Installing Certificate Authority On Member Server

IES Sys Admin 1 Reputation point
2022-11-01T17:25:44.617+00:00

Greetings,

I am building a new domain and I need to create a Certificate Authority for a number of reasons. I know it is not good practice to install CA on a domain controller. I have installed the CA Role on one of my member servers. In the Certificate Templates section it has all the required templates I need.

Issue I am having is if I go to the Certificates on one of my local computer and Request a new Certificate to get a Domain Computer certificate, when I select Active Directory Enrollment Policy, it shows there are no templates to selection.

Is the DC not talking to the CA? How are they connected? And why are there no Certificate Types to select from as they all say UNAVAILABLE.

Did I install the CA role incorrectly?

Thanks.

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,766 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2022-11-07T06:56:30.36+00:00

    Hello IESSysAdmin-1344,

    Thank you for posting in our Q&A forum.

    Usually, we should check the permissions on the certificate template.

    1.Logon the CA server and open Certification Authority console.
    2.Open Certificate Template Console.
    3.Usually, we do not change the default certificate template setting, if we need to use one certificate template, we can duplicate (right click this certificate template and select "Duplicate Template") it and configure the corresponding certificate template setting based on your own requirements.
    4.Especially, we should set the permissions on certificate template Security tag.
    If it is a machine certificate template, we should give the machine account or the group including this machine Read and Enroll permissions.

    For example:

    Here is a Web Server certificate template that I duplicated, I give "Domain Computers" Read and Enroll permissions.

    257724-permi.png

    5.Issue certificate template to "Certificate Templates" container.
    257765-aaaaaaa.png

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.
    0 comments No comments