Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows Server 2019 / Fix: The Requested Certificate Template is Not Supported by This CA

January 9, 2023 Active DirectoryWindows 10Windows Server 2016Windows Server 2019

Fix: The Requested Certificate Template is Not Supported by This CA

Let’s say you try to request a certificate from a Windows CA and get an error stating The requested certificate template is not supported by this CA. In my case, the problem occurred when I tried to request a TLS/SSL certificate to secure RDP connections using my RDSH host template.

When I tried to manually request a certificate using a template in the certmgr console, I got the following error:

Request Certificates:
The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

certificate enrollment: The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.

One could try requesting a certificate based on a template using PowerShell:

$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"

Ending up with another error:

Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

And here’s how this error looks in Event Viewer:

EventID: 1064
Source: Terminalservices-RemoteConnectionManager
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.

Windows Server event: The requested certificate template is not supported by this CA

The typical reasons for the “The requested certificate template is not supported by this CA” error are:

  • The certificate template is not published on the CA host. Check if the certificate template you are requesting (either manually or via a GPO) is published on your certificate authority. To display all available templates, run the command certutil –CATemplates . If the template you want is not on the list, just publish it. To do this, run the command certsrv.msc on your CA, then go to Certificate Template -> New -> Certificate template to issue.
    certification authority - publish certificate template
    Also, make sure you specify the correct certificate template name in the Group Policy settings;
  • Check that your object can request the certificate on the Security tab in the ACL certificate template settings. While obtaining a certificate is allowed for Authentication Users by default, this group can be removed from the template manually. Try requesting a certificate for a computer account:certreq -q -machine -enroll YourTemplateName

    If the computer account has no permission to obtain the certificate, you will get the following error:

    Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.

    In this case, be sure to grant permissions to the template for the computer (group) that is supposed to receive the certificate;

    certificate template permissions - allow to enroll and autoenroll

  • Your computer doesn’t trust the CA. If that’s the case, you’ll find the corresponding error in the client’s logs (EventID: The CA certificate XXXXX is not trusted). Make sure the clients trust your CA. The easiest way to do this is to deploy the CA root certificate to the domain computers using a GPO.

0 comment
0
Facebook Twitter Google + Pinterest
previous post
How to Remove Hidden/Ghost Network Adapters in Windows?
next post
MS SQL Server Setup Stucks on Install/Uninstall

Related Reading

Using Previous Command History in PowerShell Console

January 31, 2023

How to Install the PowerShell Active Directory Module...

January 31, 2023

Enable Internet Explorer (IE) Compatibility Mode in Microsoft...

January 27, 2023

Finding Duplicate E-mail (SMTP) Addresses in Exchange

January 27, 2023

How to Disable or Uninstall Internet Explorer (IE)...

January 26, 2023

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Using Previous Command History in PowerShell Console

    January 31, 2023
  • How to Install the PowerShell Active Directory Module and Manage AD?

    January 31, 2023
  • Finding Duplicate E-mail (SMTP) Addresses in Exchange

    January 27, 2023
  • How to Delete Old User Profiles in Windows?

    January 25, 2023
  • How to Install Free VMware Hypervisor (ESXi)?

    January 24, 2023
  • How to Enable TLS 1.2 on Windows?

    January 18, 2023
  • Allow or Prevent Non-Admin Users from Reboot/Shutdown Windows

    January 17, 2023
  • Fix: Can’t Extend Volume in Windows

    January 12, 2023
  • Wi-Fi (Internet) Disconnects After Sleep or Hibernation on Windows 10/11

    January 11, 2023
  • Adding Trusted Root Certificates on Linux

    January 9, 2023

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • How to Find the Source of Account Lockouts in Active Directory?
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • How to Automatically Fill the Computer Description in Active Directory?
  • Converting UserAccountControl Attribute Values in Active Directory
  • Adding Domain Users to the Local Administrators Group in Windows
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top