How To Fix The Requested Certificate Template is not Supported by This CA

Jason Barrett | Misc

Today I created a new certificate on our Active Directory certification authority, and when I went to enrol it on the client the new cert showed the error “The Requested Certificate Template is not Supported by This CA, A valid certification (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted”, as shown below.

The Requested Certificate Template is not Supported by This CA

At first this error is quite scary, but don’t worry as it is easily fixed.

Where You Will See The Error

You will see this error when submitting a new certificate request on a client that you are trying to enrol the certificate on.

In MMC.exe, add the Certificates snap-in, then browse to Certificates > Personal > Certificates and choose All Tasks > Request New Certificate.

new certificate request

Click Next, then click Next again. I expected to see my new certificate in the “Request Certificates” window. I then ran “GPUPDATE /FORCE” on the client and all domain controllers and waited an hour, and the certificate still did not show. I then ticked the box “Show all templates”, scrolled down, and there I saw my new certificate with an error next to it (as shown in the first picture in this post).

show all certificate templates

I opened eventvwr and under the Application log I saw an error: Event ID: 53, Message: Active Directory Certificate Services denied the request because the requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

How To Fix The Requested Certificate Template is not Supported by This CA

To fix this error I did the following:

  1. Log on to the Certification Authority where the certificate was created.
  2. Open the Certification Authority application via the Start menu.
  3. Right-click the certificate template folder and select New > Certificate Template to Issue.
    certificate template to issue
  4. On the next screen, select the certificate, then click OK.
    enable certificate templates
  5. Now wait some time (up to an hour) and try to enrol the certificate on the client again.
  6. If the certificate still does not show, run GPUPDATE /FORCE on all the domain controllers and the client.
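
Steps 1 to 4 can also be checked and carried out from an elevated PowerShell session on the CA. This is an added example, not part of the original post: it assumes the ADCSAdministration module that ships with the CA role is available, that the Event ID 53 entry is in the CA's Application log, and `WebServerCustom` is a placeholder for your template's short name.

```powershell
# Added example (not from the original post). Run elevated on the CA server.
# 'WebServerCustom' is a placeholder: pass the template's short name (cn),
# which may differ from the display name shown in the Certificate Templates console.
param(
    [string]$TemplateName = 'WebServerCustom'
)

Import-Module ADCSAdministration -ErrorAction Stop

function Test-TemplatePublished {
    param([string]$Name)
    # Get-CATemplate returns only the templates this CA is configured to issue.
    [bool](Get-CATemplate | Where-Object { $_.Name -eq $Name })
}

# 1. Look for the denial described in the post: Event ID 53 carrying 0x80094800
#    (CERTSRV_E_UNSUPPORTED_CERT_TYPE) in the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 53 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0x80094800' } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 2. Publish the template only if the CA is not already issuing it.
#    Publishing lets every principal with Enroll rights on the template request it,
#    so confirm the template's Security tab lists only the intended groups first.
if (Test-TemplatePublished -Name $TemplateName) {
    Write-Output "'$TemplateName' is already published on this CA."
}
else {
    # Equivalent to New > Certificate Template to Issue in the CA console.
    Add-CATemplate -Name $TemplateName -Force
    if (Test-TemplatePublished -Name $TemplateName) {
        Write-Output "'$TemplateName' is now published. Retry enrolment on the client."
    }
    else {
        Write-Warning "'$TemplateName' was not published. Check the template name and your CA permissions."
    }
}
```

If the template still does not appear on the client afterwards, steps 5 and 6 above (waiting, then GPUPDATE /FORCE) still apply.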