Hey everyone! I'm currently migrating my Windows Certificate Authority (CA) and everything has gone pretty smoothly so far, considering it's a single-tier PKI. The old CA was installed on a domain controller, but now I've ensured that there are no remnants of it in Active Directory. However, I'm facing a bit of a hiccup with the new CA; it won't issue certificates using the custom templates that I can see in the Templates console. I can create new templates, but when I try to issue a certificate, only the default templates show up. If I opt to show all templates, I get an error saying that the custom templates aren't supported. It mentions that either a valid CA is not found, that the CA doesn't support this operation, or that it's not trusted. I'm hoping someone has some advice before I resort to completely starting over. Thanks!
2 Answers
Tough situation! If you're moving the CA to a new server, there's a specific registry key you need to handle carefully. You export it from the old server, modify it for the new one, and then import it back. The CA has its own name that's distinct from the server's hostname, which is crucial for this process. I had a similar issue, and following that registry key fix made a huge difference. Here’s a guide that might help: www.petenetlive.com/KB/Article/0001473. Hope it’s not too late for you!
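The registry step in that answer, written out as a runnable sequence. This is an added example, not code from the post or from the linked guide; it assumes an old CA host named OLDCA01, a new host named NEWCA01, a backup folder C:\CABackup, and the ActiveDirectory RSAT module on the new server. The CA's own name (the `Active` value under the CertSvc Configuration key) must stay the same across the move; only `CAServerName` changes. The verification block at the end puts the registry's view of the CA next to the Enrollment Services object in AD, which is the object clients consult when they decide whether a "valid CA" exists for a template.

```powershell
# Added example (not from the original post). Placeholders: OLDCA01, NEWCA01, C:\CABackup.
# Run in an elevated PowerShell on the server named in each section.

# --- On the OLD server: back up database, CA key/cert, and the CertSvc registry hive ---
$Backup = 'C:\CABackup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
certutil -backup $Backup                     # CA database plus key/cert (prompts for a password)
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$Backup\CertSvc.reg" /y

# --- On the NEW server, after the AD CS role is installed using the restored CA cert/key ---
$OldHost = 'OLDCA01'                          # assumption: short host name as stored on the old CA
$NewHost = 'NEWCA01'
$RegFile = "$Backup\CertSvc.reg"              # copied over from the old server

# reg export writes UTF-16LE; rewrite only the CAServerName value, leave the CA name untouched.
$lines = Get-Content -Path $RegFile -Encoding Unicode
$pattern = '^"CAServerName"="' + [regex]::Escape($OldHost) + '"$'
$lines = $lines -replace $pattern, ('"CAServerName"="' + $NewHost + '"')
Set-Content -Path $RegFile -Value $lines -Encoding Unicode

Stop-Service CertSvc
reg import $RegFile
Start-Service CertSvc

# --- Verify: what the registry says vs what AD says about this CA ---
$CfgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$CAName  = (Get-ItemProperty -Path $CfgKey).Active
$CACfg   = Get-ItemProperty -Path (Join-Path $CfgKey $CAName)
"Registry : CA '$CAName' on host '$($CACfg.CAServerName)'"

Import-Module ActiveDirectory
$ConfigNC  = (Get-ADRootDSE).configurationNamingContext
$EnrollBase = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"
Get-ADObject -SearchBase $EnrollBase -Filter 'objectClass -eq "pKIEnrollmentService"' `
             -Properties dNSHostName, certificateTemplates |
    ForEach-Object {
        "AD       : CA '$($_.Name)' on host '$($_.dNSHostName)'"
        "           templates offered: $($_.certificateTemplates -join ', ')"
    }

# Templates the CA is actually configured to issue (the list Certificate Templates MMC populates):
certutil -CATemplates
# A custom template only appears to clients once it is added to this list, e.g.:
# certutil -SetCATemplates +MyCustomTemplate     # MyCustomTemplate is a placeholder name
```

If the `CAServerName` value or the `dNSHostName` on the pKIEnrollmentService object still points at the old server, clients will look for a CA that no longer exists; that is the mismatch the registry edit above is meant to remove, and the two lines of output make it visible without guessing.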
It sounds like you're in a bit of a pickle! One thing to consider is the domain context of your CA. Just to confirm, is your CA in the same domain as your templates? If you've got security settings or permissions on the template that aren't aligned with the CA, that could be causing the issue. If all else fails, reinstalling is definitely an option since you're on a single tier, but maybe check those permissions first! Let me know what you find out.
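A way to check the permission angle raised in this answer. This is an added example, not from the post; it assumes the ActiveDirectory RSAT module, a template named MyCustomTemplate (placeholder), and a CA computer account CONTOSO\NEWCA01$ (placeholder). It reads the template's ACL from the Configuration partition and reports which principals hold the Certificate-Enrollment extended right, and whether the CA's computer account can read the template at all (by default through Authenticated Users).

```powershell
# Added example (not from the original post). Placeholders: MyCustomTemplate, CONTOSO\NEWCA01$.
Import-Module ActiveDirectory

function Get-TemplateAccessReport {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,
        [Parameter(Mandatory)] [string] $CAAccount      # e.g. 'CONTOSO\NEWCA01$'
    )
    # Certificate-Enrollment extended right (well-known rightsGuid)
    $EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

    $ConfigNC = (Get-ADRootDSE).configurationNamingContext
    $TplDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

    # Confirm the template object exists in this forest's Configuration partition
    $tpl = Get-ADObject -Identity $TplDN -Properties displayName -ErrorAction Stop

    $acl = Get-Acl -Path "AD:\$TplDN"
    $allow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    $enrollers = $allow |
        Where-Object { $_.ObjectType -eq $EnrollRight -and
                       ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) } |
        Select-Object -ExpandProperty IdentityReference -Unique

    $readers = $allow |
        Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead } |
        Select-Object -ExpandProperty IdentityReference -Unique

    # The CA only needs Read; Authenticated Users normally grant that implicitly.
    $caCanRead = ($readers -contains $CAAccount) -or
                 ($readers | Where-Object { $_.Value -like '*Authenticated Users' }) -ne $null

    [pscustomobject]@{
        Template      = $tpl.displayName
        DN            = $TplDN
        EnrollGranted = $enrollers.Value
        ReadGranted   = $readers.Value
        CACanRead     = [bool]$caCanRead
    }
}

$report = Get-TemplateAccessReport -TemplateName 'MyCustomTemplate' -CAAccount 'CONTOSO\NEWCA01$'
$report | Format-List
```

An empty `EnrollGranted` list means no one can request the template even if the CA offers it; `CACanRead` false means the CA itself cannot see the template definition, which is a separate problem from the client-side "CA not found" message and is worth ruling out before a reinstall.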
Yeah, it’s a single domain, single forest. The AD container looks good and matches the other domain I manage.
Yes! That’s one of the guides I used, and I confirmed that I made the registry changes correctly.