This section lists a few common issues you may encounter when using the Certificate Templates snap-in or working with certificate templates. For more information about troubleshooting and resolving problems with certificate templates, see Active Directory Certificate Services Troubleshooting (http://go.microsoft.com/fwlink/?LinkId=89215).
What problem are you having?
- The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates
- Certificates are not being issued to clients
- Certificates are issued to subjects, but cryptographic operations with those certificates fail
- Domain controllers are not obtaining a domain controller certificate
- Clients are unable to obtain certificates via autoenrollment
- Names of certificate templates in the snap-in are inconsistent between views or windows
- The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template
- The certificate template is modified, but some certification authorities (CAs) still have the unmodified version
- The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery
- Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there
The Certificate Templates snap-in does not list any templates after prompting to install new certificate templates.
- Cause: The certificate templates have not yet replicated to the certification authority (CA) that the computer is connected to. This replication is part of Active Directory replication.
- Solution: Wait for the certificate templates to replicate and then reopen the Certificate Templates snap-in.
Certificates are not being issued to clients.
- Cause: The issuing certificate used by the certification authority (CA) has a shorter remaining lifetime than the template overlap period configured for the requested certificate template. This means that the issued certificate would be immediately eligible for re-enrollment. Instead of issuing and continuously renewing this certificate, the certificate request is not processed.
- Solution: Renew the issuing certificate used by the CA.
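The check behind this cause can be scripted. The following PowerShell is an added example, not part of the original article: it reads the template's validity and overlap periods from Active Directory and compares the overlap period with the remaining lifetime of the issuing CA certificate. It assumes the ActiveDirectory module is installed, that the issuing CA certificate has been exported to a .cer file, and that the template name `User` and the path `C:\Temp\IssuingCA.cer` are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and an exported copy of the issuing CA certificate.
Import-Module ActiveDirectory

function Get-PkiPeriod {
    # pKIOverlapPeriod and pKIExpirationPeriod are stored as 8-byte
    # little-endian negative intervals in 100-nanosecond units, which is
    # the same unit as .NET TimeSpan ticks.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $ticks = [BitConverter]::ToInt64($Bytes, 0)
    return [TimeSpan]::FromTicks(-$ticks)
}

function Test-TemplateOverlap {
    param(
        [Parameter(Mandatory)][string]$TemplateName,   # template cn, e.g. 'User'
        [Parameter(Mandatory)][string]$CaCertPath      # exported issuing CA certificate (.cer)
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$TemplateName'" `
        -Properties pKIOverlapPeriod, pKIExpirationPeriod
    if (-not $tpl) { throw "Template '$TemplateName' was not found in Active Directory." }

    $overlap  = Get-PkiPeriod $tpl.pKIOverlapPeriod
    $validity = Get-PkiPeriod $tpl.pKIExpirationPeriod

    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath
    $remaining = $ca.NotAfter - (Get-Date)

    # An issued certificate cannot outlive the CA certificate, so if the CA
    # certificate expires within the overlap period the new certificate would
    # be eligible for renewal as soon as it is issued.
    [pscustomobject]@{
        Template                 = $TemplateName
        TemplateValidity         = $validity
        TemplateOverlap          = $overlap
        CaCertificateRemaining   = $remaining
        WouldRenewImmediately    = ($remaining -le $overlap)
    }
}

# Placeholder values: replace with your template name and exported CA certificate.
$result = Test-TemplateOverlap -TemplateName 'User' -CaCertPath 'C:\Temp\IssuingCA.cer'
$result
if ($result.WouldRenewImmediately) {
    Write-Warning "The CA certificate expires within the overlap period of '$($result.Template)'; requests will not be processed until the CA certificate is renewed."
}
```

Run it on a domain-joined machine with the RSAT Active Directory tools. A `WouldRenewImmediately` value of `True` for a template confirms this cause; after renewing the CA certificate, re-run it against the new CA certificate to confirm the condition has cleared.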
Certificates are issued to subjects, but cryptographic operations with those certificates fail.
- Cause: The cryptographic service provider (CSP) does not match the key usage settings or does not exist.
- Solution: Confirm that you set the CSP in the template to one that supports the type of cryptographic operation that the certificate will be used for.
Domain controllers are not obtaining a domain controller certificate.
- Cause: Autoenrollment has been disabled by using Group Policy settings for domain controllers. Domain controllers obtain their certificates through autoenrollment.
- Solution: Enable autoenrollment for domain controllers.
- Cause: The default Automatic Certificate Request setting for domain controllers has been removed from the Default Domain Controllers policy.
- Solution: Create a new Automatic Certificate Request in the Default Domain Controllers policy for the Domain Controller certificate template.
Clients are unable to obtain certificates via autoenrollment.
- Cause: Security permissions must be set to allow the intended subjects to both enroll and autoenroll on the certificate template. Both permissions are required to enable autoenrollment.
- Solution: Modify the discretionary access control list (DACL) on the certificate template to grant Read, Enroll, and Autoenroll permissions for the subjects that you want.
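Before editing the DACL it helps to see which principals already hold all three permissions. The following PowerShell is an added example, not part of the original article: it reads the template's security descriptor from Active Directory and reports, per identity, whether Read, Enroll, and Autoenroll are all granted. It assumes the ActiveDirectory module (which provides the `AD:` drive), and uses the well-known extended-right GUIDs for Enroll and Autoenroll; the template name `User` is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; the template name 'User' is a placeholder.
Import-Module ActiveDirectory

function Get-TemplateEnrollmentRights {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Well-known control-access-right GUIDs for certificate enrollment.
    $enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
    $autoenrollGuid = [guid]'a05b8cc2-17bc-11d1-9bef-00c04fb93bde'   # Certificate-AutoEnrollment

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"

    $rows = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # only Allow ACEs grant anything
        $rights = $ace.ActiveDirectoryRights
        $hasRead = ([int]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) -ne 0
        $hasExt  = ([int]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
        # An ExtendedRight ACE with an empty ObjectType grants every extended right.
        $allExt  = $hasExt -and ($ace.ObjectType -eq [guid]::Empty)
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Read       = $hasRead
            Enroll     = $allExt -or ($hasExt -and $ace.ObjectType -eq $enrollGuid)
            Autoenroll = $allExt -or ($hasExt -and $ace.ObjectType -eq $autoenrollGuid)
        }
    }

    # Rights can be spread over several ACEs for the same identity, so merge them.
    $rows | Group-Object Identity | ForEach-Object {
        $read  = $_.Group.Read       -contains $true
        $enr   = $_.Group.Enroll     -contains $true
        $auto  = $_.Group.Autoenroll -contains $true
        [pscustomobject]@{
            Identity      = $_.Name
            Read          = $read
            Enroll        = $enr
            Autoenroll    = $auto
            CanAutoenroll = $read -and $enr -and $auto
        }
    }
}

Get-TemplateEnrollmentRights -TemplateName 'User' | Format-Table -AutoSize
```

A principal (or a group the subject belongs to) must show `CanAutoenroll` as `True`. Note that the report only looks at Allow entries on the template object itself; group membership is resolved by the subject's token at enrollment time, so check the groups the intended subjects belong to rather than the subjects individually.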
Names of certificate templates in the snap-in are inconsistent between views or windows.
- Cause: Active Directory Sites and Services is being used to view the certificate templates. This snap-in may not provide as accurate a display as Certificate Templates.
- Solution: Use the Certificate Templates snap-in to administer certificate templates.
The private key cannot be exported from smart card certificates, even when Allow private key to be exported is selected in the certificate template.
- Cause: Smart cards do not allow private keys to be exported once they are written to the smart card.
- Solution: None
The certificate template is modified, but some certification authorities (CAs) still have the unmodified version.
- Cause: Certificate templates are replicated between CAs with the Active Directory replication process. Because this replication is not instantaneous, there may be a short delay before the new version of the template is available on all CAs.
- Solution: Wait until the modified template is replicated to all CAs. To display the certificate templates that are available on the CA, use the Certutil.exe command-line tool.
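The Certutil.exe check can be run against every enterprise CA at once. The following PowerShell is an added example, not part of the original article: it enumerates the enrollment service objects published in Active Directory, runs `certutil -CATemplates` against each CA, and reports whether the CA lists the template. It assumes the ActiveDirectory module and network access to each CA; the template name `User` is a placeholder. The certutil output is searched by template name only, so the script tells you where the template is available, not which revision each CA holds.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and that certutil.exe can reach each CA; 'User' is a placeholder.
Import-Module ActiveDirectory

function Get-CaTemplateAvailability {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Enterprise CAs publish a pKIEnrollmentService object here; its
    # dNSHostName and cn form the "Host\CAName" config string certutil expects.
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    $cas = Get-ADObject -SearchBase $base -Filter "objectClass -eq 'pKIEnrollmentService'" `
        -Properties dNSHostName, cn

    foreach ($ca in $cas) {
        $config = "$($ca.dNSHostName)\$($ca.cn)"
        # -CATemplates lists the templates the CA is currently set up to issue.
        $output = & certutil.exe -CATemplates -config $config 2>&1
        $listed = [bool]($output | Select-String -SimpleMatch -Pattern $TemplateName -Quiet)
        [pscustomobject]@{
            CA             = $config
            TemplateListed = $listed
            CertutilExit   = $LASTEXITCODE
        }
    }
}

Get-CaTemplateAvailability -TemplateName 'User' | Format-Table -AutoSize
```

A non-zero `CertutilExit` means the CA could not be queried (for example it is offline or the caller lacks permission), which is different from the template simply not being listed yet; treat those rows as unknown rather than as a replication problem.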
The private key is not being archived even though I selected the Archive subject's encryption private key option and configured the CA to require key recovery.
- Cause: Private keys will not be archived when the key usage for the certificate template is set to Signature. This is because the digital signature usage requires the key to not be recoverable.
- Solution: None
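The conflict described above can be detected from the template's attributes in Active Directory. The following PowerShell is an added example, not part of the original article: it reads the template's key-usage bytes and private-key flags and reports a template that requests archival while its purpose is signature only. It assumes the ActiveDirectory module, the key-usage bit layout of the X.509 KeyUsage extension (first byte: 0x80 digitalSignature, 0x20 keyEncipherment, 0x10 dataEncipherment), and that bit 0x1 of `msPKI-Private-Key-Flag` is the archival-required flag; the template name `User` is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module; the template name 'User' is a placeholder.
Import-Module ActiveDirectory

function Test-TemplateKeyArchival {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $tpl = Get-ADObject -SearchBase $base -Filter "cn -eq '$TemplateName'" `
        -Properties pKIKeyUsage, 'msPKI-Private-Key-Flag'
    if (-not $tpl) { throw "Template '$TemplateName' was not found in Active Directory." }

    # First byte of pKIKeyUsage carries the X.509 KeyUsage bits.
    $ku = [int]$tpl.pKIKeyUsage[0]
    $digitalSignature = ($ku -band 0x80) -ne 0
    $encipherment     = ($ku -band 0x30) -ne 0     # keyEncipherment or dataEncipherment

    # Bit 0x1 of msPKI-Private-Key-Flag: archival of the private key is required.
    $archiveRequired = ([int]$tpl.'msPKI-Private-Key-Flag' -band 0x1) -ne 0

    $signatureOnly = $digitalSignature -and -not $encipherment
    [pscustomobject]@{
        Template             = $TemplateName
        KeyUsageByte         = ('0x{0:X2}' -f $ku)
        SignatureOnly        = $signatureOnly
        ArchiveRequired      = $archiveRequired
        ArchivalWillNotOccur = $archiveRequired -and $signatureOnly
    }
}

$r = Test-TemplateKeyArchival -TemplateName 'User'
$r
if ($r.ArchivalWillNotOccur) {
    Write-Warning "Template '$($r.Template)' requires key archival but its purpose is Signature only; the CA will not archive these keys."
}
```

Templates whose purpose is Encryption or Signature and encryption show `SignatureOnly` as `False`; a signature-only template is correctly reported here as one whose keys will not be archived, which matches the behaviour the cause above describes.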
Autoenrollment is prompting me to renew a certificate that isn't mine, and I have certificates in my Personal certificate store that I didn't put there.
- Cause: When using the smart card enrollment station on the administrator's computer to renew or change the certificate stored on the smart card, the certificate from the smart card is copied to the administrator's private certificate store. This certificate may be processed by autoenrollment and prompt you to begin the renewal process.
- Solution: Click Start to begin the autoenrollment renewal process. Because the certificate is not yours, the autoenrollment process will end after you click Start. If you want to remove the certificates from your Personal certificate store, they can be deleted manually.