Troubleshooting Certificate Web Enrollment: Missing CNG Templates in Windows Server V3
This article addresses a specific scenario where Certificate Templates configured with Version 3, often referred to as CNG (Cryptography Next Generation) templates, do not appear in the template selection dropdown menu on the Microsoft Certificate Services web enrollment page. This prevents users from requesting certificates based on these newer templates through the web interface. While other enrollment methods remain functional for these templates, the web enrollment path is blocked. Understanding this behavior and the available options is crucial for effective certificate lifecycle management in a Windows Server environment.
Symptoms
When attempting to request a certificate using the Certificate Services web enrollment interface (http://<YourCA>/certsrv) on a Windows Server-based Certificate Authority (CA), users navigate to the “Request a certificate” page and then select “advanced certificate request”. Upon reaching the advanced request page, they expect to see a list of available certificate templates in a dropdown menu. However, if a certificate template is configured as Version 3 (CNG), it will not be listed in this dropdown, making it impossible to request a certificate from that template via this method. This issue specifically impacts only the web enrollment interface.
Crucially, the same Version 3 templates can be successfully requested and enrolled using alternative methods. These include using the Certificates MMC snap-in (certmgr.msc), command-line tools like certreq.exe, script-based enrollment, or automatic enrollment configured via Group Policy. This distinction confirms that the template itself is valid and accessible, and the issue is localized to the web enrollment component. Before concluding that this specific issue is the cause, it’s essential to rule out other common reasons why a template might not appear or be requestable, such as the CA not being an Enterprise CA, the requesting user lacking “Read” or “Enroll” permissions on the template in Active Directory, or the template not being issued by the CA.
Cause
The observed behavior, where Version 3 templates do not appear in the Certificate Services web enrollment dropdown, is by design. Microsoft intentionally limits the templates displayed in the web enrollment interface. This limitation stems from the inherent complexity and advanced configuration options available in Version 3 templates compared to their predecessors (Version 1 and Version 2).
Version 3 templates introduce features leveraging Cryptography Next Generation (CNG), which offers greater flexibility in cryptographic algorithm support, key storage options, and other parameters. The legacy Certificate Services web enrollment interface was developed before the advent of these CNG-specific features and is not equipped to handle the dynamic requirements and diverse options presented by Version 3 templates. Attempting to request a V3 template through this interface could lead to incomplete or improperly configured certificate requests due to the lack of necessary UI elements or underlying logic to gather all required parameters from the user or the environment.
Resolution
Since the limitation is by design due to the technical constraints of the web enrollment interface with Version 3 templates, the recommended resolution is straightforward: use an alternative certificate enrollment method. The Certificate Services web enrollment page is not the only, nor always the most suitable, way to request certificates in a Windows environment. Modern certificate management often relies on more robust and feature-rich methods.
Approved and fully supported alternative methods for requesting certificates, including those based on Version 3 templates, include:
- Certificates MMC Snap-in (certmgr.msc): Users can open the Certificates snap-in (for their user account or the computer account), navigate to the Personal certificate store, right-click, and select “Request New Certificate…”. This wizard allows browsing and selecting available templates, including Version 3 templates, and provides the necessary interface for configuration.
- Command-Line Tool (certreq.exe): This is a powerful command-line utility used to request certificates from a CA. It can be used to create, submit, and accept certificate requests. This method is highly flexible and often used for scripting or automated enrollment processes. It fully supports V3 templates.
- Automatic Enrollment via Group Policy: For domain-joined computers and users, the most scalable and recommended method is often configuring autoenrollment via Group Policy. Administrators can configure policies to automatically request, renew, and install certificates based on specific templates, including Version 3 templates, without user intervention.
- Scripting: Using COM objects or PowerShell cmdlets (Get-Certificate, Import-Certificate, etc.), administrators can write scripts to automate certificate requests programmatically, offering fine-grained control and full support for V3 templates.
These alternative methods provide the necessary framework and interfaces to properly handle the advanced features and requirements of Version 3 CNG templates, ensuring successful and correctly configured certificate issuance.
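The scripted path from the list above, as an added example that is not part of the original article: it enrolls from a Version 3 template with the PKI module's Get-Certificate cmdlet (which uses the same enrollment policy as the MMC wizard, so CNG templates are handled) and then verifies that the private key actually landed in a CNG key storage provider rather than a legacy CSP. The template name "WebServerV3Template" is a placeholder, and the script assumes an elevated session on a domain-joined machine.

```powershell
# Added example (not the article's own code). Enroll from a V3/CNG template via Get-Certificate and
# report which key provider holds the resulting private key.
# Assumptions: placeholder template name "WebServerV3Template"; elevated, domain-joined session.
#Requires -Modules PKI

function Request-V3Certificate {
    param(
        [string]$Template  = 'WebServerV3Template',                 # placeholder template name
        [string]$Store     = 'Cert:\LocalMachine\My',
        [string[]]$DnsName = @([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    )

    # Get-Certificate talks to the Active Directory enrollment policy and understands V3 templates.
    $result = Get-Certificate -Template $Template -CertStoreLocation $Store -DnsName $DnsName -ErrorAction Stop

    switch ($result.Status) {
        'Issued' {
            $cert = $result.Certificate
            # CNG-backed keys are not exposed through the legacy .PrivateKey property; the
            # certificate extension methods return RSACng / ECDsaCng for KSP-backed keys.
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            # Only the Cng classes expose .Key (a CngKey); its Provider names the KSP.
            $provider = if ($key.Key) { $key.Key.Provider.Provider } else { 'legacy CSP (CAPI)' }
            [pscustomobject]@{
                Status     = 'Issued'
                Thumbprint = $cert.Thumbprint
                Algorithm  = $key.SignatureAlgorithm
                Provider   = $provider
            }
        }
        'Pending' {
            # CA manager approval required: the request stays in the REQUEST store until retrieved.
            Write-Warning "Request is pending CA approval. After approval run: Get-ChildItem Cert:\LocalMachine\REQUEST | Get-Certificate"
            [pscustomobject]@{ Status = 'Pending'; Thumbprint = $null; Algorithm = $null; Provider = $null }
        }
        default {
            throw "Enrollment from template '$Template' failed with status '$($result.Status)'"
        }
    }
}

Request-V3Certificate | Format-List
```

If the Provider column reads "Microsoft Software Key Storage Provider" (or another KSP name) the V3 template's CNG settings were honoured; a "legacy CSP (CAPI)" result means the template or a client-side override steered the key into CryptoAPI, which is worth investigating before the certificate is relied on.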
More Information: Understanding Version 3 Templates and the Web Enrollment Limitation
To fully grasp why Version 3 templates pose a challenge for the older web enrollment interface, it’s helpful to understand the evolution of certificate templates in Windows Server Active Directory Certificate Services (AD CS).
Certificate Template Versions: A Brief Overview
- Version 1 Templates: The simplest template type, primarily used in Windows 2000 Server. They offer limited configuration options directly on the template itself. Many parameters are determined by the CA’s configuration.
- Version 2 Templates: Introduced in Windows Server 2003, Version 2 templates are significantly more powerful and flexible. They allow administrators to configure most certificate options directly within the template properties in Active Directory. This includes key usage, application policies, subject name formats, validity periods, renewal policies, and more. These templates are widely supported by all standard enrollment methods, including the Certificate Services web enrollment page.
- Version 3 Templates: Introduced in Windows Server 2008, Version 3 templates build upon Version 2 but introduce specific support for Cryptography Next Generation (CNG). CNG is Microsoft’s long-term replacement for the legacy CryptoAPI (CAPI). CNG offers several advantages, including:
- Support for newer cryptographic algorithms (like ECC - Elliptic Curve Cryptography).
- Enhanced key isolation and protection features.
- More flexible key storage options (e.g., software keys, hardware modules supporting CNG).
- Ability to specify CSPs (Cryptographic Service Providers) or KSPs (Key Storage Providers) more precisely.
When a template is configured as Version 3, it leverages these CNG capabilities. The template definition in Active Directory contains specific attributes and flags that signal its Version 3 status and potentially specify CNG-specific parameters (like the KSP to use).
Why Web Enrollment Fails for V3
The Certificate Services web enrollment interface (certsrv) is a legacy component, largely unchanged since its introduction. It was designed to interact with CryptoAPI (CAPI) and the features exposed by Version 1 and Version 2 templates. It lacks the necessary code and user interface elements to:
- Recognize and correctly interpret all CNG-specific flags and parameters present in a Version 3 template.
- Provide users with options related to CNG features (e.g., selecting a specific KSP, configuring key properties in a CNG-specific manner).
- Handle the underlying cryptographic operations using CNG APIs required for V3 template requests.
As a result, when the web enrollment component enumerates available templates, it filters out Version 3 templates because it knows it cannot process requests based on them correctly. This is the “by design” limitation.
The Potential Workaround (Proceed with Extreme Caution)
The original article mentions a possible workaround involving modifying the template schema version in Active Directory. It is crucial to reiterate that this method is not officially supported for production environments without extensive testing and understanding of the potential consequences. This workaround essentially tricks the web enrollment interface into seeing the Version 3 template by misrepresenting its version number in Active Directory.
Understanding the Workaround
The workaround involves using ADSI Edit to directly modify the msPKI-Template-Schema-Version attribute for the specific Version 3 template in Active Directory from 3 to 2. When the Certificate Services web enrollment page queries Active Directory for available templates, it checks this attribute. By changing it to 2, the web interface includes the template in its list, assuming it’s a standard Version 2 template it can handle.
Steps for the Workaround (High Risk - Test Thoroughly)
Disclaimer: These steps modify Active Directory configuration and should only be attempted in a test environment with a full understanding of the risks. Modifying AD attributes incorrectly can cause severe issues.
1. Access ADSI Edit: Log on to a server or workstation with the Active Directory Domain Services tools installed (a Domain Controller is often convenient, but not required). Open the Run dialog (Windows Key + R), type adsiedit.msc, and press Enter.
2. Connect to Configuration: In the ADSI Edit console, right-click the “ADSI Edit” node in the left pane and select “Connect to…”. In the “Connection Settings” dialog, under “Connection Point”, select “Configuration” from the dropdown menu. Leave the default naming context or specify your configuration partition if needed. Click “OK”.
3. Navigate to Certificate Templates: Expand the connected “Configuration” node in the left pane and navigate to CN=Configuration,DC=...,DC=... -> CN=Services -> CN=Public Key Services -> CN=Certificate Templates.
4. Locate the Target Template: In the right-hand details pane, find the specific Version 3 certificate template object that you want to appear in the web enrollment interface. Double-click the template object’s name.
5. Modify the Attribute: In the template’s properties window, scroll down the list of attributes until you find msPKI-Template-Schema-Version. Select this attribute and click the “Edit” button, or simply double-click the attribute name.
6. Change the Value: The “Integer Attribute Editor” opens. The current value should be 3. Change the value in the “Value” field from 3 to 2. Click “OK”.
7. Apply Changes: Back in the template’s properties window, click “Apply” and then “OK”. This change is made directly in Active Directory and replicates throughout the domain.
8. Refresh CA and Web Server (Optional but Recommended): To ensure the CA and the web enrollment server pick up the change promptly, you might need to restart the Active Directory Certificate Services service on the CA and potentially reset IIS on the server hosting the web enrollment pages (run iisreset from a command prompt). However, AD changes should eventually replicate and be picked up automatically.
9. Test Web Enrollment: Go back to the Certificate Services web enrollment page (http://<YourCA>/certsrv), navigate to the advanced request page, and check if the modified template now appears in the dropdown menu.
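Because the workaround above silently changes a single attribute, an administrator inheriting a PKI has no obvious way to tell which templates were downgraded. The following script is an added example, not part of the original article: it reads msPKI-Template-Schema-Version for every template over plain ADSI (no RSAT module required), shows which values the web enrollment filter would pass, and flags templates that claim version 2 but still carry Version 3 markers. The fingerprint it uses (CNG algorithm fields inside msPKI-RA-Application-Policies, or a Key Storage Provider listed in pKIDefaultCSPs) is this example's own heuristic, not something the article states, and the Restore function is the inverse of the ADSI Edit step, for putting a downgraded template back.

```powershell
# Added example (not the article's own code). Audit template schema versions in the Configuration
# partition and flag likely "3 -> 2" downgrades. Heuristic (assumption): V3 templates encode
# msPKI-Asymmetric-Algorithm etc. in msPKI-RA-Application-Policies and usually list a KSP in
# pKIDefaultCSPs; V1/V2 templates do not.

function Get-TemplateContainer {
    $config = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
}

function Get-TemplateSchemaAudit {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher (Get-TemplateContainer)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'cn', 'msPKI-Template-Schema-Version', 'msPKI-RA-Application-Policies', 'pKIDefaultCSPs'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties                      # keys come back lower-cased
        $version = if ($p['mspki-template-schema-version'].Count) { [int]$p['mspki-template-schema-version'][0] } else { 1 }
        $raPol   = @($p['mspki-ra-application-policies']) -join ' '
        $csps    = @($p['pkidefaultcsps'])

        $cngMarkers = ($raPol -match 'msPKI-Asymmetric-Algorithm') -or
                      (@($csps | Where-Object { $_ -like '*Key Storage Provider*' }).Count -gt 0)

        [pscustomobject]@{
            Name             = [string]$p['cn'][0]
            SchemaVersion    = $version
            PassesCertsrv    = ($version -le 2)          # the filter the article describes
            CngMarkers       = $cngMarkers
            SuspectDowngrade = ($version -lt 3 -and $cngMarkers)
        }
    }
}

function Restore-TemplateSchemaVersion {
    # Reverts a downgraded template to Version 3. Run only after confirming with the audit.
    param([Parameter(Mandatory)][string]$Name)
    $containerDn = (Get-TemplateContainer).Properties['distinguishedName'][0]
    $tpl = [ADSI]"LDAP://CN=$Name,$containerDn"
    $tpl.Put('msPKI-Template-Schema-Version', 3)
    $tpl.SetInfo()
}

Get-TemplateSchemaAudit | Sort-Object SuspectDowngrade, Name -Descending | Format-Table -AutoSize
```

A template reported with SuspectDowngrade = True is the state the workaround produces; restoring it with Restore-TemplateSchemaVersion removes it from the certsrv dropdown again, so clients that depended on the web page must move to one of the supported enrollment methods.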
Risks and Caveats of the Workaround
- Unsupported Configuration: Modifying the template schema version to misrepresent its actual capabilities is an unsupported configuration. Microsoft support may require you to revert this change if you encounter issues.
- Incomplete Certificates: While the template may now appear, the web enrollment interface still cannot properly handle all the underlying CNG features. The resulting certificate request might be incomplete or use default values for CNG parameters that you cannot control through the web interface. This could lead to certificates that do not function as intended.
- Loss of CNG Benefits: By requesting a Version 3 template as if it were a Version 2 template, you might not fully utilize or be able to configure the specific CNG advantages (like choosing a particular KSP or ECC curve) that were the reason for using a V3 template in the first place.
- Compatibility Issues: The resulting certificate might have compatibility issues with applications or services that expect certificates generated with specific CNG properties.
- Future Updates: Future Windows updates or CA versions might break this workaround or introduce new issues.
- Security Implications: Misconfiguring certificate templates can have significant security implications. Ensure you understand the template settings thoroughly.
In summary, while the ADSI Edit workaround can make the template visible, it does not magically endow the web enrollment interface with full Version 3/CNG capabilities. It merely bypasses the visibility filter. The recommended and supported approach remains using alternative enrollment methods designed to handle the complexities of Version 3 templates.
Alternative Enrollment Methods Explained Further
Given that the workaround is risky, let’s look more closely at the recommended alternative methods, which are robust and fully supported for Version 3 templates.
Using the Certificates MMC Snap-in (certmgr.msc)
This is often the easiest method for individual user or computer requests.
1. Open Run, type certmgr.msc (for the current user) or certlm.msc (for the local computer). To manage another computer’s certificates, add the Certificates snap-in to an empty MMC console and specify the target computer.
2. Navigate to Certificates - Current User (or Local Computer) -> Personal -> Certificates.
3. Right-click on the Certificates node or the Personal node.
4. Select All Tasks -> Request New Certificate....
5. The Certificate Enrollment wizard starts. Click Next.
6. Select the Active Directory Enrollment Policy (or other configured policy). Click Next.
7. Check the box next to the desired Version 3 template. You might see a warning if the template requires more information.
8. Click the “Details” dropdown and then the “Properties” button.
9. This is where you configure template-specific options, including CNG-related settings like Key Storage Provider if the template allows user choice. You can also provide subject information, friendly name, etc.
10. Configure the required settings and click OK.
11. Click Enroll. The certificate request will be submitted and processed by the CA.
This method provides a user-friendly graphical interface that fully supports the properties and options of Version 3 templates.
Using certreq.exe
This is a powerful command-line tool for advanced users and scripting.
1. Create a Policy File: You typically start with a policy file (a text file, often with a .inf extension) that specifies the template name and other request parameters. For a Version 3 template, this file can include CNG-specific settings.
[NewRequest]
Subject = "CN=your.hostname.com"
Exportable = TRUE ; Or FALSE
KeyLength = 2048 ; Or 4096, etc.
KeySpec = 1 ; AT_KEYEXCHANGE (RSA with a legacy CSP); use 0 (AT_NONE) when ProviderName is a CNG KSP
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
; Specify the template name (friendly name or object ID)
RequestAttributes = "CertificateTemplate:WebServerV3Template"
; Optional: Specify KSP for CNG (e.g., "Microsoft Software Key Storage Provider")
; KeyContainer = "MyKeyContainerName"
; ProviderName = "Microsoft Software Key Storage Provider"
; ProviderType = 0 ; Not used for CNG
; KeyAlgorithm = ECDSA_P256 ; CNG-only: ECC key; set KeyLength = 256 to match
; Silent = FALSE ; Show UI for key generation
; MachineKeySet = TRUE ; Store key in machine store
2. Generate the Request: Open a command prompt and run certreq -new policyfile.inf request.req to create a request file.
3. Submit the Request: Run certreq -submit request.req to send the request to the CA. You might be prompted to select the CA.
4. Accept the Issued Certificate: If the request is approved and issued, accept it with certreq -accept certificate.cer, where certificate.cer is the file containing the issued certificate obtained from the CA (for example, downloaded from the web enrollment page’s “View the status of a pending certificate request” section if the request was submitted with certreq but retrieved via the web).
Certreq.exe offers granular control and is essential for scenarios requiring automation or specific request configurations that might not be available through graphical interfaces. It fully understands and processes Version 3 template parameters.
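The four certreq steps above, wrapped end to end in PowerShell as an added example (not the article's own code): it writes an INF that asks for an ECC key in a CNG key storage provider, pins the CA with -config so no picker dialog appears, and branches on whether the CA issued the certificate immediately or took the request under submission, in which case it parses the RequestId from certreq's output so the certificate can be retrieved after approval. The template name "WebServerV3Template" and the CA config string "ca01.example.com\Example-CA" are placeholders.

```powershell
# Added example (not the article's own code). certreq -new / -submit / -accept with a CNG INF,
# including the pending-approval path. Placeholders: template name and CA config string.
param(
    [string]$Template = 'WebServerV3Template',                       # placeholder
    [string]$CaConfig = 'ca01.example.com\Example-CA',               # placeholder "host\CA name"
    [string]$Subject  = "CN=$([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)",
    [string]$WorkDir  = (Join-Path $env:TEMP 'certreq-v3')
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'request.req'
$cer = Join-Path $WorkDir 'certificate.cer'

# KeySpec = 0 (AT_NONE) plus a KSP ProviderName selects CNG; KeyAlgorithm picks the ECC curve.
# The [RequestAttributes] section is certreq's alternative spelling of RequestAttributes = "CertificateTemplate:...".
@"
[NewRequest]
Subject = "$Subject"
Exportable = FALSE
KeyAlgorithm = ECDSA_P256
KeyLength = 256
KeySpec = 0
KeyUsage = 0x80
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
HashAlgorithm = SHA256
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

function Invoke-CertReq {
    # Runs certreq.exe, capturing both output streams and the exit code for the caller to inspect.
    param([string[]]$Arguments)
    $output = & certreq.exe @Arguments 2>&1 | Out-String
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $output }
}

$new = Invoke-CertReq -Arguments @('-new', '-q', $inf, $req)
if ($new.ExitCode -ne 0) { throw "certreq -new failed:`n$($new.Output)" }

# -config pins the CA so no selection dialog appears; -q suppresses remaining prompts.
$submit = Invoke-CertReq -Arguments @('-submit', '-q', '-config', $CaConfig, $req, $cer)
$requestId = if ($submit.Output -match 'RequestId:\s*(\d+)') { [int]$Matches[1] } else { $null }

if ($submit.ExitCode -eq 0 -and (Test-Path $cer)) {
    # Issued immediately: -accept installs the certificate and binds it to the key in the KSP.
    $accept = Invoke-CertReq -Arguments @('-accept', '-q', $cer)
    if ($accept.ExitCode -ne 0) { throw "certreq -accept failed:`n$($accept.Output)" }
    Write-Host "Issued and installed (request id $requestId)."
}
elseif ($submit.Output -match 'pending|Taken Under Submission') {
    # CA manager approval required; the request id is the handle for retrieval later.
    Write-Warning "Request $requestId is pending CA approval. After approval run:"
    Write-Warning "  certreq -retrieve -config `"$CaConfig`" $requestId `"$cer`"; certreq -accept `"$cer`""
}
else {
    throw "certreq -submit failed:`n$($submit.Output)"
}
```

The INF deliberately sets Exportable = FALSE and keeps the key in the machine store; if the template enforces its own key settings the CA will reject mismatches, which surfaces in the -submit output rather than as a silently different certificate.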
Automatic Enrollment via Group Policy
For deploying certificates across an organization, autoenrollment is the most efficient method.
1. Configure a Group Policy Object (GPO) linked to the OUs containing the users or computers that need the certificate.
2. Edit the GPO and navigate to Computer Configuration (or User Configuration) -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client - Auto-Enrollment.
3. Enable the autoenrollment policy.
4. Configure the renewal, pending certificate, and update options as needed.
5. Ensure the Version 3 template is configured for autoenrollment permissions (the relevant security group needs “Autoenroll” permission on the template properties in Active Directory).
6. When the GPO is applied and the user/computer meets the template’s requirements, the certificate will be automatically requested and installed in the personal store.
This method is passive for the user/computer and handles the entire lifecycle (initial enrollment, renewal) without manual intervention, fully supporting Version 3 templates.
Summary of Enrollment Methods

| Method | Suitable For | V3 Support | Ease of Use | Automation/Scripting | Notes |
|---|---|---|---|---|---|
| Certificate Services Web Enrollment (certsrv) | Simple manual requests | No | Easy | Limited | Does NOT show V3 templates. |
| Certificates MMC (certmgr.msc/certlm.msc) | Manual user/computer requests | Yes | Moderate | Limited | Good for troubleshooting single clients. |
| certreq.exe | Scripting, advanced requests | Yes | Difficult | High | Very flexible, powerful. |
| Auto-Enrollment (Group Policy) | Mass deployment | Yes | Easy (Admin) | High | Recommended for enterprise deployment. |
Further Troubleshooting Steps
If you are still having trouble enrolling a certificate from a Version 3 template using the supported methods (MMC, certreq), consider the following:
- Permissions: Verify that the user or computer account requesting the certificate has “Read” and “Enroll” permissions on the certificate template object in Active Directory. For autoenrollment, they also need “Autoenroll” permission.
- Template Issuance: Ensure the template is actually configured on the Certificate Authority to be issued. Check the CA console -> Certificate Templates -> right-click -> Manage. Find the template, check its properties. Then go back to the CA console -> Certificate Templates -> right-click -> New -> Certificate Template to Issue and make sure the template is selected and added there.
- Active Directory Replication: Ensure that recent changes to template permissions or issuance settings have replicated throughout the domain, especially to the CA server.
- Template Validity: Check the validity period and renewal settings on the template. Ensure the template is not expired or misconfigured in a way that prevents issuance.
- CA Availability and Health: Ensure the CA server is online, the AD CS service is running, and it can communicate with Active Directory. Check the CA’s event logs for any errors.
- Network Connectivity: Verify network connectivity between the requesting client (or server) and the CA server, as well as connectivity to Active Directory Domain Controllers for template information and permissions.
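The first item in the list above, and step 5 of the autoenrollment procedure earlier, both come down to the same question: does a given principal hold Read, Enroll and Autoenroll on the template object in Active Directory? The script below is an added example, not part of the original article. It reads the template's security descriptor over ADSI and evaluates the ACEs for one principal. Enroll and Autoenroll are AD control-access rights identified by GUID; the two GUIDs used here are the well-known Certificate-Enrollment and Certificate-AutoEnrollment rights. The template "WebServerV3Template" and the principal "EXAMPLE\Web Servers" are placeholders.

```powershell
# Added example (not the article's own code). Check Read / Enroll / Autoenroll on a certificate
# template object for one principal, directly from the template's ACL in Active Directory.
# Placeholders: template name and principal. Limitation: only ACEs naming the principal itself
# are evaluated (no group-nesting expansion), and Deny ACEs are reported, not resolved.

$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment control access right
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment control access right

function Get-TemplateEntry {
    param([Parameter(Mandatory)][string]$Name)
    $config = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'][0]
    [ADSI]"LDAP://CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
}

function Test-RightGranted {
    # True when an Allow ACE in $Rules carries $Rights, either unscoped (e.g. GenericAll) or
    # scoped to the specific control-access right $RightGuid.
    param($Rules, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$RightGuid = [guid]::Empty)
    @($Rules | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        (($_.ActiveDirectoryRights -band $Rights) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $RightGuid)
    }).Count -gt 0
}

function Get-TemplateEnrollPermission {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][string]$Principal      # DOMAIN\Name form
    )
    # Compare by SID so a renamed group still matches its ACEs.
    $sid   = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])
    $entry = Get-TemplateEntry -Name $Template
    $all   = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $rules = @($all | Where-Object { $_.IdentityReference.Value -eq $sid.Value })

    [pscustomobject]@{
        Template   = $Template
        Principal  = $Principal
        Read       = Test-RightGranted $rules ([System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ReadProperty')
        Enroll     = Test-RightGranted $rules ExtendedRight $EnrollRight
        Autoenroll = Test-RightGranted $rules ExtendedRight $AutoEnrollRight
        DenyAces   = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        DirectAces = $rules.Count
    }
}

Get-TemplateEnrollPermission -Template 'WebServerV3Template' -Principal 'EXAMPLE\Web Servers' | Format-List
```

A result with Enroll = True but Autoenroll = False explains the common case where manual MMC or certreq enrollment works while the Group Policy autoenrollment never fires; DirectAces = 0 usually means the permission is inherited through group membership, so repeat the check for the groups the principal belongs to.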
Conclusion
The absence of Version 3 (CNG) templates in the Windows Certificate Services web enrollment interface is a deliberate design choice due to technical incompatibilities. While a risky workaround exists by modifying the template schema version in ADSI Edit, it is not recommended for production environments without extensive testing due to potential issues with certificate functionality and support. The proper and supported approach is to leverage alternative enrollment methods such as the Certificates MMC snap-in, the certreq.exe command-line tool, or automatic enrollment via Group Policy, all of which fully support the advanced features of Version 3 templates. Understanding these methods is key to successfully deploying certificates based on CNG templates in your environment.
What are your experiences with Version 3 templates and enrollment methods? Have you encountered scenarios where the web enrollment limitation caused significant issues? Share your thoughts and questions in the comments below!