- A template is available for enrollment. For example, the default IPsec template is available for enrollment. Or, a copy of the template as a v2 template is available for enrollment.
- Another template supersedes the available template but is unavailable for enrollment.
However, if the new template has not been enabled for enrollment, a Windows Vista-based computer cannot use the new template to obtain the certificate. Additionally, the computer does not fall back to the old template even though the old template is still available. This behavior occurs during autoenrollment and during the use of the Automatic Certificate Request Service (ACRS). This behavior differs from the behavior of Microsoft Windows XP.
- Type the following command at a command prompt, and then press ENTER to enable debug logging for enrollment:
certutil -setreg enroll\debug 0xffffffe3
- Try to enroll for a certificate. Information about the enrollment attempt is recorded in the Certenroll.log file. This file is located in the folder where Windows is installed.
- View the Certenroll.log file. Then, note the template names that are in the file.
- At a command prompt, type the following command, and then press ENTER: Certutil -v -template Found_Template_Name.The output provides information about the template and verifies that the template exists.
- At a command prompt, type the following command, and then press ENTER: Certutil -dstemplate Found_Template_Name.The output provides information about the template and verifies that the template exists.
- Repeat steps 4 and 5 for each template name that you noted in step 3.
- At a command prompt, type the following command, and then press ENTER: Certutil -dstemplate | findstr /i "msPKI-Supersede-Templates"The output provides information about superseded templates. The output also verifies that the template that you tried to use for enrollment is superseded. Note the name of the superseded templates.
- Search the template pools in all the certification authorities (CAs) in the CA hierarchy for the superseded templates that you noted in step 7. Then, identify all additional superseded templates. To do this, follow these steps:
- Click Start, click Run, type Certtmpl.msc, and then click OK.
- In the Template Display Name list, locate a superseded template that was noted in step 7.
- Right-click the superseded template, and then click Properties.
- Click the Superseded Templates tab, and note the templates in the Certificate templates list.
Article ID: 926168 - Last Review: Oct 21, 2008 - Revision: 1