Microsoft KB Archive/926168

= A certificate may not be enrolled, and you do not receive an error message in Windows Vista =

Article ID: 926168

Article Last Modified on 3/15/2007


APPLIES TO


 * Windows Vista Enterprise 64-bit edition
 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Home Basic
 * Windows Vista Home Premium
 * Windows Vista Starter
 * Windows Vista Ultimate




SYMPTOMS
When you try to enroll for an IPsec certificate or for a computer certificate in Windows Vista, the certificate may not be enrolled. You do not receive an error message, and an event is not logged.



CAUSE
This behavior may occur if the following two conditions are true:
 * A template is available for enrollment. For example, the default IPsec template is available for enrollment. Or, a copy of the template as a v2 template is available for enrollment.
 * Another template supersedes the available template but is unavailable for enrollment.

When a computer that is running Windows Vista tries to enroll for a certificate, the computer looks for the required template. If a template is found, the computer determines whether a v2 template supersedes this template. If one does, the computer uses the new template for enrollment.

However, if the new template has not been enabled for enrollment, a Windows Vista-based computer cannot use the new template to obtain the certificate. Additionally, the computer does not fall back to the old template even though the old template is still available. This behavior occurs during autoenrollment and during the use of the Automatic Certificate Request Service (ACRS). This behavior differs from the behavior of Microsoft Windows XP.



MORE INFORMATION
To check for new templates that have superseded old templates, use the Certutil utility. To do this, follow these steps:

 1. Type the following command at a command prompt, and then press ENTER to enable debug logging for enrollment:

    certutil -setreg enroll\debug 0xffffffe3

 2. Try to enroll for a certificate. Information about the enrollment attempt is recorded in the Certenroll.log file. This file is located in the folder where Windows is installed.
 3. View the Certenroll.log file. Then, note the template names that are in the file.
 4. At a command prompt, type the following command, and then press ENTER:

    Certutil -v -template

    The output provides information about the template and verifies that the template exists.
 5. At a command prompt, type the following command, and then press ENTER:

    Certutil -dstemplate

    The output provides information about the template and verifies that the template exists.
 6. Repeat steps 4 and 5 for each template name that you noted in step 3.
 7. At a command prompt, type the following command, and then press ENTER:

    Certutil -dstemplate | findstr /i "msPKI-Supersede-Templates"

    The output provides information about superseded templates. The output also verifies that the template that you tried to use for enrollment is superseded. Note the name of the superseded templates.
 8. Search the template pools in all the certification authorities (CAs) in the CA hierarchy for the superseded templates that you noted in step 7. Then, identify all additional superseded templates. To do this, follow these steps:
    a. Click Start, click Run, type Certtmpl.msc, and then click OK.
    b. In the Template Display Name list, locate a superseded template that was noted in step 7.
    c. Right-click the superseded template, and then click Properties.
    d. Click the Superseded Templates tab, and note the templates in the Certificate templates list.
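The cross-check behind steps 7 and 8, written out as an added example (not part of the original article or Microsoft's tooling): given each template's msPKI-Supersede-Templates values and the set of templates enabled for enrollment, it lists every available template that is superseded by an unavailable one. It goes beyond the direct case in CAUSE by also following the supersedence chain from step 8; the function name and all template names are hypothetical, constructed for illustration.

```python
from collections import deque


def blocked_enrollments(supersedes, published):
    """Find available templates that an unavailable template supersedes.

    supersedes: {template: [names in its msPKI-Supersede-Templates value]}
    published:  set of template names enabled for enrollment on a CA
    Returns {old_template: [(new_template, depth), ...]}.
    depth 1 is the direct condition described under CAUSE; depth > 1 was
    reached by walking the Superseded Templates chain (step 8) and should
    be reviewed by hand.
    """
    findings = {}
    for new in supersedes:
        if new in published:
            continue  # superseding template is enrollable: no silent failure
        seen = {new}  # guards against loops in the supersedence data
        queue = deque((old, 1) for old in supersedes[new])
        while queue:
            old, depth = queue.popleft()
            if old in seen:
                continue
            seen.add(old)
            if old in published:
                findings.setdefault(old, []).append((new, depth))
            queue.extend((o, depth + 1) for o in supersedes.get(old, []))
    return {old: sorted(hits) for old, hits in findings.items()}


# Constructed inventory (hypothetical names), as it might be written down
# from step 7 and from each CA's list of templates enabled for enrollment.
SAMPLE_SUPERSEDES = {
    "IPsec-v2": ["IPsec"],
    "IPsec-v3": ["IPsec-v2"],
    "Computer-v2": ["Computer"],
}
SAMPLE_PUBLISHED = {"IPsec", "Computer", "Computer-v2"}

if __name__ == "__main__":
    result = blocked_enrollments(SAMPLE_SUPERSEDES, SAMPLE_PUBLISHED)
    for old, hits in sorted(result.items()):
        for new, depth in hits:
            kind = "direct" if depth == 1 else "via chain, depth %d" % depth
            print("%s is superseded by unavailable %s (%s)" % (old, new, kind))
```

Each finding is resolved by either enabling the superseding template for enrollment or removing the supersedence entry, so that the condition described under CAUSE no longer holds.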

Keywords: kbexpertiseinter kbtshoot kbprb kbinfo KB926168


© Microsoft Corporation. All rights reserved.