/*
______________
Date:
2007-02-09
______________
Author:
Anna Wiejak
anias@popoludnica.pl
______________
Buzzwords:
active directory, ad, windows, microsoft, certificate templates, certificate authority, ca, enterprise edition, duplicate, minimum supported CAs, version 2 certificate, allow private key to be exported
______________
Description:
This is a workaround for Microsoft Windows Server which allows modification and use of certificate templates on non-Enterprise Edition installations.
______________
References:
http://technet2.microsoft.com/WindowsServer/en/library/32260bb5-4405-4fda-b589-fe05ac3193201033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/d7a495c3-5e46-4b35-a236-34a4d4ad0f091033.mspx?mfr=true
http://support.citrix.com/article/CTX106034
*/
1) Introduction
Certificate Authority is a component available on all Windows Server editions. Since no additional license has to be bought to use it, it is widely used and supported.
It is therefore no surprise that attempts at more complicated tasks, going beyond the basic documentation, turn out to be a challenge.
One of the problems I encountered was the inability to export the keys of Web Server certificates. The usual way of duplicating a certificate template and changing its properties did not work: a duplicated certificate template is a version 2 template, and version 2 templates require Windows Server Enterprise Edition.
2) Solution
The fix for the problem of non-exportable Web Server certificates on Standard Edition is similar to what is described in the documentation, but requires one additional step:
- create a duplicate of the Web Server certificate template
- modify the duplicate to allow exporting the private key
- modify the Active Directory entry of the copy of the Web Server template.
I used ldapmodify to make the change, but any other Active Directory editor should suffice. Here is my ldapmodify command (the LDIF states the replace operations explicitly, as ldapmodify expects for changetype: modify):
ldapmodify -x -D 'cn=Administrator,cn=Users,dc=test,dc=local' -W -H 'ldap://xxx.xxx.xxx.xxx/' << EOF
dn: CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local
changetype: modify
# mark the copy as a version 1 template so a Standard Edition CA accepts it
replace: msPKI-Template-Schema-Version
msPKI-Template-Schema-Version: 1
-
replace: msPKI-Template-Minor-Revision
msPKI-Template-Minor-Revision: 1
-
EOF
Enter LDAP Password:
modifying entry "CN=Copy of Web Server,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"
Remember to set the forest root domain and the Active Directory IP address according to your environment. You can confirm the result on the CA with the Certificate Templates MMC snap-in or with certutil -v -template, which shows the template's schema version and its private key flags.
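As an added example (not part of the original note), the following Python builds the same LDIF modify record for any template and forest, and audits a list of template entries for the state this workaround produces: schema version 1 combined with the "allow private key to be exported" flag (CT_FLAG_EXPORTABLE_KEY, bit 0x10 of msPKI-Private-Key-Flag). The sample entries are constructed, not taken from a real directory.

```python
# Added example, not the original author's code. Attribute names and the
# exportable-key flag value follow the msPKI-* template attributes used above.

CT_FLAG_EXPORTABLE_KEY = 0x10  # bit in msPKI-Private-Key-Flag set by "Allow private key to be exported"
TEMPLATES_BASE = "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration"


def template_dn(template_cn, forest_dn):
    """DN of a certificate template object, e.g. forest_dn='DC=test,DC=local'."""
    return f"CN={template_cn},{TEMPLATES_BASE},{forest_dn}"


def downgrade_ldif(template_cn, forest_dn, minor_revision=1):
    """LDIF for ldapmodify with explicit 'replace' operations, as in the command above."""
    return (
        f"dn: {template_dn(template_cn, forest_dn)}\n"
        "changetype: modify\n"
        "replace: msPKI-Template-Schema-Version\n"
        "msPKI-Template-Schema-Version: 1\n"
        "-\n"
        "replace: msPKI-Template-Minor-Revision\n"
        f"msPKI-Template-Minor-Revision: {minor_revision}\n"
        "-\n"
    )


def find_downgraded_exportable(entries):
    """Return CNs of templates that look like this workaround was applied to them:
    version 1 schema together with an exportable private key. Useful as an audit
    of the templates container, since such templates let enrollees export keys."""
    hits = []
    for entry in entries:
        version = int(entry.get("msPKI-Template-Schema-Version", 0))
        flags = int(entry.get("msPKI-Private-Key-Flag", 0))
        if version == 1 and flags & CT_FLAG_EXPORTABLE_KEY:
            hits.append(entry["cn"])
    return hits


# Constructed sample entries, shaped like an ldapsearch of the templates container.
SAMPLE_ENTRIES = [
    {"cn": "WebServer", "msPKI-Template-Schema-Version": "1", "msPKI-Private-Key-Flag": "0"},
    {"cn": "Copy of Web Server", "msPKI-Template-Schema-Version": "1", "msPKI-Private-Key-Flag": "16"},
    {"cn": "Some V2 Template", "msPKI-Template-Schema-Version": "2", "msPKI-Private-Key-Flag": "16"},
]

if __name__ == "__main__":
    print(downgrade_ldif("Copy of Web Server", "DC=test,DC=local"))
    print("version 1 templates with exportable keys:", find_downgraded_exportable(SAMPLE_ENTRIES))
```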