Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
My colleague Jan had the following case recently:Customer verbatim:
We've created a custom web server certificate template that we want to use to enroll certificates from for our web servers. We've also removed the original Web Server template from the list of templates our CA is allowed to issue.However, when we now go to the IIS 7/7.5 MMC root, click Server Certificates and choose Create Domain Certificate and go through the Certificate Wizard we are not seeing any CA and the Select button is greyed out.
After investigating this closer we determined the following:
The Certificate Helper code in the IIS 7.x MMC is hard-coded to look for a certificate template with the name WebServer. This means that if no CA in your environment is allowed to issue a certificate template with that name it will not find any CA to enroll for.Running certutil –templateCAs WebServer should list out which CA’s are allowed to issue the WebServer template.
The workaround is to enroll for a server certificate using the Certificates MMC snap-in, this is also preferable from a security perspective as the Create Domain Certificate request option doesn't allow you to choose the key size of the certificate (it's hardcoded to 512 or 1024) while you can specify the key size within the custom request in the Certificates MMC.