So I’ve run into this problem multiple times and ‘hacked’ my way around it in various ways, but there is a better way that doesn’t require the use of certutil.exe or any other console utilities. This scenario applies under the following conditions:
- CA (Certificate Authority) Server is running on Windows Server 2008 R2
- Web Server is running on Windows Server 2008 R2
- Both servers are members of the same domain
- You want to use the Certificates snap-in
- You want to stay away from the console if you can
By default, you cannot request a Web Server certificate directly from your web server. The Active Directory Enrollment Policy only offers the templates that the requesting identity (here, the computer account) has Read and Enroll permission on, so the Certificate Enrollment wizard presents this screen:
As you can see from the screenshot, most of the certificate templates are unavailable, with the exception of the Computer certificate template.
Log on to your CA server and open the Certification Authority snap-in: open Server Manager and navigate to Roles > Active Directory Certificate Services > [certificate server name] > Certificate Templates.
Don’t skip this step, since it is easy to get the two views confused. In the right-hand pane, under the Certificate Templates heading, select More Actions > Manage. This opens the Certificate Templates Console, which lets you actually change templates instead of just viewing their properties. NOTE: on many of the default templates most options are grayed out and cannot be changed. From this console you can make a copy of a template, which gives you access to most of the options, by right-clicking the template and choosing Duplicate Template.
In the Certificate Templates Console, select the certificate template that you want to be able to request from and choose Properties. In the screenshot, I’m using the Web Server template.
Go to the Security tab and click Add to add an account to the Group or user names box.
In the Select Users, Computers, Service Accounts, or Groups dialog, add Computers to the Object Types, enter the computer name (or an AD group containing the computer accounts, e.g. Web Servers) and click Check Names. It is very important that you pick a computer account or a group of computer accounts: the request is made by the computer account, not by the user logged on to the computer, so granting your own user account Enroll does nothing here. Keep that group as small as you can. The default Web Server template lets the requester supply the subject name, so every computer account you grant Enroll on it can obtain a certificate for any host name it asks for; do not grant it to Domain Computers or Authenticated Users just to make the template show up.
Back in the Properties dialog, highlight the new account and tick Allow for Read and Enroll in the permissions panel. Click OK. That is all the editing needed on the CA side, so you can close the remaining dialogs and log off the CA server if you no longer need it for something else.
Open a session to the server that you want to make the request from and open the Certificates snap-in by going to Start > Run > mmc. In the MMC (Microsoft Management Console), go to File > Add/Remove Snap-in. In the Add or Remove Snap-ins dialog, select Certificates and click Add, which opens a new dialog. Select Computer account and click Next, then select Local computer and click Finish. Click OK to close the Add or Remove Snap-ins dialog.
Expand Certificates > Personal > Certificates as shown in the screenshot below. Right-click the nested Certificates folder and choose All Tasks > Request New Certificate.
In the Certificate Enrollment wizard, click Next, and Next again on the Select Certificate Enrollment Policy page, leaving the default policy (Active Directory Enrollment Policy) selected. The template is now listed as available directly in this snap-in, with no console or certutil.exe. If it still does not appear, check that the template is listed under Certificate Templates on the CA (i.e. the CA is set to issue it) and, if you added the web server to a new group, reboot the web server so its computer account picks up the new group membership.
Make sure you provide the additional information for your certificate, if necessary, by clicking the link. For Web Server certs, I typically add: CN (common name) = yourdomain.com, O (organization), OU (organizational unit), Locality (city), State, Country. The CN should be the fully qualified host name that clients connect to, and add the same name under Alternative name > DNS as well: current browsers validate the Subject Alternative Name and ignore the CN.
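The same two halves of the procedure, done from PowerShell instead of the two snap-ins, as an added example that is not part of the original post. Part 1 edits the template’s ACL in Active Directory exactly as the Security tab does and, more usefully, lists who currently holds Enroll on the template, which is the check that would have caught the user-versus-computer mistake. Part 2 is the PowerShell equivalent of the Request New Certificate wizard; it needs the PKI module (Windows 8 / Server 2012 or later), so on the 2008 R2 servers this post is about you still use the snap-in for that half. The domain name CONTOSO, the group "Web Servers", and the host name www.contoso.com are assumptions made for the example.

```powershell
# Added example, not from the original post. Assumed names: domain CONTOSO, a
# group "Web Servers" that contains the web server computer accounts, and the
# host name www.contoso.com. The template CN "WebServer" is the real CN of the
# default "Web Server" template.

# ---- Part 1: run as an account allowed to edit the template (e.g. on the CA) ----
$TemplateCN = 'WebServer'            # CN of the template object, not its display name
$Principal  = 'CONTOSO\Web Servers'  # assumed group of computer accounts, never a user

# Templates are objects in the Configuration partition, shared by every CA in the forest.
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$template = [ADSI]"LDAP://CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs that the Certificate Templates Console writes
# when you tick Enroll / Autoenroll on the Security tab.
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Get-TemplateEnrollers {
    # Lists every identity with an Allow ACE for Enroll or Autoenroll on the template.
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $Entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AutoEnrollGuid)
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Identity = $_.IdentityReference.Value
                Right    = $(if ($_.ObjectType -eq $EnrollGuid) { 'Enroll' } else { 'Autoenroll' })
            }
        }
}

'Enroll holders before the change:'
Get-TemplateEnrollers $template | Format-Table -AutoSize

# Bit 0x1 of msPKI-Certificate-Name-Flag means the enrollee supplies the subject
# name (the default for Web Server). With it set, every Enroll holder can get a
# certificate for any host name, so $Principal must stay tightly scoped.
$nameFlags = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
if ($nameFlags -band 1) {
    Write-Warning "$TemplateCN lets the requester supply the subject name; grant Enroll narrowly."
}

# Grant Read (generic read on the object) plus the Enroll extended right,
# which is what ticking Allow on Read and Enroll in the GUI does.
$account    = New-Object System.Security.Principal.NTAccount($Principal)
$readRule   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $account,
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
                  [System.Security.AccessControl.AccessControlType]::Allow)
$enrollRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                  $account,
                  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                  [System.Security.AccessControl.AccessControlType]::Allow,
                  $EnrollGuid)
$template.ObjectSecurity.AddAccessRule($readRule)
$template.ObjectSecurity.AddAccessRule($enrollRule)
$template.CommitChanges()

'Enroll holders after the change:'
Get-TemplateEnrollers $template | Format-Table -AutoSize

# ---- Part 2: run elevated on the web server (requires the PKI module, i.e.
# Windows 8 / Server 2012 or later; on 2008 R2 use the snap-in as described) ----
# Targeting Cert:\LocalMachine\My makes the request in the computer's security
# context, which is why the computer account, not your user, needs Enroll.
# The host name goes in the SAN (-DnsName) as well as the CN, because browsers
# validate the SAN and ignore the CN.
$result = Get-Certificate -Template $TemplateCN `
                          -SubjectName 'CN=www.contoso.com,O=Contoso' `
                          -DnsName 'www.contoso.com' `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Request not issued, status: $($result.Status)" }
$result.Certificate.Thumbprint
```

Run Part 1 once, on any domain member, as an account with write access to the template object (by default Domain Admins and Enterprise Admins); the ACL change is stored in AD, not on the CA, so it takes effect for every CA in the forest that issues that template. If the “before” listing already shows your own user account with Enroll, that is the symptom the post describes: remove it and grant the computer group instead.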
I hope this helps someone out. My main problem was that I kept adding my user to the permissions while trying to request a certificate with the computer account.