JCA

PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines


Hello everyone,

 

I’m having issues with workgroup computers, not domain systems, when I request a certificate. The domain computers are receiving their certificates via GPO.

 

It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. On a 2003 server, I can request a certificate manually with certutil and "see" the certificate template. I copy over the exact command on Windows 7 and it can’t "see" the certificate template. The error --- Template not found.

 

 

I have the following configuration:

  1. CA Enterprise
    1. I have created the SCCM Client Certificate
    2. I have created the SCCM Web Server Certificate
    3. I have created the SCCM Distribution Point Certificate
  2. GPO is configured
  3. SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
    1. Installed SCCM Client Certificate
    2. Installed SCCM Web Server Certificate
    3. Installed Distribution Point Certificate
  4. Deployed to a domain computer good on PKI

Workgroup Computers:

I’m having issues with deploying certificates

  1. Windows 7 – (ERROR) not successful
  2. Windows Server 2008 R2 – (ERROR) not successful
  3. Windows Server 2003 - successful
  4. Windows XP – successful

How I’m getting the certs for the clients is by utilizing the following scripts from this URL.

http://www.ithierarchy.com/ITH/node/48

 

I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:

 

Command line requesting the cert ---- CertReq -new -f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req

Error --- Template not found.

SCCMClientCertificate (this is my template)


Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OSes.

 

Instead, you must utilize two other additional roles on the CA to have this work. The caveat is, I’m down to the testing and it’s not working as in the document. I have MS Support working with me to resolve this issue since it was written by MSFT.

 

http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx

 

and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.

 

http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx
