Enable Certificate Templates on a Certification Authority Server

2/9/2009

Generally, you enable certificate templates by running the ADConfig /enabletemplates command. If you want to enable certificate templates on a certification authority manually, follow these steps on the certification authority server.

To enable certificate templates on a certification authority server

  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Certification Authority.

  2. In Certification Authority, right-click <CA server name>, and then choose Properties.

  3. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDMServerAdmins.

  4. In the Permissions for SCMDMServerAdmins box, in the Allow column, select the Request Certificates box.

  5. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDMEnrolledDevices.

  6. In the Permissions for SCMDMEnrolledDevices box, in the Allow column, select the Request Certificates box.

  7. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDMEnrollmentServers.

  8. In the Permissions for SCMDMEnrollmentServers box, in the Allow column, select the Issue and Manage Certificates box.

  9. In the <CA server name> Properties dialog box, on the Certificate Managers Restrictions tab, select Restrict certificate managers.

  10. In the Available certificate managers drop-down list, select <domain>\SCMDMEnrollmentServers.

  11. In the Groups, users, or computers to manage box, make sure that the SCMDMEnrolledDevices group has its Access set to Allow. If this group does not appear in the box, choose Add.

    This setting restricts the SCMDMEnrollmentServers group to managing certificates for the SCMDMEnrolledDevices group only.

  12. Choose OK.

  13. In Certification Authority, expand <CA server name>, and then choose Certificate Templates.

  14. In the details pane, make sure that the following MDM templates are listed:

    • SCMDMGCM (<instance name>)
    • SCMDMWebServer (<instance name>)
    • SCMDMMobileDevice (<instance name>)

  15. Open a command prompt window, and run the following command:

    ADConfig.exe /enabletemplates:<instance> /ca:<ca server>\<ca name>
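
To confirm afterward that steps 3 through 8 left each MDM group with only the CA permission the procedure grants, the following added example (not part of the original page or of the product) audits the CA security descriptor as text. The function names are hypothetical, and the line layout and right labels it parses are an assumption about what certutil -getreg CA\Security prints; the sample lines are constructed.

```powershell
# Expected CA-level Allow rights from steps 3-8; group names are from the page.
# Assumption: certutil renders "Request Certificates" as "Enroll" and
# "Issue and Manage Certificates" as "Certificate Manager".
$expected = @{
    'SCMDMServerAdmins'      = @('Enroll')
    'SCMDMEnrolledDevices'   = @('Enroll')
    'SCMDMEnrollmentServers' = @('Certificate Manager')
}
$rightPattern = 'CA Administrator|Certificate Manager|Enroll|Read'
$linePattern  = '^\s*(Allow|Deny)\s+((?:(?:' + $rightPattern + ')\s+)+)(.+)$'

# Parse "Allow <rights...> <DOMAIN\principal>" lines into objects.
function Get-CaAce {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $linePattern) {
            [pscustomobject]@{
                Type      = $Matches[1]
                Rights    = @([regex]::Matches($Matches[2], $rightPattern) | ForEach-Object { $_.Value })
                Principal = $Matches[3].Trim()
            }
        }
    }
}

# Compare what each MDM group holds with what the procedure grants.
function Test-MdmCaPermission {
    param([string[]]$Lines)
    $aces = @(Get-CaAce -Lines $Lines | Where-Object { $_.Type -eq 'Allow' })
    foreach ($group in $expected.Keys) {
        $granted = @($aces | Where-Object { ($_.Principal -split '\\')[-1] -eq $group } |
                     ForEach-Object { $_.Rights } | Select-Object -Unique)
        [pscustomobject]@{
            Group   = $group
            Missing = @($expected[$group] | Where-Object { $_ -notin $granted }) -join ', '
            Extra   = @($granted | Where-Object { $_ -notin $expected[$group] }) -join ', '
        }
    }
}

# Constructed sample (CONTOSO is a placeholder domain). On the CA server use:
#   $lines = certutil -getreg CA\Security
$lines = @(
    '    Allow CA Administrator Certificate Manager  BUILTIN\Administrators'
    '    Allow Enroll  CONTOSO\SCMDMServerAdmins'
    '    Allow Enroll Certificate Manager  CONTOSO\SCMDMEnrolledDevices'
    '    Allow Certificate Manager  CONTOSO\SCMDMEnrollmentServers'
)
Test-MdmCaPermission -Lines $lines | Format-Table -AutoSize
```

With the constructed sample, the SCMDMEnrolledDevices row reports Certificate Manager under Extra, which is the kind of over-grant to review. The certificate manager restriction from steps 9 through 11 is not covered by this check.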