Problem with CA Web Enrolment in Windows Server 2022

Mikhail Firsov 1,881 Reputation points
2022-01-12T14:55:22.497+00:00

Hello,

Every time I deploy Exchange Server I need to create and install a web server certificate on the mail server: for this, a copy of the built-in Web Server certificate template is made and - after minor modifications - the Exchange Server's certificate is created based on that modified certificate template. I've never had any issues when doing it. Now, when I deployed the WinServer 2022 DC for the first time and installed the CA and the Web Enrollment on it, I got this:

1) if I try to request the Exchange Server's certificate (on the https://dc.domain.com/certsrv) from the DC - I see only the two certificate templates:
[screenshot: 164299-ca2.png]

2) when I connect to the same page from the exchange server I see more certificate templates...
[screenshot: 164354-ca3.png]

...including the built-in Web Server certificate template - but still do NOT see the Contoso Web Server certificate template, which is the copy of the built-in Web Server certificate template!

...don't have any ideas what can be wrong here... :(


8 answers

  1. Mikhail Firsov 1,881 Reputation points
    2022-01-13T07:56:24.893+00:00

    Hi SamWu,

    "It is difficult to reproduce your problem based on this message" - why? If there's a Windows Server
    2022 DC+CA at hand it's a matter of minutes to reach for the https://dc.../certsrv and at least to see whether the Web Server template is available or not - any domain admin must see this template...


  2. Mikhail Firsov 1,881 Reputation points
    2022-01-13T14:57:15.327+00:00

    P.S. Can anyone tell me what defines whether a certificate template is available for selection on the web enrollment page or not?
    I know only one parameter - the Security settings (Read+Enroll). Is there anything else?


  3. Mikhail Firsov 1,881 Reputation points
    2022-01-17T14:59:05.967+00:00

    Hi SamWu-MSFT,

    "what is the version of the Contoso Web Server template? Only v1 and v2 templates are allowed in Web Enrollment Pages" - v4 (this time I've selected Windows Server 2016 on the template's properties page).

    After re-issuing the template as v2 it did not appear in the template list until I'd granted Authenticated Users the Read and the Enroll permissions, which I've never done before! So you were right - v4 doesn't work at all, ALTHOUGH THE ARTICLE YOU MENTIONED ABOVE APPLIES ONLY TO Windows Server 2008/2012!!!

    There's, however, one question left: why do the different templates show up differently on the Web Enrollment page?
    [screenshot: 165746-q3.png]

    In other words: why does the Web Server template not require the Authenticated Users\Enroll permission while the copy (v2) of this template - Contoso Web Server - does? I'm requesting those certificates as a domain\enterprise admin, so theoretically I should NOT need the extra permission for the Authenticated Users group (and I've never done it before)?

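The two properties discussed in this answer - the template's schema version (Web Enrollment lists only v1/v2 templates) and which principals hold the Enroll right - can both be read from the template objects in the Configuration partition. The following script is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory RSAT module is available and that the caller can read the Configuration naming context. It lists every template, its version and its enrollers, and flags templates that Web Enrollment will not show or that grant Enroll to Authenticated Users (the risk Martin raises below).

```powershell
# Added example: audit AD CS certificate templates for schema version and Enroll rights.
# Assumes the ActiveDirectory RSAT module is installed on a domain-joined machine.
Import-Module ActiveDirectory

# Well-known GUIDs of the Certificate-Enrollment and Certificate-AutoEnrollment extended rights
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-11d2-9e60-00c04fb97c92'
$ExtendedRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Template-Schema-Version'

foreach ($t in $templates) {
    $version = [int]$t.'msPKI-Template-Schema-Version'
    $acl     = Get-Acl -Path ("AD:\" + $t.DistinguishedName)

    # Principals with an Allow ACE for the Enroll extended right, or for all extended rights
    $enrollers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($ExtendedRight) -and
            ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)
        } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    # Same check for AutoEnroll, which matters for domain-wide exposure
    $autoEnrollers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $AutoEnrollGuid } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    $notes = @()
    if ($version -gt 2) { $notes += 'not listed by Web Enrollment (v1/v2 only)' }
    if ($enrollers -contains 'NT AUTHORITY\Authenticated Users') { $notes += 'Authenticated Users can enroll - review' }

    [pscustomobject]@{
        Template      = $t.displayName
        Version       = $version
        Enrollers     = ($enrollers -join ', ')
        AutoEnrollers = ($autoEnrollers -join ', ')
        Notes         = ($notes -join '; ')
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep the audit as a record of which templates were changed while troubleshooting.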

  4. Martin Rublik 316 Reputation points
    2022-01-18T08:19:42.15+00:00

    You really should NOT grant authenticated users enroll right, this would mean that anyone can issue a certificate. Perhaps try to add Enroll right directly to your account, or specific group, try to avoid using groups that need elevated application rights (UAC).

    Martin


  5. Mikhail Firsov 1,881 Reputation points
    2022-01-18T08:30:53.6+00:00

    "You really should NOT grant authenticated users enroll right, this would mean that anyone can issue a certificate." - I know, but in WinServer 2022 it was the only method to issue a certificate - maybe it's a bug; I'm opening a case with MS right now.
