Certificate Services in Server 2008 has had a lot of changes and enhancements. Some are obvious and documented well, and others are not obvious and not so well documented.
Case in point is an additional aspect of Server 2008 certificate web enrollment. Some of you may recall some discussion regarding the big differences between certificate enrollment APIs in Server 2003 (xenroll) and Server 2008 (certenroll). This was particularly relevant for people who had Windows Vista clients and were trying to use web enrollment from the certificate authority. Without adding the Server 2008 certificate enrollment pages to the web enrollment server the Vista client could not request certificates from that web page. More info on that scenario was here .
Certificates can be used for a wide variety of purposes. Verifying the identity of the person who sent an email, encrypting data one time or for encrypting all communication in a session between a client and server, to name a few.
As a little background, in order to use a certificate for whatever your intended purpose is the client must first request that certificate. Certificate requests will have some information that must be filled in for the certificates intended purpose. In order to allow for various purposes easily, and to allow the certificate requests to take place just as easily, templates for the different type of certificates are used to base the request from. There are templates for client authentication, server authentication, Basic EFS, domain controller and others. Many organizations customize some templates for their own needs, while others may simply use the predefined Version 3 Templates included in Server 2008 in order to take advantage of the new Suite B encryption methods which Vista and Server 2008 allow for.
But in order for the user or computer to take advantage of these new features they must first have access to the templates to base their certificate request from and they must be able to form the request. Certificate requests can be done via custom written enrollment code, the certificates snapin MMC, by exporting a request as a file, through autoenrollment or via the additional certificate web enrollment feature.
The reason for this blog post is that one of our customers called after noticing some unexpected behavior when they were trying to use the Server 2008 certificate web enrollment page to request a Version 3 Template based certificate. The problem was that no matter what they did the Version 3 Templates would not appear as certificates which could be requested via the web page. On the other hand, version 1 and 2 templates did appear in the page and requests could be done successfully using those templates. To add to the confusion, the same user could request Version 3 Template based certificates without problem using other methods like the certificates snapin MMC-the certificate could be requested and enrolled in just fine.
What this company found was something that we have not documented until now: version 3 templates cannot be requested via web enrollment using the “out of box” certificate web enrollment pages. All other methods for enrolling in a Version 3 template based certificate will work fine.
Here’s a screenshot of the where you would otherwise expect to see your Version 3 template appear in the Web Enrollment page (below). I've placed a red circle around where the Version 3 templates are not expected to appear (please ignore the certificate error for the purposes of this blog post).
More information on certificate templates in Server 2008 is available in the article <a href="http://blogs.technet.com/controlpanel/blogs/posteditor.aspx/ here ">here, but I’m pasting a little info from that article on why someone might be looking at using Version 3 templates to begin with…
Version 3 certificate templates are new in Windows Server 2008. Version 3 certificate templates function similarly to version 2 templates, and they support new Active Directory Certificate Services (AD CS) features available in Windows Server 2008. These features include Cryptography Next Generation (CNG), which introduces support for Suite B cryptographic algorithms such as elliptic curve cryptography (ECC).
Hopefully this little tidbit of information will keep some administrators out there from extremes of frustration caused by trying to get a version 3 template (CNG) certificate requested via their out of box web enrollment pages in Server 2008. For those folks out there who have already seen this behavior, I apologize for our not having this documented for you before now. The good news is that the web enrollment limitation will not prevent you from using the new CNG certificates given the more robust and extensive enrollment methods which can be used instead (certenroll, autoenroll, snapin et cetera).