Here is an issue I had a bit of trouble finding an answer to.
The end goal is to have an Enterprise AD Certificate Services (ADCS) host automatically issue certificates for requests made from domain-member IIS computers. Assuming ADCS is configured correctly, the certificate authority is listed as a trusted root, and requests are received as expected, here is the fix:
Requests are made from IIS, but developers received a message that certs could not be issued.
This is by design in ADCS. By default, certificate request status is set to pending and administrators must manually issue, save, and complete cert requests in IIS.
The necessary change is made in the ADCS administration console. Right-click the root of the local certificate server > select Properties > click the “Policy Module” tab.
Change the radio button to “Follow settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.”
If templates have remained unchanged, certs can now be automatically completed in IIS.
All requests will use the “Web Server” template. At the time of this article, Microsoft does not allow the default template to be changed. If you need to use different settings, the cert request will need to be requested and completed manually.
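The radio button on the “Policy Module” tab is stored as the RequestDisposition registry value of the CA's policy module, so the setting can be audited or changed from PowerShell, which helps when reviewing which CAs issue without administrator approval. This is an added example, not part of the original post; it assumes the default Microsoft policy module is in use and that it is run elevated on the ADCS host, and the function names are hypothetical.

```powershell
# Added example (not from the original post). Run elevated on the CA host.
# Assumption: the CA uses the default Microsoft policy module.
$REQDISP_MASK         = 0xFF    # low byte holds the base disposition
$REQDISP_ISSUE        = 0x1     # issue unless the template says otherwise
$REQDISP_PENDINGFIRST = 0x100   # flag: hold every request as pending first

function Get-CaRequestDisposition {
    $configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    # "Active" names the CA whose settings live in the subkey of the same name.
    $caName    = (Get-ItemProperty -LiteralPath $configRoot -Name Active).Active
    $policyKey = "$configRoot\$caName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    $value     = (Get-ItemProperty -LiteralPath $policyKey -Name RequestDisposition).RequestDisposition

    [pscustomobject]@{
        CaName       = $caName
        PolicyKey    = $policyKey
        Value        = $value
        Hex          = '0x{0:X}' -f $value
        IssuesByBase = (($value -band $REQDISP_MASK) -eq $REQDISP_ISSUE)
        # True corresponds to "Set the certificate request status to pending".
        PendingFirst = [bool]($value -band $REQDISP_PENDINGFIRST)
    }
}

function Set-CaAutoIssue {
    # Registry equivalent of selecting "Follow settings in the certificate
    # template, if applicable. Otherwise, automatically issue the certificate."
    $state = Get-CaRequestDisposition
    if (-not $state.PendingFirst) { return $state }   # already auto-issuing

    # Clear only the pending-first flag; leave the base disposition untouched.
    $new = $state.Value -band (-bnot $REQDISP_PENDINGFIRST)
    Set-ItemProperty -LiteralPath $state.PolicyKey -Name RequestDisposition `
        -Value $new -Type DWord

    Restart-Service -Name CertSvc   # restart so the change takes effect
    Get-CaRequestDisposition
}

# Read-only audit: show the current setting without changing anything.
Get-CaRequestDisposition | Format-List
```

Calling `Set-CaAutoIssue` applies the change described above; templates that require CA manager approval still leave their requests pending.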
Windows Server 2008 R2, Windows Server 2008