J.C.'s space

Blog


March 20

AD Certificate Services 2008, Version 3 certificate templates at the 2008 level, and Web Enrollment for SCOM.

Just had an interesting issue with a new 2008 PKI implementation: my certificate templates were not showing up for Web Enrollment.
 
I had just set up a complete PKI using AD CS 2008 and was trying to issue certificates to a Gateway SCOM server in the "Other" forest and to the Management server in the home forest. And of course, I ran into some interesting issues.
 
For security reasons, none of the default templates were published when the CA was turned up. This was to ensure that someone had to actively approve the publishing of a certificate template, and to prevent auto-enrollment of certificates until the organization was explicitly ready. This unusual situation would complicate troubleshooting.
 
So the first template to be published was the newly created SCOM Certificate template. Now there was nothing special about this template. It is simply a Computer template (with the Server Authentication and Client Authentication OIDs, just like the default Computer template). Instead of publishing the default Computer template, I duplicated it and extended its life to 2 years, but when I did this it asked me if I wanted to make this a 2003 or a 2008 version. Well, hell yeah, I want 2008. Why else did I go through the trouble of deploying 2008 CAs -- (ummm, maybe not!!).
 
This answer had the effect of adding advanced features to the version 3 template, something that I wasn't fully aware of at the time, and which I discovered hours later means it cannot be web enrolled.
 
This of course presents a challenge to a SCOM Gateway server in the "Other" forest, because that is the only method it has of connecting to the issuing CA in the home forest. (Sure, I could have used a third-party manual request generation tool, but I was irked that this wasn't working!!!)
 
So after a few hours of verifying permissions and settings, I ran across the fact that V3 certificate templates cannot be web enrolled, and the fact that Authenticated Users in the root domain does not translate to computers or users in sub-domains.
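The check that would have saved those hours is to look at each template's schema version before publishing it: templates created with the "Windows Server 2008" choice carry msPKI-Template-Schema-Version 3, and only version 1 and 2 templates appear on the certsrv Web Enrollment pages. The script below is an added example, not code from the original post. It inventories the templates in the forest over ADSI (no RSAT module needed), flags the version 3 ones, reports the validity period and whether the Server Authentication and Client Authentication EKUs are present, and lists which CA publishes each template. It assumes it is run on a domain-joined machine as a user who can read the Configuration partition; the attribute and container names are the standard AD CS ones, and the EKU OIDs are the well-known ones (1.3.6.1.5.5.7.3.1 server, 1.3.6.1.5.5.7.3.2 client). Template enrollment permissions, the other half of the problem above, are not examined here.

```powershell
# Added example, not code from the original post. Lists certificate templates in this
# forest, flags version 3 (Windows Server 2008) templates, which cannot be requested through
# the certsrv Web Enrollment pages, and shows which CA publishes each template.
# Assumes: domain-joined host, caller can read CN=Configuration. ADSI only.

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

# msPKI-Template-Schema-Version as the template wizard labels it.
$versionLabel = @{ 1 = 'V1 (Windows 2000)'; 2 = 'V2 (Windows Server 2003)'; 3 = 'V3 (Windows Server 2008)' }

# EKU OIDs a SCOM certificate needs (same pair as the default Computer template).
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'

# Which CA publishes which template: pKIEnrollmentService.certificateTemplates.
$publishedOn = @{}
foreach ($ca in ([ADSI]"LDAP://CN=Enrollment Services,$pkiBase").Children) {
    $caName = [string]$ca.Properties['cn'].Value
    foreach ($tmpl in @($ca.Properties['certificateTemplates'].Value)) {
        if ($tmpl) { $publishedOn[[string]$tmpl] += @($caName) }
    }
}

$report = foreach ($t in ([ADSI]"LDAP://CN=Certificate Templates,$pkiBase").Children) {
    $name    = [string]$t.Properties['cn'].Value
    $version = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
    $ekus    = @($t.Properties['pKIExtendedKeyUsage'].Value | ForEach-Object { [string]$_ })

    # pKIExpirationPeriod is an 8-byte little-endian negative count of 100 ns intervals
    # (the usual AD duration encoding); negating it gives a TimeSpan in ticks.
    $validityDays = $null
    $raw = $t.Properties['pKIExpirationPeriod'].Value
    if ($raw) {
        $validityDays = [int][TimeSpan]::FromTicks(-[BitConverter]::ToInt64([byte[]]$raw, 0)).TotalDays
    }

    $label = if ($versionLabel.ContainsKey($version)) { $versionLabel[$version] } else { "V$version" }

    [pscustomobject]@{
        Template            = $name
        Version             = $label
        WebEnrollable       = ($version -le 2)   # certsrv pages only offer V1 and V2 templates
        ValidityDays        = $validityDays
        ServerAndClientAuth = ($ekus -contains $serverAuth) -and ($ekus -contains $clientAuth)
        PublishedOn         = ($publishedOn[$name] -join ', ')
    }
}

# Templates that are published but will never show up on the Web Enrollment pages.
"Published templates that cannot be web enrolled:"
$report | Where-Object { $_.PublishedOn -and -not $_.WebEnrollable } |
    Format-Table Template, Version, ValidityDays, ServerAndClientAuth, PublishedOn -AutoSize

"All templates:"
$report | Sort-Object Template | Format-Table -AutoSize
```

If the SCOM template shows up in the first table, the remedy that matches the post is to duplicate the Computer template again, answer "Windows Server 2003" to the version prompt, set the 2-year validity and the two EKUs on that copy, and publish it in place of the V3 one. The ServerAndClientAuth column is there because a template that is web enrollable but lacks either EKU will still be rejected by SCOM.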

Trackbacks

The trackback URL for this entry is:
http://jcwarnerii.spaces.live.com/blog/cns!DAFBEF02F4CD141!169.trak