Under some circumstances after installation Windows Enterprise Operating System and configuration of AD Certification Services as Enterprise CA, the CA Services still doesn’t allow publication of certificate templates in versions higher than V1. This is because of misconfiguration of registry entries, which determines type of CA installation as Standard.
The solution for this problem is proper setup of bit flag in the CA configuration. It can be done with following command:
1 | certutil -setreg ca\setupstatus +512 |
After registry update, there is necessity of restart CA service.
More over, there is possibility of manual edition of the templates list, which is used by CA for certificates enrollment. It is possible by edition of attribute
1 | certificateTemplates |
in object
1 | pKIEntrollmentService |
. These objects are available under following path
1 | CN=Internal Issuing CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=contonso,DC=lab |