If you see the message The requested certificate template is not supported by this CA when you request a certificate, this post is intended to help you with the applicable fix.
The full message description when this issue occurs reads as follows:
The requested certificate template is not supported by this CA.
A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
What is a CA template?
A certificate template defines the policies and rules that a Certification Authority (CA) uses when a request for a certificate is received. Many built-in templates can be viewed using the Certificate Templates snap-in. To request a certificate from a Microsoft CA, connect to https://<servername>/certsrv, where <servername> is the hostname of the computer running the CA Web Enrollment role service. Click Request a certificate > Advanced certificate request > Create and submit a certificate request to this CA.
On the client machine on which you want to enroll the certificate, the following event will be logged in Event Viewer, under the Application log: Event ID: 53 – Active Directory Certificate Services denied the request because this CA does not support the requested certificate template. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE).
The requested certificate template is not supported by this CA
For one reason or another, you may need to create your own template for requesting certificates from a Windows CA, for example, to encrypt or sign documents. You may get the message The requested certificate template is not supported by this CA when you request a certificate based on the new template for the first time.
You’re likely to encounter this issue when using a custom template because that template does not appear in the Active Directory registration policy. If you try to work around this problem by selecting the Show all templates checkbox, the new template will be displayed, but with a status of Unavailable as shown in the lead-in image above. Accordingly, you will not find the template in the list when you want to issue a certificate based on it.
To resolve this problem, you need to issue the new template via certsrv.msc by following these steps:
- Press the Windows key + R to invoke the Run dialog box.
- In the Run dialog box, type certsrv.msc and hit Enter to open Certification Authority.
Certification Authority (certsrv.msc) is only available on servers where the Active Directory Certificate Services role is installed. It is located in the C:\Windows\System32 directory. You can install the Certification Authority by following the steps outlined at microsoft.com.
- Alternatively, open Server Manager. Expand Roles > Active Directory Certificate Services.
- In the left pane, right-click Certificate Templates.
- Select New > Certificate Template to Issue.
- Now, select the new template from the list that appears.
- Click OK to confirm.
Now wait for about an hour and try to enroll the certificate on the client again. If the certificate still does not show, run gpupdate /FORCE on all the domain controllers and the client.
That’s it! The template should be visible and available when you request the certificate in Certificate Manager (certmgr.msc).
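The publish step above can also be scripted on the CA server. The following is an added example, not part of the original post: it assumes the ADCSAdministration module that is installed with the AD CS role, and the function name and the template name CustomDocSigning are placeholders.

```powershell
# Added example; run in an elevated PowerShell session on the CA server.
# Assumes the ADCSAdministration module installed with the AD CS role.
Import-Module ADCSAdministration

function Publish-CATemplateIfMissing {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Template short name (cn), which can differ from its display name.
        [Parameter(Mandatory)][string]$TemplateName
    )

    # 1. Confirm the template object exists in the AD configuration partition.
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $base     = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter   = '(objectClass=pKICertificateTemplate)'
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.Add('cn')
    # Compare names client-side so the input never reaches the LDAP filter.
    $inAd = $searcher.FindAll() | ForEach-Object { $_.Properties['cn'][0] }
    if ($inAd -notcontains $TemplateName) {
        throw "Template '$TemplateName' does not exist in Active Directory."
    }

    # 2. Is the CA already configured to issue it?
    if ((Get-CATemplate).Name -contains $TemplateName) {
        return 'AlreadyIssued'
    }

    # 3. Equivalent of New > Certificate Template to Issue in certsrv.msc.
    if ($PSCmdlet.ShouldProcess($TemplateName, 'Add to templates issued by this CA')) {
        Add-CATemplate -Name $TemplateName -Force
        return 'Published'
    }
    return 'Skipped'
}

# 'CustomDocSigning' is a placeholder; substitute your template's short name.
Publish-CATemplateIfMissing -TemplateName 'CustomDocSigning' -Verbose
```

Run it with -WhatIf first to see the outcome without changing the CA. Review who holds the Enroll permission on the template before publishing it, because publishing makes the template requestable by every principal with that right.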
How do I change permissions on a certificate template?
To change permissions on a certificate template, do the following:
- Open the Certification Authority on the CA server.
- Right-click the CA name and choose Properties.
- On the Security tab, add the group that contains the administrators.
- In the Permissions section, check the Read box.
- Click OK to save changes.