Troubleshooting Certificate Templates
Applies To: Windows Server 2008 R2
This section lists a few common issues you may encounter when using the Certificate Templates snap-in or working with certificate templates. For more information about troubleshooting and resolving problems with certificate templates, see Active Directory Certificate Services Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=89215).
What problem are you having?
The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates
Certificates are not being issued to clients
Certificates are issued to subjects, but cryptographic operations with those certificates fail
Domain controllers are not obtaining a domain controller certificate
Clients are unable to obtain certificates via autoenrollement
Names of certificate templates in the snap-in are inconsistent between views or windows
The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template
The certificate template is modified, but some certification authorities (CAs) still have the unmodified version
The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery
Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there
The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates.
Cause: The certificate templates have not yet replicated to the certification authority (CA) that the computer is connected to. This replication is part of Active Directory replication.
Solution: Wait for the certificate templates to replicate and then reopen the Certificate Templates snap-in.
Certificates are not being issued to clients.
Cause: The issuing certificate used by the certification authority (CA) has a shorter remaining lifetime than the template overlap period configured for the request certificate template. This means that the issued certificate would be immediately eligible for re-enrollment. Instead of issuing and continuously renewing this certificate, the certificate request is not processed.
Solution: Renew the issuing certificate used by the CA.
Certificates are issued to subjects, but cryptographic operations with those certificates fail.
Cause: The cryptographic service provider (CSP) does not match key usage settings or does not exist.
Solution: Confirm that you set the CSP in the template to one that supports the type of cryptographic operation that the certificate will be used for.
Domain controllers are not obtaining a domain controller certificate.
Cause: Autoenrollment has been disabled by using Group Policy settings for domain controllers. Domain controllers obtain their certificates through autoenrollment.
Solution: Enable autoenrollment for domain controllers.
Cause: The default Automatic Certificate Request setting for domain controllers has been removed from the Default Domain Controllers policy.
Solution: Create a new Automatic Certificate Request in the Default Domain Controllers policy for the Domain Controller certificate template.
Clients are unable to obtain certificates via autoenrollement.
Cause: Security permissions must be set to allow intended subjects to both enroll and autoenroll on the certificate template. Both permissions are required to enable autoenrollment.
Solution: Modify the discretionary access control list (DACL) on the certificate template to grant Read, Enroll, and Autoenroll permissions for the subjects that you want.
Names of certificate templates in the snap-in are inconsistent between views or windows.
Cause: Active Directory Sites and Services is being used to view the certificate templates. This snap-in may not provide as accurate a display as Certificate Templates.
Solution: Use the Certificate Templates snap-in to administer certificate templates.
The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template.
Cause: Smart cards do not allow private keys to be exported once they are written to the smart card.
The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.
Cause: Certificate templates are replicated between CAs with the Active Directory replication process. Because this replication is not instantaneous, there may be a short delay before the new version of the template is available on all CAs.
Solution: Wait until the modified template is replicated to all CAs. To display the certificate templates that are available on the CA, use the Certutil.exe command-line tool.
The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery.
Cause: Private keys will not be archived when the key usage for the certificate template is set to Signature. This is because the digital signature usage requires the key to not be recoverable.
Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there.
Cause: When using the smart card enrollment station on the administrator's computer to renew or change the certificate stored on the smart card, the certificate from the smart card is copied to the administrator's private certificate store. This certificate may be processed by autoenrollment and prompt you to begin the renewal process.
Solution: Click Start to begin the autoenrollment renewal process. Because the certificate is not yours, the autoenrollment process will end after you click Start. If you want to remove the certificates from your Personal certificate store, they can be deleted manually.