Installing Certificate Authority On Member Server

Question

Greetings,

I am building a new domain and I need to create a Certificate Authority for a number of reasons. I know it is not good practice to install CA on a domain controller. I have installed the CA Role on one of my member servers. In the Certificate Templates section it has all the required templates I need.

Issue I am having is if I go to the Certificates on one of my local computer and Request a new Certificate to get a Domain Computer certificate, when I select Active Directory Enrollment Policy, it shows there are no templates to selection.

Is the DC not talking to the CA? How are they connected? And why are there no Certificate Types to select from as they all say UNAVAILABLE.

Did I install the CA role incorrectly?

Thanks.

Answer 1

Hello IESSysAdmin-1344,

Thank you for posting in our Q&A forum.

Usually, we should check the permissions on the certificate template.

1.Logon the CA server and open Certification Authority console.
2.Open Certificate Template Console.
3.Usually, we do not change the default certificate template setting, if we need to use one certificate template, we can duplicate (right click this certificate template and select "Duplicate Template") it and configure the corresponding certificate template setting based on your own requirements.
4.Especially, we should set the permissions on certificate template Security tag.
If it is a machine certificate template, we should give the machine account or the group including this machine Read and Enroll permissions.

For example:

Here is a Web Server certificate template that I duplicated, I give "Domain Computers" Read and Enroll permissions.

5.Issue certificate template to "Certificate Templates" container.

Hope the information above is helpful.

Best Regards,
Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.