Server 2019 CA, ECHE cert template does not show, certsrv

Mark 21 Reputation points
2021-03-02T23:16:23.817+00:00

Hi, I recently created a tier 1 pki using ECDE_P256 as the key exchange algorithm instead of RSA with ECDSA as the signing algorithm on server 2019. I found an interesting bug where if i created a certificate template (duplicated from web server or user or computer) increased the CA and recipient compatibility to 20082, ( i have to do this otherwise under Cryptography it doesn't give me the option to change the provider category from legacy) changed the provider to "key storage provider",algorithm name to ECDH_P256 and published the template it would not show under web enrollment in a browser. Using MMC is fine. Has anyone encountered this before and such has a means to remediate it. Web enrollment is a nice to have. Thanks

Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,772 questions
{count} votes

Accepted answer
  1. Vadims Podāns 9,116 Reputation points MVP
    2021-03-10T07:14:10.48+00:00

    Has anyone encountered this before and such has a means to remediate it.

    what you are facing -- is expected and be design. Templates with Key Storage Provider are not supported by web enrollment and will never do. Web enrollment pages are no longer recommended for use because of huge limitations. Use Certificate MMC instead.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Daisy Zhou 20,551 Reputation points Microsoft Vendor
    2021-03-03T06:52:28.393+00:00

    Hello @Mark ,

    Thank you for posting here.

    I have done such test in my lab, I can not see the certificate template via certsrv web page, either.

    Usually, if we select "Supply in the request" under "Subject Name" and set the proper permission, we will see this cert template via certsrv web page.

    73683-s.png

    Not sure if it is related to unsupported CSP on certsrv web page.
    73619-csp1.png

    I am sorry, I did find the reason for this.

    Best Regards,
    Daisy Zhou

    0 comments No comments

  2. Mark 21 Reputation points
    2021-03-10T18:08:28.953+00:00

    Hi,

    I appreciate both replies.
    I understand that this cannot be supported using web enrollment which is okay.

    Thank you

    0 comments No comments