Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

How to re-install the default certificate templates?


When you launch the certificate templates MMC snap-in (certtmpl.msc) for the first time, the certificate templates are installed automatically in the background. Installing the templates is independent of the availability of an enterprise CA. Enterprise Administrator permissions are required to successfully install the templates.

That's nice and convenient, but what happens if you accidentally delete the template objects from Active Directory? The templates can be viewed and also deleted (with appropriate permissions) through the Active Directory Sites and Services MMC snap-in (dssites.msc) or any other LDAP client.

 

 

 

So, what do you do if the templates or the OID container have disappeared? With a single command line, you can get them back. As a prerequisite for installing the certificate templates, you must have create child access to the template container in Active Directory, which is the default setting for an enterprise administrator.

 

If you are running Windows Server 2003, use the following command with enterprise administrator permissions:

 

regsvr32 /i:i /n certcli.dll

 

If you have Windows Vista or Windows Server 2008 already in place, certutil.exe understands a new verb to re-install the templates. Certutil is included in all Windows Vista SKUs by default.

 

certutil -installdefaulttemplates

 

After running one of the above commands, you must restart the CA service.
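A read-only check to run before and after the re-install, as an added example that is not part of the original post: it reports whether the Certificate Templates and OID containers exist in the Configuration naming context and how many objects each one holds. The function name Get-PkiContainerStatus is hypothetical; the script assumes a domain-joined machine with PowerShell 3.0 or later and uses the standard AD CS container locations and object classes.

```powershell
# Added example (not from the original post): read-only LDAP check of the
# containers that the template re-install repopulates. Makes no changes to AD.
function Get-PkiContainerStatus {
    param(
        [Parameter(Mandatory)] [string] $ContainerDn,  # DN of the container to inspect
        [Parameter(Mandatory)] [string] $ChildClass    # objectClass expected directly below it
    )
    $path = "LDAP://$ContainerDn"

    # A deleted container is reported instead of raising an error.
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        return [pscustomobject]@{ Container = $ContainerDn; Exists = $false; Count = 0; Names = @() }
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$path
    $searcher.Filter      = "(objectClass=$ChildClass)"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
    $searcher.PageSize    = 1000            # page results so large containers are not truncated
    [void]$searcher.PropertiesToLoad.Add('cn')

    $results = $searcher.FindAll()
    try {
        $names = @($results | ForEach-Object { $_.Properties['cn'][0] } | Sort-Object)
        [pscustomobject]@{ Container = $ContainerDn; Exists = $true; Count = $names.Count; Names = $names }
    }
    finally {
        $results.Dispose()                  # release the unmanaged search handle
    }
}

# Locate the forest's Configuration naming context, where AD CS keeps its objects.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

$status = @(
    Get-PkiContainerStatus -ContainerDn "CN=Certificate Templates,$pkiBase" -ChildClass 'pKICertificateTemplate'
    Get-PkiContainerStatus -ContainerDn "CN=OID,$pkiBase" -ChildClass 'msPKI-Enterprise-Oid'
)
$status | Format-Table Container, Exists, Count -AutoSize

# Flag anything that still needs the re-install described above.
$status | Where-Object { -not $_.Exists -or $_.Count -eq 0 } |
    ForEach-Object { Write-Warning "Missing or empty: $($_.Container)" }
```

Saving the Names output before the re-install and comparing it afterwards shows which template objects were recreated.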

 

The following two knowledgebase articles describe scenarios where re-installation of certificate templates can make sense:

 

Comments
  • Certificates make it easy for the small business employer to produce a professional-looking award to present to a deserving employee.

  • certutil -installdefaulttemplates does not require restart of the certsvc service since it simply does a population of objects into the Certificate Templates container.

    Furthermore, it does not have to be executed on the CA itself since it is just creating objects within Active Directory, the CA itself is not affected by this in any way.

    A CA doesn’t need to restart the certsvc service when new templates are created in Active Directory... ;)
