the drop down list. It’s due to the permissions issue on specific template.

As part of the process updated by Derek Seaman in step 10 and VMware documentation steps 6 in "Getting the certificate " section, when submitting the CSR request, need to select template name. Issue was, I was not able to find my certificate template (VMware-SSL) which I have created in previous steps. I was not sure what permissions required in order to see the template name. After some research I realised that I need to assign relevant permissions to the user who is trying to submit CSR request as follows.
1         Access Microsoft CA certificate authority Web interface. It is generally http://servername/CertSrv/.
2         Select “Request a certificate” - advanced certificate request - Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file then you see following screen. You can see it’s not showing template name to select. It’s due to lack of permission to user.

Microsoft Directory Certificate Service- VMware SSL certificate install
3         To fix the problem, go to “manage templates”
Microsoft Directory Certificate Service - manage Templates
4         Select appropriate template name and navigate to properties

Microsoft Directory Certificate Service - manage Templates

5         Go to “Security” tab, select user name and provide Read, Write, Enroll and Auto-enroll permissions

Microsoft Directory Certificate Service - manage Templates
6         Restart the CA services as per below screenshot
Windows 2008 Microsoft Directory Certificate Service - Service stop and start
7         Try to submit the certificate request now, you should be able to see template
Submit a certificate Request or Renewal Request
Please share on social media if you found this post helpful. If you have a comment or question, please post and add your voice to the conversation.

9 comments:

  1. hey , made
    change but i sill cant se it :(

    ReplyDelete
  2. Thanks for reply. I have tried this fix couple of time to make sure that permissions are the problem. I believe you restarted services.

    It should work or it could be some other problem.

    Thanks,

    ReplyDelete
  3. Carlos Rodriguez2 July 2015 at 02:09

    All these post failed to mention is MS Active directory Certification services are based on the AD Domain forest level. So if your forest level is 2003, then you cannot use a 2008 and up custom templates in ADCS Web services. Most people having this issue is because the CA Custom template is 2008 and above. Try Duplicating your Template in certificate template console, the first question when duplicating the template is to choose 2003 or 2008. 

    Choose 2003, then go into the Certification Authorities MMC (certsrv.msc) and there then right-click the Certificate Templates folder and issue the template that you just created. Now go to your ADCS web site and you should be able to see you custom template now. I know what about the 2008 Templates... Your AD forest level will need to be raised to 2008 R2 for the ADCS web to show the newer 2008 Custom Templates. Good Luck my hard earned .2 cents. I hope this helps someone out there because it took me weeks to figure this out.

    Carlos Rodriguez

    Caro1008@hotmail.com

    ReplyDelete
  4. Thank you Carlos for your valuable input and hope it helps the community.

    Cheers!!

    ReplyDelete
  5. My problem is I am trying to create the certificate request on Server 2012. It has been promoted to a DC in an existing domain. Existing domain is SBS2008 domain with Exchange 2007 SP2.
    The SBS box is operating at the highest functional level 2008 domain and forest. It has had domain prep and forest prep run against it as there is a secondary DC running Server 2008 with Exchange 2010. Otherwise the issue I have is exactly the same as described. I cannot see webserver. I can open the AD CS console and enable certificate templates but not sure which one I should select as there is no web server template.

    ReplyDelete
  6. Thanks VirtualCloudz. This was very helpful. Worked for me

    ReplyDelete
  7. Here's another reason why it might not appear. Go to the Subject Name tab in the template's properties. If "Build from this Active Directory information" is selected, switch it to "Supply in the request."

    ReplyDelete
  8. It worked like a charm- Tx!

    BTW in my case it worked out of the box for Domain built-in administrator account. We have to do this for delegated admins etc.

    ReplyDelete
  9. Thanks Carlos & virtualcoulds. you make my day a little bit easier :-)

    ReplyDelete