Microsoft CA – Templates Not Showing up in IIS Web Enrollment

I’ve seen a good number of questions posted about someone’s templates not showing up under the IIS web enrollment page. But, they always seem to miss a critical piece of information when someone has created an Enterprise CA that is Windows 2008 R2.

TYPICALLY the problem is one or a combination of the following three things below:

1) In certificate template Subject tab wasn’t switched to Supply in request.

2) Certificate template was configured for validity greater than one year (this is actually not 100% true by the way)

3) the enrollment permissions on the certificate are incorrect

ALWAYS make SURE you know what functional level of AD you have BEFORE you create a new template. If you are 2003, make sure you create the template as 2003 Enterprise. Do not pass go, do not collect $100, do not create a 2008 Enterprise template when AD is at a 2003 functinoal level IF you want that template showing up under web enrollment.

You can create the template. There is nothing that prevents you from doing so. However, you would have to manually create a certificate request using the following procedure:

Again, if you want that template to show up under web enrollment, your CA is 2008 R2 and your functional level of AD is at 2003, make sure you create that template as 2003 enterprise and follow the other best practices.

Now, the bit about a 1 year limitation causing problems with the template showing up under web enrollment, I haven’t seen that as a valid problem. I’ve gone as high as 10 years in a lab environment and it works just fine.

For the sake of endorsing Microsoft documentation, make sure you read and follow the following information: