When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully install the templates.
That’s nice and convenient, but what happens if you accidentally delete the template objects from Active Directory? The templates can be viewed and also deleted (with appropriate permissions) through the Active Directory Sites and Services MMC snap-in (dssites.msc) or with any other LDAP client.
So, what to do if the templates or the OID container have disappeared? With a single command line, you can get them back. As a prerequisite to installing the certificate templates, you must have Create Child access to the template container in Active Directory, which is the default setting for an enterprise administrator.
If you are running Windows Server 2003, use the following command with enterprise administrator permissions:
regsvr32 /i:i /n certcli.dll
If you have Windows Vista or Windows Server 2008 already in place, certutil.exe understands a new verb to re-install the templates. Certutil is included in all Windows Vista SKUs by default.
After running one of the above commands, you must restart the CA service.
The following two Knowledge Base articles describe scenarios where re-installation of certificate templates can make sense:
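A read-only check to run before and after the repair, as an added example that is not part of the original post: it reports whether the Certificate Templates and OID containers exist under CN=Public Key Services in the configuration partition and how many objects each one holds. It assumes a domain-joined machine, PowerShell 2.0 or later, and read access to the configuration partition; the function name Get-PkiObjectCount is hypothetical.

```powershell
# Added example (not from the original post): read-only inventory of the
# PKI containers that the template re-installation repopulates.
# Assumption: run on a domain-joined machine by an account that can read
# the configuration naming context.

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Hypothetical helper: returns $null when the container is missing,
# otherwise the number of direct children of the given object class.
function Get-PkiObjectCount {
    param(
        [string]$ContainerDn,
        [string]$ObjectClass
    )
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$ContainerDn")) {
        return $null
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$ContainerDn"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.Filter      = "(objectClass=$ObjectClass)"
    $searcher.PageSize    = 500            # page so large containers are counted fully
    [void]$searcher.PropertiesToLoad.Add('cn')
    $results = $searcher.FindAll()
    try     { return $results.Count }
    finally { $results.Dispose() }         # release the underlying search handle
}

$checks = @(
    @{ Name = 'Certificate Templates'; Class = 'pKICertificateTemplate' },
    @{ Name = 'OID';                   Class = 'msPKI-Enterprise-Oid'   }
)

foreach ($c in $checks) {
    $dn    = "CN=$($c.Name),$pkiBase"
    $count = Get-PkiObjectCount -ContainerDn $dn -ObjectClass $c.Class
    $state = if ($null -eq $count)  { 'MISSING' }
             elseif ($count -eq 0)  { 'EMPTY' }
             else                   { "OK ($count objects)" }
    '{0,-22} {1}' -f $c.Name, $state
}
```

A MISSING or EMPTY result before the repair and an OK result afterwards confirms that the objects were recreated in Active Directory; the CA service restart is still required.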
- You receive an error message, and event ID 53 is logged when a client computer requests a certificate from a Windows Server 2003 SP1-based CA (http://support.microsoft.com/kb/932457).
- Event ID 77 is logged in the Application log when the CertSvc service starts on a CA server that is running Windows Server 2003 with Service Pack 1 (http://support.microsoft.com/kb/931354).