I've installed a standalone root CA and an enterprise subordinate CA in our environment - both are Windows 2008 R2. Everything is working except for Web Enrollment using a custom User template. I duplicated the default User template and chose 2003 Compatible for the new one. I changed the minimum key length to 2048 and set the validity period to 2 years.
We'd like to avoid using the Advanced Certificate Request page, so I modified certrqtp.inc to point to the new template:
    Else
        ' Request types for enterprise
        rgAvailReqTypes(0,FIELD_TEMPLATE)="User-custom"
        rgAvailReqTypes(0,FIELD_FRIENDLYNAME)=L_UserTemplateCert_Text
        rgAvailReqTypes(0,FIELD_CSPLIST)="Microsoft Enhanced Cryptographic Provider v1.0?Microsoft Base Cryptographic Provider v1.0"
        rgAvailReqTypes(0,FIELD_CSPLIST2)="Microsoft Base Cryptographic Provider v1.0?Microsoft Enhanced Cryptographic Provider v1.0"
        rgAvailReqTypes(0,FIELD_EXPORTABLE)="True"
        nAvailReqTypes=1
    End If
I also ran into this issue where Web Enrollment jumps straight to the Advanced page if the original User template isn't present on the CA:
http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/9ab514bc-1f9f-424e-b70d-705874d9c623
So I have both User templates loaded on the CA, and I get this error back when attempting a certificate request using IE 8 or 9:
Your certificate request was denied.
Your Request Id is 25. The disposition message is "Denied by Policy Module".
Contact your administrator for further information.
Looking at the CA's Failed Requests section, I see this error:
The public key does not meet the minimum size required by the specified certificate template. 0x80094811 (-2146875375)
I double-checked our custom template and it does specify 2048 as the minimum key size.
Also, when trying with Chrome 11.0, I get an extra option during enrollment asking for a key size (1024 or 2048). When I choose 2048, the certificate request succeeds. I don't get the key size option when using IE, though.
We'd like to get this working with IE if possible. Any ideas?
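Added diagnostic for the symptom described above (this is example code, not from the original post): it reads the custom template's minimum key size and lists the CA's denied requests whose submitted public key is shorter than that, which is what the 0x80094811 disposition reports. It assumes the template name User-custom from the post, that disposition value 31 means Denied in the CA database, and that certutil's -template output contains an msPKI-Minimal-Key-Size line; run it on the issuing CA.

```powershell
# Example diagnostic, not part of the original post.
# Assumptions: template name "User-custom"; CA database disposition 31 = Denied;
# certutil -view columns RequestID, PublicKeyLength, CertificateTemplate and
# Request.DispositionMessage; certutil -v -template prints msPKI-Minimal-Key-Size.
$TemplateName = 'User-custom'

# Read the template's minimum key size as published in Active Directory.
$templateDump = certutil -v -template $TemplateName
$minLine = $templateDump | Select-String 'msPKI-Minimal-Key-Size' | Select-Object -First 1
if (-not $minLine) {
    throw "Could not find msPKI-Minimal-Key-Size for template $TemplateName"
}
$minKeySize = [int]($minLine.Line -replace '[^0-9]', '')
Write-Host "Template $TemplateName minimum key size: $minKeySize"

# Pull denied requests from the CA database as CSV; drop certutil's own header
# row and supply fixed column names so the script does not depend on display names.
$csv = certutil -view -restrict 'Disposition=31' `
    -out 'RequestID,PublicKeyLength,CertificateTemplate,Request.DispositionMessage' csv
$rows = $csv | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header RequestID,PublicKeyLength,Template,Message

# Requests whose key is shorter than the template minimum are the ones the
# policy module rejects with 0x80094811 (e.g. Request Id 25 in the post).
$rows | Where-Object { [int]$_.PublicKeyLength -lt $minKeySize } |
    Format-Table RequestID, PublicKeyLength, Template, Message -AutoSize
```

If the listed requests show a 1024-bit key for the User-custom template while the Chrome-submitted 2048-bit request is absent from the list, that confirms the IE-generated key length, not the template definition, is what the CA is rejecting.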