The Certificate Template Manager Hangs Indefinitely

Hey ladies and gents, Sean here again. Recently I ran into an issue with Windows Server 2003 that caused the Certificate Template Manager to hang. I’ll discuss the problem and provide solutions so you don’t get stuck wondering what’s going on if this happens to you.

First, let’s talk about the symptoms. If you try to open the Certificate Template Manager (certtmpl.msc) in the affected forest, it will not open…on any computer in that forest. If you look at task manager after attempting to open certtmpl.msc you will see mmc.exe consuming 100% of the CPU (50% if you’ve got 2, 25% if you have 4, etc.) regardless of how long you let it run. The only way to stop it is to end the process.

So, what’s going on when this happens? Most likely you have over 1000 Object Identifiers (OIDs) in the container CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=your,DC=domain.

When you open the Certificate Template Manager, it uses LDAP to enumerate all of the objects in this container. If there are over 1000 OIDs, the default MaxPageSize is exceeded and the Certificate Template Manager will hang. This happens because the lookup of the OIDs in the OID container does not use a paged LDAP query.

So, how do you end up with over 1000 OIDs in the OID container? That’s a great question. To help answer it, I’ve listed a number of facts concerning the creation and deletion of certain objects.

1. Every template, issuance policy, or application policy (Enhanced Key Usage) that you create will create an OID in the OID container.

2. If you delete a template that you created, the corresponding OID will NOT be deleted from the OID container.

3. There is no way to delete issuance or application policies using the Certificate Template Manager. In order to remove either object you must delete the OID associated with it (determining which OID is associated with which policy is discussed later). Once the OID is deleted the Certificate Template Manager must be closed and reopened before the policy will no longer appear.

4. As soon as you right click on a template and select Duplicate Template in the Certificate Template Manager an OID is created in the OID container. If you decide you do not need to duplicate the template and hit Cancel instead of OK then the OID will remain but the DisplayName attribute on the OID will not be set (this is important when identifying which OIDs and templates are associated with each other).

Now that we know how OIDs are handled in certain situations, it isn’t hard to imagine what might cause you to have over 1000 OIDs in your OID container. It is possible that you just have that many objects, but it’s more likely that OIDs have not been cleaned up after templates have been deleted. It’s also possible that someone accidentally duplicates the wrong template and hits Cancel, so the template isn’t created but its OID remains.

Now that we know what’s causing the issue, how do you go about fixing it? There are two ways you can alleviate the issue. If you know you have a lot of certificate templates, issuance policies, or application policies that are no longer needed, or if you’ve recently added a lot of templates after deleting unnecessary ones from the Certificate Template Manager, clean up the OIDs associated with the deleted or unnecessary objects. DO NOT RANDOMLY DELETE THEM! Find out which OIDs correspond to which objects and make sure you do not need them before deleting them.

To help determine which OIDs and objects are associated with each other, take a look at the output of this dsquery command:

dsquery * "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=domainname" -scope subtree -filter "(flags=1)" -attr cn msPKI-Cert-Template-OID displayname >dsqueryfortemplates.txt

This command outputs the CN, the OID, and the DisplayName attribute of all of the templates in the OID container. Because we’re specifically filtering for objects with the flags attribute equal to 1, only OIDs pertaining to certificate templates will be returned. The output will look similar to Table 1.

Table 1

| CN | msPKI-Cert-Template-OID | Displayname* |
|---|---|---|
| CN=6580384.104FAE32114BC7E4BC49913C7AC34921 | 1.3.6.1.4.1.311.21.8.6650940.8038262.8601989.12750652.7494247.201.7982734.6580384 | Test User |

Now that we have this output, we know that OID 1.3.6.1.4.1.311.21.8.6650940.8038262.8601989.12750652.7494247.201.7982734.6580384 belongs to the Test User template. Also, notice that the OID ends with the same number that the CN starts with (6580384). If you decide this is a template that is no longer needed, then the object with that CN can be deleted, in ADSIEdit for example.

*Remember, if there is no DisplayName attribute it’s likely the scenario described in number 4 from above has occurred.

Additionally, to help identify Issuance policies and Application policies, we can search for OIDs that have the flags attribute equal to 2 or 3 respectively.

dsquery * "CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=domainname" -scope subtree -filter "(flags=2)" -attr cn msPKI-Cert-Template-OID displayname

This command will output the same information as the previous command (but for issuance policies, not templates) so you can make a decision as to whether or not the issuance policy OIDs should be deleted.
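As an added example (not part of the original post, and not a Microsoft tool), the following PowerShell script performs the same identification as the dsquery commands above but with a paged LDAP query, so the enumeration itself never trips MaxPageSize, and it cross-checks each OID object against the templates that still reference it. It assumes PowerShell on a domain-joined Windows machine with the System.DirectoryServices .NET classes available and read access to the Configuration partition; it only reports and never deletes anything.

```powershell
# Added example, not from the original post: report (never delete) which objects in the OID
# container are not referenced by any certificate template. The enumeration uses a paged
# DirectorySearcher, so it is not subject to the default 1000-entry MaxPageSize.
# Assumes a domain-joined machine and read access to the Configuration partition.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

function Search-Paged([string]$BaseDn, [string]$Filter, [string[]]$Attrs) {
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$BaseDn")
    $s.Filter      = $Filter
    $s.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $s.PageSize    = 500                      # paged query: MaxPageSize no longer applies
    [void]$s.PropertiesToLoad.AddRange($Attrs)
    $s.FindAll()
}
function Get-Values($Result, [string]$Name) {   # SearchResult property names are lower-case
    # unary comma keeps the result an array even when it holds zero or one value
    ,@($Result.Properties[$Name.ToLower()] | ForEach-Object { [string]$_ } | Where-Object { $_ })
}

# Collect every OID a template still references: its own template OID plus the issuance
# policies, application policies, EKUs and RA policies configured on it.
$tplAttrs = @("msPKI-Cert-Template-OID", "msPKI-Certificate-Policy",
              "msPKI-Certificate-Application-Policy", "pKIExtendedKeyUsage", "msPKI-RA-Policies")
$referenced = @{}
foreach ($t in Search-Paged "CN=Certificate Templates,$pkiBase" "(objectClass=pKICertificateTemplate)" (@("cn") + $tplAttrs)) {
    $tplName = (Get-Values $t "cn")[0]
    foreach ($attr in $tplAttrs) {
        foreach ($oid in Get-Values $t $attr) { $referenced[$oid] = $tplName }
    }
}

# flags on the OID object: 1 = template, 2 = issuance policy, 3 = application policy
$kind = @{ "1" = "template"; "2" = "issuance policy"; "3" = "application policy" }
$oidAttrs = @("cn", "flags", "msPKI-Cert-Template-OID", "displayName")
$report = foreach ($o in Search-Paged "CN=OID,$pkiBase" "(|(flags=1)(flags=2)(flags=3))" $oidAttrs) {
    $oid  = (Get-Values $o "msPKI-Cert-Template-OID")[0]
    $name = (Get-Values $o "displayName")[0]
    $status = if (-not $name) { "NO DISPLAYNAME: probably a cancelled Duplicate Template" }
              elseif ($oid -and $referenced.ContainsKey($oid)) { "referenced by template '$($referenced[$oid])'" }
              else { "NOT REFERENCED by any template: confirm it is unneeded before deleting" }
    [pscustomobject]@{
        Kind = $kind[(Get-Values $o "flags")[0]]; CN = (Get-Values $o "cn")[0]
        OID = $oid; DisplayName = $name; Status = $status
    }
}
$report | Sort-Object Kind, Status | Format-Table -AutoSize
"{0} of {1} OID objects are not referenced by any template" -f @($report | Where-Object Status -like "NOT REFERENCED*").Count, @($report).Count
```

An issuance policy OID that no template references may still appear in certificates already issued, so treat the report as a candidate list to review, not a delete list.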

For your convenience I’ve included a table that lists the end of the OIDs that exist by default on a newly installed Windows Server 2003 Enterprise CA. The first 7 are templates and the last 3 are issuance policies. There are no application policy OIDs in the OID container by default.

Table 2

| CN Starts With… | msPKI-Cert-Template-OID Ends With… | DisplayName Is… |
|---|---|---|
| 25. | 1.25 | Cross Certification Authority |
| 26. | 1.26 | CA Exchange |
| 27. | 1.27 | Key Recovery Agent |
| 28. | 1.28 | Domain Controller Authentication |
| 29. | 1.29 | Directory Email Replication |
| 30. | 1.30 | Workstation Authentication |
| 31. | 1.31 | RAS and IAS Server |
| 400. | 1.400 | Low Assurance |
| 401. | 1.401 | Medium Assurance |
| 402. | 1.402 | High Assurance |

Once you’ve gotten the number of OIDs in the OID container below 1000, you will be able to open the Certificate Template Manager. Be aware that some cleanup will still be needed on the templates that referenced the deleted OIDs. For example, if an OID for an issuance policy called Test Issuance Policy was deleted in Active Directory and that issuance policy was applied on a template called Test EFS Recovery Agent, then when you look at the properties on Test EFS Recovery Agent you will see an OID in place of the display name for the issuance policy. Notice Figure 2 shows the Test Issuance Policy is applied. Once you delete the OID from Active Directory the display name will no longer show up in the GUI. Instead you’ll just see the original OID. This entry can be safely removed from the template if you’ve deleted the OID in Active Directory.

[Figures 1 and 2: Test EFS Recovery Agent template properties]

If you decide that all of the OIDs are needed in your environment, then there is another, less desirable option. In order to get the Certificate Template Manager to open you will need to increase the MaxPageSize value to something LARGER than the number of OIDs you have in the OID container. Please realize that this will affect all of the DCs in your environment. If this value is increased too high it could cause performance issues. For more information, check out

How to View and set LDAP Policy in Active Directory by using Ntdsutil.exe -
http://support.microsoft.com/kb/315071

Now that you know how OIDs are handled in your Enterprise PKI environment you are better equipped to avoid problems that may arise from having a large number of OIDs in the OID container. Just remember to make SURE that you know what object an OID corresponds to BEFORE deleting it. It’s also a good idea to make sure that the object is no longer needed :-).

- Sean “Lurch” Ivey