Certification Authority not showing up in IIS Server Certificates Dialog

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Greetings everyone.


In today's post, I am going to cover the following scenario and how to address it:

"I want to renew a certificate using the Renew Certificate in IIS and I can't see the Online Certification Authority where the certificate template to issue the certificate is present!"


The answer? Simple. Make sure that the Online Certification Authority you want to use also publishes the out-of-the-box Web Server certificate template (the template whose name is WebServer). A CA that does not publish that template will not be offered by IIS, no matter which other templates it publishes.


Walk with me while I explain why this is. Let's start from the beginning: When you wish to renew a certificate in IIS, you open the IIS Manager (quick note: this also works the same way in the IIS MMC snap-in).


After opening IIS Manager, you click on the server element in the tree to your left, and in the center pane, you double-click to open the Server Certificates module.


Once you are in the Server Certificates module, you get a list of certificates that are installed on the machine. You then pick a certificate, and in the Actions pane to the right, you pick the "Renew" action.


You go through the steps in the wizard until you are ready to choose the Online Certification Authority to which you will submit the renewal request. You then click the Select button and you find that you can only see one Online Certification Authority (and it is not the one you were hoping for).


This is because IIS looks specifically for the Online Certification Authorities that publish the standard out-of-the-box Web Server certificate template. The template your custom certificate was issued from does not enter into that search at all.


And how does it do that? It does so by calling a function exported by a small DLL called certcli.dll (the Active Directory Certificate Services Client library, found in the C:\Windows\System32 folder).


Amongst the several functions this DLL provides, one of them is CAFindByCertType, which returns the enterprise Certification Authorities that publish the certificate template (type) whose name we pass to it. In this particular case, the type is "WebServer", the template name of the built-in Web Server template.


Now, you are possibly wondering: Where is this information stored? Well, wonder no more.

The information about which templates a Certification Authority publishes is stored in the Configuration partition of Active Directory, in the CA's own object (a pKIEnrollmentService object) under the Enrollment Services container: CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=<domain>,DC=<tld>. Every enterprise CA in the forest has exactly one such object, and that is what CAFindByCertType enumerates.


You can access this object in two ways:

Either you use the ADSI Edit tool (available under Windows Administrative Tools), or the ldifde command-line tool.

Here is an example of how you can export the Certification Authority objects under the Enrollment Services container for a fictitious example.com domain (ldifde requires the -f output file; the container lives in the Configuration partition, so CN=Configuration must be part of the distinguished name):
ldifde -f AD-Enrollment-Container.ldf -d "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=example,DC=com"
Alternatively, in ADSI Edit, connect to the Configuration naming context and browse to CN=Services > CN=Public Key Services > CN=Enrollment Services; each child object there is one Certification Authority.
Now, like any other Active Directory object, this one has attributes that we want to look into. The attribute we are after is a multi-valued string attribute called certificateTemplates.
It holds the list of all of the certificate templates that are published (issued) by that Certification Authority.
This list is where you (and ultimately, IIS) will see the WebServer certificate template, if it is published (note that the value really is WebServer, the template name, and not the display name "Web Server" or "webserver"). If the template is not published on that CA, the CA will not be shown in the Online Certification Authority dialog in IIS.
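To check this without opening ADSI Edit, here is a PowerShell script (an added example, not code from the original post) that reads every CA object under the Enrollment Services container and reports whether its certificateTemplates attribute contains WebServer, which is exactly the condition IIS tests through CAFindByCertType. It assumes a domain-joined machine whose user can read the Configuration partition (any authenticated user can by default); it uses only the built-in System.DirectoryServices classes, so the Active Directory PowerShell module is not required. The certutil -SetCATemplates remediation line in the comment is a real certutil verb but is shown as an assumption about how you would want to fix it; run it only as a CA administrator.

```powershell
# Added example (not from the original post): list every enterprise CA published
# in Active Directory and report whether it publishes the "WebServer" template,
# which is what the IIS Server Certificates dialog requires before it will list a CA.
# Assumes: domain-joined machine, caller can read the Configuration partition.

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNC  = [string]$rootDse.configurationNamingContext
$container = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]$container
$searcher.Filter      = '(objectClass=pKIEnrollmentService)'   # one object per enterprise CA
$searcher.SearchScope = 'OneLevel'
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'certificateTemplates'))

$results = foreach ($r in $searcher.FindAll()) {
    # ResultPropertyCollection keys are returned lower-cased
    $templates = @($r.Properties['certificatetemplates'])

    # IIS searches for the template *name* "WebServer", not the display name
    # "Web Server"; compare case-sensitively to mirror that exact value.
    $hasWebServer = ($templates -ccontains 'WebServer')

    [pscustomobject]@{
        CA           = [string]$r.Properties['cn'][0]
        Host         = [string]$r.Properties['dnshostname'][0]
        VisibleInIIS = $hasWebServer
        Templates    = ($templates -join ',')
    }
}

$results | Format-Table -AutoSize

# Any CA flagged here is the one "missing" from the IIS Online Certification Authority dialog.
foreach ($ca in ($results | Where-Object { -not $_.VisibleInIIS })) {
    Write-Warning ("CA '{0}' on {1} does not publish WebServer; IIS will not list it." -f $ca.CA, $ca.Host)
    # Remediation (assumed; run as a CA administrator): publish the template on that CA.
    #   certutil -config "$($ca.Host)\$($ca.CA)" -SetCATemplates +WebServer
}
```

The script reads the same certificateTemplates attribute that the ldifde export above dumps, so the two views should agree; if a CA shows VisibleInIIS = False, publishing the Web Server template on it (through the Certification Authority console under Certificate Templates > New > Certificate Template to Issue, or with certutil as in the comment) is what makes it appear in the IIS dialog.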
And that is it! I hope you had as much fun reading this as I had writing about what I learned on this topic.
