Unable to see certificate templates in CertSrv
Posted by Joe Thompson on June 14, 2011
I came across a really frustrating issue yesterday while trying to generate a new certificate through a Microsoft CA running on Windows Server 2008. I’ll describe the symptoms first in case anyone else is experiencing the same issue before outlining the fix.
The first step was to generate a CSR from the server holding the website we needed the certificate for. A bit of confusion about how to do this in IIS 7.0 ensued but was resolved relatively quickly (see other post for more info…) – so far so good.
Next stop was to generate a certificate from the CSR. Usually, I connect to the certificate server via a web browser using the standard MS URL (http://servername/certsrv) but this time I kept being blocked by a login prompt. Using the same login credentials I had logged onto the server with, after three attempts I received a “401 – Unauthorized: Access is denied due to invalid credentials” error.
So, next I jumped onto the certificate server itself to see where I was being denied access. Log on was fine, so no denied access to the server itself. Open IIS, check the paths to the CertSrv folders, all access and permissions seem to be fine. Open a browser on the certificate server, connect to the same URL, still the same problem???
Ok, so how else can I access this site? Back into IIS and navigate down to the CertSrv virtual directory. Using the Manage Application menu in IIS, I first tried “Browse *:80 (http)” – same result – then “Browse *:443 (https)” – success!!!
Or so I thought…
In fact, as I followed the certificate generation process through (Request a certificate > Submit a request using….) I first received an error:
On clicking ok, I was unable to choose any templates to generate the certificate with:
Ok – so using https isn’t working then. What do I do with this?
After much, much trawling around the internet, and seeing quite a few others with similar problems but none with a solution, I stumbled across one suggestion that the application pool identity needed changing to NetworkService.
The site in question suggested creating a new app pool separate from the DefaultAppPool to prevent disrupting any other sites, but as this server is a dedicated certificate authority, I knew that there was little chance of upsetting anything else:
Simply changing the setting seemed to resolve the issue; however, to be on the safe side, you may want to recycle the app pool or even run an IIS reset to refresh everything.
I hope this is of benefit to someone else because it had me stumped for hours!!
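The dedicated-pool variant mentioned above, scripted with IIS's `appcmd.exe`, as an added example that is not part of the original post. The site path `Default Web Site/CertSrv` and the pool name `CertSrvPool` are assumptions; adjust them to your server and run from an elevated PowerShell prompt.

```powershell
# Added example: give CertSrv its own application pool running as NetworkService,
# leaving DefaultAppPool (and any other sites in it) untouched.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$appPath = 'Default Web Site/CertSrv'   # assumed site/application path
$newPool = 'CertSrvPool'                # hypothetical name for the dedicated pool

# 1. Find the pool CertSrv currently runs in and the identity that pool uses.
$curPool = (& $appcmd list app $appPath '/text:applicationPool' | Out-String).Trim()
if (-not $curPool) { throw "Application '$appPath' not found in IIS." }
$identity = (& $appcmd list apppool $curPool '/text:processModel.identityType' |
             Out-String).Trim()
Write-Host "CertSrv runs in pool '$curPool' as '$identity'."

if ($identity -eq 'NetworkService') {
    Write-Host 'Pool already runs as NetworkService; nothing to change.'
    return
}

# 2. Create the dedicated pool only if it does not exist yet.
if (-not (& $appcmd list apppool $newPool)) {
    & $appcmd add apppool "/name:$newPool" | Out-Null
}

# 3. Set the pool identity to the built-in NetworkService account.
& $appcmd set apppool $newPool '/processModel.identityType:NetworkService' | Out-Null

# 4. Move only the CertSrv application into the new pool.
& $appcmd set app $appPath "/applicationPool:$newPool" | Out-Null

# 5. Recycle so the change takes effect without a full iisreset.
& $appcmd recycle apppool "/apppool.name:$newPool" | Out-Null

# 6. Read the configuration back to confirm the result.
$nowPool = (& $appcmd list app $appPath '/text:applicationPool' | Out-String).Trim()
$nowId   = (& $appcmd list apppool $nowPool '/text:processModel.identityType' |
            Out-String).Trim()
Write-Host "CertSrv now runs in pool '$nowPool' as '$nowId'."
```

The new pool is created with IIS default settings apart from the identity, so compare its other settings with the original pool if CertSrv relied on non-default values there.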