Let’s say you try to request a certificate from a Windows CA and get an error stating The requested certificate template is not supported by this CA. In my case, the problem occurred when I tried to request a TLS/SSL certificate to secure RDP connections using my RDSH host template.
When I tried to manually request a certificate using a template in the certmgr console, I got the following error:
Request Certificates: The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
One could try requesting a certificate based on a template using PowerShell:
$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"
Ending up with another error:
Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
And here’s how this error looks in Event Viewer:
EventID: 1064 Source: Terminalservices-RemoteConnectionManager The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
The typical reasons for the “The requested certificate template is not supported by this CA” error are:
- The certificate template is not published on the CA host. Check if the certificate template you are requesting (either manually or via a GPO) is published on your certificate authority. To display all available templates, run the command
certutil –CATemplates. If the template you want is not on the list, just publish it. To do this, run the commandcertsrv.mscon your CA, then go to Certificate Template -> New -> Certificate template to issue.
Also, make sure you specify the correct certificate template name in the Group Policy settings; - Check that your object can request the certificate on the Security tab in the ACL certificate template settings. While obtaining a certificate is allowed for Authentication Users by default, this group can be removed from the template manually. Try requesting a certificate for a computer account:
certreq -q -machine -enroll YourTemplateNameIf the computer account has no permission to obtain the certificate, you will get the following error:
Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.
In this case, be sure to grant permissions to the template for the computer (group) that is supposed to receive the certificate;
- Your computer doesn’t trust the CA. If that’s the case, you’ll find the corresponding error in the client’s logs (EventID:
The CA certificate XXXXX is not trusted). Make sure the clients trust your CA. The easiest way to do this is to deploy the CA root certificate to the domain computers using a GPO.