active directory, ad, windows, microsoft, certificate templates, certificate authority, ca, enterprise edition, duplicate, minimum supported CAs, version 2 certificate, allow private key to be exported
This is a workaround for Microsoft Windows Server that allows modifying and using certificate templates on a non-Enterprise Edition installation.
Certificate Authority is a component available on all Windows Server editions. As no additional license has to be bought to use it, it is widely used and supported.
It is therefore not surprising that attempting more complicated tasks, beyond what the basic documentation covers, is a challenge.
One of the problems I've encountered was the inability to export keys of Web Certificates. The usual way of duplicating a certificate template and changing its properties didn't work: a duplicated certificate template, as it is a "type 2 certificate template", requires Windows Server Enterprise Edition.
The fix to the problem of non-exportable Web Certificates on Standard Edition is similar to what is described in the documentation, but requires one additional step:
- create a duplicate of the Web Certificate template
- modify the duplicate to allow exporting keys
- modify the Active Directory entry of the copy of the Web Certificate template.
I used ldapmodify to make the change, but any other Active Directory editor should suffice. Here is my ldapmodify command:
ldapmodify -x -D 'cn=Administrator,cn=Users,dc=test,dc=local' -W -H 'ldap://xxx.xxx.xxx.xxx/' << EOF
> dn: CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local
> changetype: modify
> replace: msPKI-Template-Schema-Version
> msPKI-Template-Schema-Version: 1
> -
> replace: msPKI-Template-Minor-Revision
> msPKI-Template-Minor-Revision: 1
> EOF
Enter LDAP Password:
modifying entry "CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"
Remember to set the forest root domain and the Active Directory IP address according to your environment. Lowering msPKI-Template-Schema-Version to 1 marks the copy as a version 1 template, which is why the Standard Edition CA then accepts it even though the duplicate was created as a version 2 template.
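A template rewritten this way is something an administrator will want to find again later, since an exportable private key on a server certificate template is a property worth auditing. The following is an added example, not code from the original post: a small Python script that parses an LDIF export of the Certificate Templates container (as ldapsearch -LLL would print it) and lists templates that combine schema version 1 with an exportable private key. It assumes the standard msPKI-Private-Key-Flag attribute and its CT_FLAG_EXPORTABLE_KEY bit (0x10), which the post never names, and the sample export is constructed.

```python
# Bit in msPKI-Private-Key-Flag meaning "Allow private key to be exported"
# (CT_FLAG_EXPORTABLE_KEY, MS-CRTD); an assumption, the post never names it.
CT_FLAG_EXPORTABLE_KEY = 0x00000010

def parse_ldif(text):
    """Minimal LDIF parser (ldapsearch -LLL style): one {attribute: [values]}
    dict per entry. Folded lines (leading space) are joined; base64 (::)
    values are left undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries
def exportable_v1_templates(ldif_text):
    """Names of templates that are schema version 1 and allow key export,
    the combination the workaround above produces."""
    found = []
    for entry in parse_ldif(ldif_text):
        schema = int(entry.get("msPKI-Template-Schema-Version", ["0"])[0])
        flags = int(entry.get("msPKI-Private-Key-Flag", ["0"])[0])
        if schema == 1 and flags & CT_FLAG_EXPORTABLE_KEY:
            found.append(entry["cn"][0])
    return found
# Constructed sample export; values are illustrative, not Windows defaults.
SAMPLE_LDIF = """\
dn: CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local
cn: WebServer
msPKI-Template-Schema-Version: 1
msPKI-Private-Key-Flag: 0

dn: CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,
 CN=Services,CN=Configuration,DC=test,DC=local
cn: Copy of Web Server
msPKI-Template-Schema-Version: 1
msPKI-Private-Key-Flag: 16
"""
```

Run it against a real export with `ldapsearch -LLL -b 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local'` piped into a file and passed to `exportable_v1_templates`.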