After creating a certificate template, I had a problem enabling it in the CA. While the certificate template appeared in the Certificate Templates console, it couldn't be enabled. The certificate template just wasn't appearing in the Certification Authority MMC snapin.
I tried using the certutil.exe command to enable the certificate template manually
certutil.exe -SetCATemplates VMware-SSL
Unfortunately, same problem: certificate template wasn't enabled, but this time I got a deceptive and nonsensical error message complaining that the "parameter" was "incorrect".
CertUtil: -SetCATemplates command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).
CertUtil: The parameter is incorrect.
When you create a certificate template, it needs time to replicate to all domain controllers. A certificate template is just another object in Active Directory, just like a user or computer account. So if the certificate template doesn't appear immediately, just wait the same amount of time you'd wait for a user to replicate across your DCs.
Back to our problem: why isn't the certificate template appearing? Well, it turns out that every online certificate enrolment service has to have contacted Active Directory and downloaded the certificate templates before it can be enabled. If you've previously configured an issuing CA and then destroyed it without cleaning up its entries, you'll never be able to enable the certificate template.
Performing a cleanup of issuing CAs in Active Directory Certificate Services
It's ADSI Edit Time!
Open ADSI Edit and connect to the Configuration context.
If you see the names of OUs, you connected to the wrong context.
Navigate to CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration in your domain.
CN=Certification Authorities contains your root CAs and CN=Enrollment Services contains your issuing CAs. If there are any extra CAs listed that no longer exist, you'll need to delete them.
In my case, I had an additional issuing CA in CN=Enrollment Services that no longer existed. When I deleted the CA, I could enable the template.
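The same audit from the command line, as an added example that is not part of the original post: it checks that the template object has replicated to the DC you are talking to, lists every issuing CA registered under CN=Enrollment Services together with whether it still answers certutil -ping and whether the template is already in its certificateTemplates attribute, and only then offers to delete the entries that no longer respond. It assumes the ActiveDirectory RSAT module, read access to the Configuration naming context, and (for removal) write rights on CN=Enrollment Services; the template name is the one from the post and the -Remove switch is this script's own.

```powershell
# Added example, not the post's own commands: audit CN=Enrollment Services
# without ADSI Edit. Assumes the ActiveDirectory module is installed.
param(
    [string]$TemplateName = 'VMware-SSL',   # template name from the post; substitute yours
    [switch]$Remove                          # deletion only happens when this is set
)
Import-Module ActiveDirectory

$config   = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$config"
$enrollDN = "CN=Enrollment Services,$pkiBase"
$tmplDN   = "CN=Certificate Templates,$pkiBase"

# 1. Replication check: the template is an ordinary AD object and must be
#    visible on the DC this session is bound to before the CA can see it.
$template = Get-ADObject -SearchBase $tmplDN `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))" `
    -ErrorAction SilentlyContinue
if (-not $template) {
    Write-Warning "Template '$TemplateName' not found under $tmplDN; wait for replication or check the name."
}

# 2. Enumerate every issuing CA the enrollment infrastructure believes exists
#    and ask each one whether it is actually alive.
$stale = @()
$cas = Get-ADObject -SearchBase $enrollDN `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties dNSHostName, certificateTemplates
foreach ($ca in $cas) {
    # CA config string is <host>\<CA common name>, which is the object's CN
    $configString = "$($ca.dNSHostName)\$($ca.Name)"
    # certutil -ping contacts the CA's DCOM interface; non-zero exit = no answer
    & certutil.exe -config $configString -ping *> $null
    $alive = ($LASTEXITCODE -eq 0)
    # certificateTemplates is the attribute -SetCATemplates writes to
    $hasTemplate = @($ca.certificateTemplates) -contains $TemplateName
    [pscustomobject]@{ CA = $configString; Reachable = $alive; TemplateEnabled = $hasTemplate }
    if (-not $alive) { $stale += $ca }
}

# 3. Stale entries are the ones that block enabling the template. Default is a
#    dry run (-WhatIf); with -Remove each deletion still asks for confirmation.
foreach ($ca in $stale) {
    Write-Warning "Enrollment Services entry '$($ca.Name)' on '$($ca.dNSHostName)' does not answer certutil -ping."
    if ($Remove) { Remove-ADObject -Identity $ca.DistinguishedName -Confirm:$true }
    else         { Remove-ADObject -Identity $ca.DistinguishedName -WhatIf }
}
```

A failed ping only means the CA did not answer from this machine (a stopped service or a firewall produce the same result), which is why the script reports first and deletes only on an explicit -Remove with a confirmation prompt; deleting the entry of a CA that is merely offline would stop domain members from enrolling against it.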
[Screenshot] It appears in Certificate Templates...
[Screenshot] ...but you can't enable it. Because it doesn't appear. IT JUST DOESN'T APPEAR. WHY??!?!?!?!?!?!?! WHERE ARE THE ERROR MESSAGES MICROSOFT?!?!?!?
[Screenshot] Select a well known Naming Context like Configuration, or Paul, or Jimmy.
But I want to do everything from the command line because I want to use Server Core in the future.
[Screenshot] Now you understand why the original error message "The Parameter is incorrect" is deceptive. This is the same command that was run last time.
Unfortunately there are no event log error messages for this error. Microsoft just expect you to figure it out.