As some of you know, a lot of my background is in the world of Public Key Infrastructure.  I’ve been involved in every phase of PKI, including developing certification authority and ASN.1/DER encoding/decoding software, developing automated registration authority components, creating certificate policies and certification practices statements, as well as designing and rolling out production PKIs for large organizations.

Increasingly, organizations are turning to the use of Active Directory Certificate Services, otherwise known as Microsoft Certificate Services.  The reasons are many: it’s included with the purchase of your Windows Server product, it’s easy to configure and use, and did I mention it doesn’t cost any (additional) money?  The Microsoft product is a fairly good one and provides for a lot of customization and configuration so that it can be useful in just about every environment.  We use this product for our company-issued certificates which are used to encrypt email.

Last year we upgraded our Certification Authority (CA) to Windows 2008 and immediately encountered a minor issue: we couldn’t add some of our custom templates so that the CA would allow them to be issued.  Our need to change templates is infrequent, so we’ve been living with this “issue” for about a year now.  If you Google for “cannot create new certificate template to issue” you will find over 70K hits, and the majority of them are all answered the same way: “Are you running Windows Server Enterprise Edition?”  For Microsoft Certificate Server on Windows 2000 and Windows 2003 servers, the Enterprise edition is required in order to issue certificates with your own custom templates.  The answer in our case was yes – we are running Enterprise edition.  Additionally, I understand that Windows 2008 R2 has removed this restriction, and you can issue certificates on custom templates from Standard edition as well!

Today I was able to find an excellent troubleshooting tutorial from the Directory Services team at Microsoft called “How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in.” This step-by-step guide led me to the answer I had been seeking for over a year.

After you have verified that you actually have an Enterprise CA, let’s look at the CA object in ADSIEdit.msc and make sure the flag that identifies it as an Enterprise CA is set correctly. It is very unusual to see the flag set incorrectly, but all the same it is possible. As we did before, launch ADSIEdit.msc, then expand CN=Configuration | CN=Services | CN=Public Key Services | CN=Enrollment Services. Right-click the CA in the right pane that you want to enroll from and click Properties. Find the flags attribute and verify that it is set to 10. If it isn’t set to 10, then set it to 10 using ADSIEdit.msc and allow for Active Directory replication to complete.

This was exactly our issue. For whatever reason, our flags attribute was set to “2” instead of “10”.  Making this change and forcing replication allowed me to add all the certificate templates that appeared in my certificate templates management screen.  I hope this bit of information is helpful to someone in the future!
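For anyone who would rather audit this setting across a forest than click through ADSIEdit, here is an added PowerShell example (mine, not from the Microsoft tutorial or the original post): it enumerates the CA objects under CN=Enrollment Services that the tutorial has you inspect, reports any whose flags attribute is not 10, and with -Fix applies the same change the tutorial describes (honoring -WhatIf). It assumes only the .NET DirectoryServices classes and read access to the Configuration partition (write access to the CA object if -Fix is used).

```powershell
# Added example (not from the original post or the Microsoft tutorial):
# audit the 'flags' attribute on every pKIEnrollmentService (CA) object in
# the Configuration partition against the value 10 that the tutorial expects.
# Assumes read access to the Configuration NC; -Fix also needs write access.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix    # set flags to 10 on CAs that do not match (off by default)
)

$ExpectedFlags = 10   # decimal 10 = 0x0A, i.e. bits 0x2 and 0x8 set

# Find this forest's Configuration naming context via RootDSE, then build the
# same path the tutorial walks in ADSIEdit (Configuration > Services >
# Public Key Services > Enrollment Services).
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.Get('configurationNamingContext')
$enrollDn = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$enrollDn"
$searcher.Filter      = "(objectClass=pKIEnrollmentService)"
$searcher.SearchScope = 'OneLevel'
foreach ($attr in 'cn', 'flags', 'dNSHostName') { [void]$searcher.PropertiesToLoad.Add($attr) }

foreach ($result in $searcher.FindAll()) {
    $caName   = $result.Properties['cn'][0]
    $hostName = $result.Properties['dnshostname'][0]
    # A missing flags attribute is treated as 0 so it is reported, not skipped
    $flags = if ($result.Properties['flags'].Count -gt 0) { [int]$result.Properties['flags'][0] } else { 0 }

    if ($flags -eq $ExpectedFlags) {
        Write-Output ("{0} ({1}): flags={2} OK" -f $caName, $hostName, $flags)
        continue
    }

    # Bits present in 10 but absent here are what the fix adds; in the post's
    # case flags was 2, so 0x8 was the missing bit.
    $missing = $ExpectedFlags -band (-bnot $flags)
    Write-Warning ("{0} ({1}): flags={2}, expected {3} (missing bits 0x{4:X})" -f `
        $caName, $hostName, $flags, $ExpectedFlags, $missing)

    if ($Fix -and $PSCmdlet.ShouldProcess($result.Path, "Set flags to $ExpectedFlags")) {
        $obj = $result.GetDirectoryEntry()
        $obj.Put('flags', $ExpectedFlags)
        $obj.SetInfo()   # as the tutorial notes, wait for AD replication afterwards
    }
}
```

Run it without -Fix first; a Warning line for a CA you know to be Enterprise is the symptom described above, and -Fix -WhatIf shows which object would be changed before anything is written.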