Assume that you try to request a certificate from a Windows CA and receive an error stating
The requested certificate template is not supported by this CA, In my case, the problem occurred when I tried to request a TLS/SSL certificate to secure an RDP connection using my RDSH host template.
certmgr Console, I got the following error:
Request Certificates: The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
One can try to request a certificate based on a template using PowerShell:
$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"
Ended up with another error:
Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
And this error appears in Event Viewer as:
EventID: 1064 Source: Terminalservices-RemoteConnectionManager The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
specific reason forThe requested certificate template is not supported by this CA“Errors are:
- certificate template is not published on ca host. Check that the certificate template you are requesting (either manually or via GPO) is published at your Certificate Authority. To display all available templates, run the command
certutil –CATemplates, If the template you want isn’t on the list, just publish it. To do this, run the command
certsrv.mscon your CA, then go to certificate template , new , Certificate Template for Issuance,
Also, make sure that you have specified the correct certificate template name in the Group Policy settings;
- Check that your object can make requests on the certificate Security tab in the ACL Certificate Template Settings. While getting the certificate is allowed authentication user By default, this group can be manually removed from the template. Try requesting a certificate for the computer account:
certreq -q -machine -enroll YourTemplateName
If the computer account does not have permission to obtain the certificate, you will receive the following error:
Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.
In this case, be sure to allow the template for the computer (group) that is to receive the certificate;
- Your Computer does not trust CA, If so, you’ll find the corresponding error in the client’s log (EventID:
The CA certificate XXXXX is not trusted, Make sure clients trust your CA. The easiest way to do this is to deploy the CA root certificate to the domain computer using a GPO.
Leave a Comment