Windows 2003 Enterprise Certificate Templates?

ADB100

I have a Windows 2003 Domain (functional level is Windows 2003). In this domain I have an Enterprise Certificate Authority Server running 2003 Enterprise Edition. According to Microsoft, when I installed this Server the pre-installed Certificate Templates should have been upgraded from Version 1 certificates to Version 2 ones (this wasn't an upgrade; it was a clean install of Windows 2003 Server Enterprise, there have never been any other CAs installed, and the server is a Member Server):


Specifically in the notes it says:
To verify that the upgrade is successful, open the Certificate Templates MMC console and confirm that there are 29 certificate templates. The Version # of templates should all exist and be in the format of xxx.xxx, for example, 100.2. Version 1 certificate templates use a single digit for the primary version number, for example, the Administrator certificate template version number is 3.1. Version 2 certificate template primary version numbers are three digits in length. For example, the Key Recovery Certificate Template version number is 105.0.

I don't think this has happened as the majority of certificates are still Version 1. I have searched on MS and the web and can't find any other information as to what to do next.

Any ideas or have I missed something?

Andy
 
You should actually see both version 1 and version 2 templates in there. The version 2 templates offer more flexibility, but the version 1 are still viable templates for basic needs. Is there anything in particular that you are having issues with or more curious why V1 templates are there?

~Intruder~
CEH, CISSP, MCSA/MCSE 2000/2003

 
> You should actually see both version 1 and version 2 templates in there. The version 2 templates offer more flexibility, but the version 1 are still viable templates for basic needs. Is there anything in particular that you are having issues with or more curious why V1 templates are there?

I have been setting up some IPSec VPNs with Cisco Routers and PIX Firewalls using Certificates. Everything is set up and I am using the SCEP add-in to allow the Cisco devices to enroll directly with the CA. This is all working OK. The SCEP add-in requests the 'IPSec (Offline request)' certificate and this cannot be changed (either to a different certificate template or the original template to be edited).

The problem is the certificate that gets given to the Cisco devices is the Version 1 certificate - IPSec (Offline request). This is fine for IPSec VPN connections but the certificate is also used when accessing the devices via a Secure Browser (SSL). Because the Enhanced Key Usage field only contains 'IP security IKE intermediate' the certificate is rejected by the browser so rendering any configuration or monitoring via a browser impossible.

The text on Microsoft's website suggests all the Version 1 certificates get upgraded to Version 2 ones (so editable etc) when a Windows Server 2003 Enterprise Edition CA is installed or upgraded. I do have both Version 1 and Version 2 certificate templates installed but I was expecting them all to have been upgraded to Version 2 templates.

Andy
 
Just to add to this I have managed to 'fix' the problem by deleting the Certificate Template from the AD Sites & Services snap-in and then duplicating the IPSec template and re-adding the IPSec (Offline request) template with the desired options. This obviously makes it a Version 2 template that can be edited.

My assumption is however that ALL the Certificate Templates would be upgraded automatically to Version 2 templates by the Windows 2003 Enterprise CA install?

Andy
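
The browser rejection described in the thread can be reproduced offline. This is an added example, not code from any poster, Microsoft or Cisco: it issues constructed self-signed test certificates and validates them the way a TLS client does. The host name, the helper name `serverAuthError` and the choice of Server Authentication as the usage added by the duplicated template are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// EKU OID for "IP security IKE intermediate", the only usage the thread reports.
var oidIKEIntermediate = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 8, 2, 2}

// serverAuthError issues a constructed test certificate with the IKE intermediate EKU
// plus any extra usages, then validates it for TLS server authentication.
func serverAuthError(extra ...x509.ExtKeyUsage) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "router.example.test"}, // constructed name
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		ExtKeyUsage:        extra,
		UnknownExtKeyUsage: []asn1.ObjectIdentifier{oidIKEIntermediate},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed sample, so it is its own trust anchor
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	fmt.Println("IKE intermediate only:        ", serverAuthError())
	fmt.Println("IKE intermediate + serverAuth:", serverAuthError(x509.ExtKeyUsageServerAuth))
}
```

The first certificate chains to a trusted root and is still refused, because an Enhanced Key Usage extension that is present but lacks Server Authentication restricts the certificate to the listed purposes.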
 