Not able to Duplicate Certificate Template

In the past I worked on a case in which the customer could not duplicate a certificate template, even though the operating system was Windows Server 2003 Enterprise Edition. Here I am sharing the resolution of that case.

Problem:

Couldn’t duplicate a certificate template on a Windows Server 2003 Enterprise Edition member server CA.

Troubleshooting:

We made sure that all requirements for certificate template duplication were fulfilled, including the following:

1. The Active Directory schema had been upgraded to Windows Server 2003 using ADPREP.

2. The CA was an Enterprise Root CA.

3. The member server was running Windows Server 2003 Enterprise Edition.

4. We were logged in as a Domain Admin and Enterprise Admin.

The Enterprise Admins and Domain Admins groups should have Full Control on the following objects in AD:

· Full Control permissions over the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

· Full Control permissions over the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

· Full Control permissions for each certificate template object in the CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container

When we looked in ADSI Edit we found that the CN=OID container was missing.

The usual fix is an authoritative restore of the CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=ForestRootDomain container using NTDSUTIL. In this case the customer did not have a System State backup, so we created the container manually.
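An added PowerShell check (not from the original post) for the prerequisites above: it confirms that the CN=Certificate Templates and CN=OID containers exist in the Configuration partition and that Enterprise Admins and Domain Admins hold Full Control on them and on each template object. It uses plain ADSI so it runs without the ActiveDirectory module; the group names and output labels are my assumptions.

```powershell
# Added verification script (not from the original post). Read-only: it checks
# the AD objects and Full Control grants the post lists as prerequisites for
# duplicating a certificate template. Plain ADSI, so no AD module is needed.
# Assumes it runs as a user allowed to read the Configuration partition.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"
$admins   = @("Enterprise Admins", "Domain Admins")   # expected Full Control holders (assumed)
$fullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-PkiObject([string]$dn) {
    # Missing container (the post's root cause) is reported and skipped.
    if (-not [ADSI]::Exists("LDAP://$dn")) {
        Write-Output "MISSING    $dn"
        return
    }
    $obj   = [ADSI]"LDAP://$dn"
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($group in $admins) {
        # Full Control == GenericAll; only explicit or inherited Allow entries count.
        $hasFull = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$group" -and
            (($_.ActiveDirectoryRights -band $fullCtl) -eq $fullCtl)
        }
        $state = if ($hasFull) { "OK        " } else { "NO-FULLCTL" }
        Write-Output "$state $group on $dn"
    }
}

# The two containers the post names...
Test-PkiObject "CN=Certificate Templates,$pkiBase"
Test-PkiObject "CN=OID,$pkiBase"

# ...plus every template object under CN=Certificate Templates.
$templateContainer = [ADSI]"LDAP://CN=Certificate Templates,$pkiBase"
foreach ($tpl in $templateContainer.Children) {
    Test-PkiObject $tpl.Properties["distinguishedName"].Value
}
```

A MISSING line for CN=OID reproduces the situation described in this case; a NO-FULLCTL line points at the permission requirement instead.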


Explanation:

The Windows Server 2003 family adds additional object identifier (OID) containers to the Configuration container. Because object identifiers are not hardcoded in version 2 (V2) templates, the OID containers are required to work with V2 templates. Only clients running Windows XP and later can resolve object identifiers in Active Directory to friendly names.

CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=

Reference:

1. Certificate Template Overview

https://technet.microsoft.com/en-us/library/cc787721.aspx

2. KB 949664: Error message when you try to duplicate a certificate template in the certificate template store: "The Computer certificate template could not be duplicated. The system cannot find the file specified"

https://support.microsoft.com/default.aspx?scid=kb;EN-US;949664

3. KB 287547: Object IDs associated with Microsoft cryptography

https://support.microsoft.com/default.aspx?scid=kb;EN-US;287547

4. Appendix A: Directory Objects

https://technet.microsoft.com/en-us/library/cc786765.aspx