Suppose you try to request a certificate from a Windows CA and receive the error The requested certificate template is not supported by this CA. In my case, the problem occurred when I tried to request a TLS/SSL certificate to secure an RDP connection using my RDSH host template.
When I tried to request the certificate manually in the certmgr console, I got the following error:
Request Certificates: The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
One can try to request a certificate based on a template using PowerShell:
$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"
This ended up with another error:
Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
And this error appears in Event Viewer as:
EventID: 1064 Source: Terminalservices-RemoteConnectionManager The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
The specific reasons for the “The requested certificate template is not supported by this CA” error are:
- The certificate template is not published on the CA host. Check that the certificate template you are requesting (either manually or via GPO) is published on your Certificate Authority. To display all published templates, run the command
certutil -CATemplates
If the template you want isn’t on the list, publish it. To do this, run certsrv.msc on your CA, then go to Certificate Templates > New > Certificate Template to Issue.
Also make sure that you have specified the correct certificate template name in the Group Policy settings;
- Check that your object is allowed to request certificates on the Security tab of the certificate template settings (the template ACL). By default, the Authenticated Users group is allowed to enroll, but this group can be removed from the template manually. Try requesting a certificate for the computer account:
certreq -q -machine -enroll YourTemplateName
If the computer account does not have permission to obtain the certificate, you will receive the following error:
Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.
In this case, be sure to allow the template for the computer (group) that is to receive the certificate;
- Your computer does not trust the CA. If so, you’ll find the corresponding error in the client’s event log:
The CA certificate XXXXX is not trusted
Make sure clients trust your CA. The easiest way to do this is to deploy the CA root certificate to the domain computers using a GPO.
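The following PowerShell script, an added example that is not part of the original post, walks through the three causes above on the failing client. It assumes certutil.exe and certreq.exe are on PATH (they ship with Windows), that it runs elevated, and that the template name and CA root thumbprint are placeholders you replace; the provider name used for the event query is the full ETW name of the TerminalServices-RemoteConnectionManager source quoted above.

```powershell
# Added example (not from the original post): client-side triage for
# "The requested certificate template is not supported by this CA".
param(
    [string]$TemplateName     = "YourTemplateName",        # placeholder
    [string]$CaRootThumbprint = "PLACEHOLDER_THUMBPRINT"   # SHA-1 thumbprint of your CA root cert (placeholder)
)

# 1. Is the template published on an enterprise CA?
#    certutil -CATemplates prints one "<Name>: <DisplayName> -- ..." line per published template.
$catemplates = (certutil -CATemplates 2>&1) -join "`n"
if ($catemplates -match "(?m)^$([regex]::Escape($TemplateName)):") {
    Write-Host "[OK]   '$TemplateName' is published on an enterprise CA."
} else {
    Write-Warning "'$TemplateName' is not published. On the CA: certsrv.msc -> Certificate Templates -> New -> Certificate Template to Issue."
}

# 2. Is the computer account allowed to enroll?
#    certreq exits non-zero when the template ACL denies Enroll to the machine.
$enrollOutput = certreq -q -machine -enroll $TemplateName 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "[OK]   Computer account enrolled for '$TemplateName'."
} else {
    Write-Warning "Enrollment failed (exit $LASTEXITCODE): $($enrollOutput -join ' ')"
    Write-Warning "Check the template's Security tab: the computer (or its group) needs Read and Enroll."
}

# 3. Does this client trust the CA? The root must be in the machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $CaRootThumbprint
if ($root) {
    Write-Host "[OK]   CA root '$($root.Subject)' is trusted."
} else {
    Write-Warning "CA root $CaRootThumbprint is not in Cert:\LocalMachine\Root; deploy it via GPO."
}

# Surface the RDSH symptom from the post (EventID 1064) if this host is an RD Session Host.
$rdEvents = Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'; Id = 1064
} -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $rdEvents) { Write-Warning "$($e.TimeCreated): $($e.Message)" }
```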