Unable to publish the certificates templates on the Certification Authority using FAS when CA is managed by Sectigo CA
Article ID: CTX696624
Updated On:
Description
When trying to publish the FAS certificate templates on CAs, there is an error:
This is because the default windows configured certificate agents are not used and instead the Sectigo certificate request agent handles the request.
You will find the Sectigo certificate request agent/plugin to be installed on the FAS server.
Cause
This is by design behavior and can also be verified with the help of the following PowerShell script that simulates the behavior of publishing the FAS templates to CA.
# Your CA's address here$address="youdomain\Your-CA-Name"
# CLSID of the Microsoft COM class CertificateAuthority.Request.1$guid="98AFF3F0-5524-11D0-8812-00A0C903B83C"
# Create a CertificateAuthority.Request.1 object with interface ICertAdmin2$comObject = [Activator]::CreateInstance([type]::GetTypeFromCLSID($guid))
# Get the list of templates; 29 is CR_PROP_TEMPLATE, 4 is PROPTYPE_STRING$comObject.GetCAProperty($address, 29, 0, 4, 0)
If the FAS templates are published, the output would look like this:
Citrix_SmartcardLogon1.3.6.1.4.1.311.21.8.15364189.13363262.6966947.3046217.7536512.134.14235111.8070130Citrix_RegistrationAuthority1.3.6.1.4.1.311.21.8.15364189.13363262.6966947.3046217.7536512.134.5751883.7434557Citrix_RegistrationAuthority_ManualAuthorization1.3.6.1.4.1.311.21.8.15364189.13363262.6966947.3046217.7536512.134.7242031.15108994
Resolution
Contact Sectigo or your internal PKI infrastructure team to review certificate template publishing requirements and also user certificate requirements.
You can manually publish FAS templates in CA.
Issue/Introduction
When trying to publish the FAS certificate templates on CAs, there is an error:
Additional Information
