This section describes how to create certificate templates when the private key is managed using an HSM. All subscribers who enroll for a certificate based on such a template must have a client connection to the HSM.
If a CA installed on Windows Server Core is managed remotely, the snap-ins in this section must run on a separate machine with GUI capabilities.
To integrate the CA certificate enrollment functionality with a CA private key generated by the Utimaco HSM:
- Create a CA template that uses the Utimaco HSM:
- Open the command prompt and run the certtmpl.msc command.
"Certificate Template Console" Window
- Right-click the Administrator template, then select Duplicate Template. The Properties window opens, showing the Compatibility tab.
"Compatibility Tab" Window
- In the Certification Authority and Certificate Recipient drop-down boxes, select the appropriate Windows versions. Both must be at least Windows Server 2008 / Windows Vista; older compatibility levels produce a version 2 template, and the Key Storage Provider options used below are not offered for such templates.
"Compatibility Tab" Window
- Select the General tab. In Template display name, type a name for the template.
"General Tab" Window
- Select the Request Handling tab. In Purpose select Signature, and deselect Allow private key to be exported so that the private key can only ever exist inside the HSM.
"Request Handling Tab" Window
If you are using smartcard authentication, the prompt will appear on the PIN Pad device to insert the smartcard and enter the PIN. Then, press the OK button on the PIN Pad.
- Select the Cryptography tab and in Provider category, select Key storage provider.
- In Algorithm name, select the algorithm from the list.
- Select the radio button Requests must use one of the following providers, and in Providers, select only Utimaco CryptoServer Key Storage Provider. Leaving any software provider (for example Microsoft Software Key Storage Provider) selected would allow a subscriber to generate the key in software instead of in the HSM.
If the CA is on Windows Server Core and you are managing it remotely using certtmpl.msc on a different PC, you need to install the Utimaco CryptoServer Key Storage Provider on the PC that is running certtmpl.msc. Otherwise, the Utimaco CryptoServer provider will not appear in the list.
- In Request hash, select a hash type.
"Cryptography Tab" Window
- Select the Subject Name tab, then deselect Include e-mail name in subject name and deselect E-mail name.
"Subject Name Tab" Window
- Select Apply and OK to save the template settings, then close the Certificate Templates console.
- Open the command prompt and run the certsrv.msc command.
Windows Server Core: If a CA is configured on Windows Server Core and is managed via the Microsoft Management Console (MMC) from a different machine, you might get an error that states: Cannot manage Active Directory Certificate Services. To fix this, select OK, then in the certsrv.msc console that appears, select Action and click Retarget Certification Authority. In the window that appears, select Another Computer, then select Browse to find the CA you want to manage.
Windows Server Core: Sometimes an error appears indicating that the RPC server is unavailable. To fix this, sign in to the Windows Server Core machine and minimize the command prompt. A window prompts you to load a key. Complete the steps in the window and attempt to select the CA again from certsrv.msc.
- In the left-hand pane, select the Certification Authority name.
- Right-click the Certificate Templates node, then select New, then select Certificate Template to Issue.
"Certificate Templates Tab" Window
- Select the template you just created, then click OK.
"Enable Certificate Templates" Window
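The same two checks can be scripted from the administration PC instead of clicking through the snap-ins: confirm the Utimaco KSP is actually registered on the machine that manages the templates (the cause of the provider not appearing in the Providers list), then publish the template on the CA as the Certificate Template to Issue step does. This is an added example, not code from the original page or from Utimaco; the template name UtimacoHSMSigning and the CA configuration string CA01.contoso.local\Contoso-CA are assumptions and must be replaced with your own values.

```powershell
# Added example (not part of the original page). Assumptions:
#   - the duplicated template was saved with template name "UtimacoHSMSigning"
#   - the CA is reachable with the configuration string "CA01.contoso.local\Contoso-CA"
$ProviderName = 'Utimaco CryptoServer Key Storage Provider'   # name shown in the Cryptography tab
$TemplateName = 'UtimacoHSMSigning'                            # assumed template (not display) name
$CaConfig     = 'CA01.contoso.local\Contoso-CA'                # assumed "<host>\<CA name>"

# 1. The KSP must be registered on the machine running certtmpl.msc, otherwise it is
#    absent from the Providers list. certutil -csplist enumerates registered CSPs and KSPs.
$providers = certutil -csplist 2>&1 | Out-String
if ($providers -notmatch [regex]::Escape($ProviderName)) {
    throw "'$ProviderName' is not registered on $env:COMPUTERNAME; install the Utimaco KSP first."
}
Write-Host "Found '$ProviderName' on $env:COMPUTERNAME."

# 2. Publish the template on the CA (same effect as New > Certificate Template to Issue).
#    The leading '+' adds to the CA's list; without it the whole list would be replaced.
certutil -config $CaConfig -SetCATemplates "+$TemplateName"
if ($LASTEXITCODE -ne 0) {
    throw "Failed to publish '$TemplateName' on $CaConfig (certutil exit code $LASTEXITCODE)."
}

# 3. Read the CA's list of issuable templates back and confirm ours is on it.
$issued = certutil -config $CaConfig -CATemplates 2>&1 | Out-String
if ($issued -notmatch [regex]::Escape($TemplateName)) {
    throw "'$TemplateName' is not in the issued-template list of $CaConfig."
}
Write-Host "'$TemplateName' is published on $CaConfig."
```

Run this in an elevated PowerShell session as a CA administrator. If step 2 fails with the RPC server unavailable error, the CA service is not running or the RPC ports to the CA host are blocked, which is the same condition described for certsrv.msc above.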
- Request a certificate based on the template:
- Open the command prompt and run the certmgr.msc command.
- In the left-hand pane, right-click the Personal node, then select All Tasks, then Request New Certificate.
"Certificate Manager" Window
- Select Next in the first two windows.
If you are using smartcard authentication, the prompt will appear on the PIN Pad device to insert the smartcard and enter the PIN. Then, press the OK button on the PIN Pad.
- Select the template that you created, then click Enroll.
"Certificate Enrollment" Window
- The Certificate Installation Results window should show STATUS: Succeeded. Select Finish.
- Verify that the certificate was enrolled successfully. The enrollment wizard shows whether the enrollment succeeded or failed; select Details to view the request status and any error code. If the certificate fails to enroll because the CA service is not started or the RPC ports to the CA are blocked, the following error is displayed:
Error: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
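The subscriber-side enrollment can be done without the certmgr.msc wizard using certreq with an INF file that pins the Utimaco KSP, which also makes the two verification points explicit: that the certificate was installed with its private key, and that the key is held by the HSM provider rather than a software provider. This is an added example, not code from the original page or from Utimaco. It assumes an RSA 2048 key (adjust KeyLength if the template's algorithm differs), the template name UtimacoHSMSigning and the CA configuration string CA01.contoso.local\Contoso-CA from the previous example; the error handling covers the 0x800706ba RPC failure described above.

```powershell
# Added example (not part of the original page). Assumptions:
#   - template name "UtimacoHSMSigning", CA config "CA01.contoso.local\Contoso-CA"
#   - the template's algorithm is RSA 2048 (matches KeyLength below)
#   - run as the enrolling user on a machine that has the Utimaco KSP and HSM connection
$TemplateName = 'UtimacoHSMSigning'
$CaConfig     = 'CA01.contoso.local\Contoso-CA'
$CaHost       = ($CaConfig -split '\\')[0]
$ProviderName = 'Utimaco CryptoServer Key Storage Provider'
$Work         = Join-Path $env:TEMP 'utimaco-enroll'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# INF for certreq. ProviderName forces key generation in the HSM through the KSP and
# Exportable = FALSE mirrors the "Allow private key to be exported" setting being cleared.
@"
[NewRequest]
Subject = "CN=$env:USERNAME"
ProviderName = "$ProviderName"
KeyLength = 2048
KeyUsage = 0x80          ; digital signature only, matching Purpose: Signature
Exportable = FALSE
MachineKeySet = FALSE    ; user key, so the certificate lands in Cert:\CurrentUser\My
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = $TemplateName
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Generate the key pair in the HSM and build the CSR (the PIN pad may prompt here).
certreq -new -q "$Work\request.inf" "$Work\request.req"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)." }

# Submit to the CA. A stopped CA service or blocked RPC ports surface here as
# 0x800706ba RPC_S_SERVER_UNAVAILABLE.
certreq -submit -q -config $CaConfig "$Work\request.req" "$Work\cert.cer"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Submit to $CaConfig failed (exit code $LASTEXITCODE); checking the usual causes."
    $rpc = Test-NetConnection -ComputerName $CaHost -Port 135 -WarningAction SilentlyContinue
    if (-not $rpc.TcpTestSucceeded) {
        Write-Warning "TCP/135 (RPC endpoint mapper) on $CaHost is unreachable; check firewalls."
    }
    certutil -config $CaConfig -ping   # tests the CA's request interface; fails if the service is stopped
    throw "Enrollment failed."
}

# Bind the issued certificate to the HSM-held key in the user's Personal store.
certreq -accept -q "$Work\cert.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)." }

# Verification 1: the certificate is installed and has a usable private key.
$issued    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$Work\cert.cer"
$installed = Get-ChildItem Cert:\CurrentUser\My | Where-Object Thumbprint -eq $issued.Thumbprint
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $($issued.Thumbprint) is not installed with a private key."
}

# Verification 2: the key is held by the Utimaco KSP, not by a software provider.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($installed)
$keyProvider = $rsa.Key.Provider.Provider
if ($keyProvider -ne $ProviderName) {
    throw "Private key is held by '$keyProvider', not by '$ProviderName'."
}
Write-Host "Enrolled $($installed.Subject) ($($installed.Thumbprint)); key is in '$keyProvider'."
```

The second verification is the one worth keeping in any enrollment check: a certificate with HasPrivateKey set proves only that some key is bound to it, while reading the CNG key's provider name proves the key never left the HSM.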