You cannot request a certificate at this time because no certificate types are available (Windows Server)

When you try to request a certificate from a Windows CA, the following error appears: Затребованный шаблон сертификата этим ЦС не поддерживается / The requested certificate template is not supported by this CA. In my case, the error appeared when I tried to request a TLS/SSL certificate to secure RDP connections, based on a template for RDSH servers.

When you request a template-based certificate manually through the certmgr console, this error appears:

Request Certificates:
The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.


You can try requesting a template-based certificate with PowerShell:

$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"

This returns an error:

Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

In Event Viewer, the error looks like this:

EventID: 1064
Source: Terminalservices-RemoteConnectionManager
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.


The usual causes of the “The requested certificate template is not supported by this CA” error are:

  • The certificate template is not published on the host running the certification authority. Check whether the certificate template you are requesting (manually or through a GPO) is published on your CA. To list all available templates, run the command:
    certutil -CATemplates
    If the template you need is not in the list, publish it. To do this, open the
    certsrv.msc
    console on your CA and select Certificate Templates -> New -> Certificate Template to Issue. Also check that the Group Policy settings specify the correct certificate template name;
  • Check on the Security tab of the certificate template's ACL settings that your object is allowed to request the certificate. By default, obtaining a certificate is allowed for Authenticated Users, but this group may have been removed from the template manually. Try requesting a certificate for the computer account:

    certreq -q -machine -enroll YourTemplateName

    If the computer account has no permission to obtain the certificate, this error appears:

    Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.

    In this case, remember to grant permissions on the template to the computer that is supposed to receive the certificate.

  • Your computer does not trust the certification authority. In this case, the client's logs should contain the error
    EventID: The CA certificate XXXXX is not trusted
    Make sure the clients trust your CA. The easiest way is to distribute the CA root certificate to the domain computers with a GPO.

20.03.2025, 13:21. Views: 482. Replies: 0

Hi everyone!
The problem is this: certificate templates are not displayed when CEP is selected through certlm.msc on a domain-joined computer.

Here is what I did and what I tried:
As an experiment, I first decided to deploy all of this in a virtual environment. The setup:

  • Windows Server 2025 with AD and a CA on board
  • A Windows client joined to the domain

On the server with AD and the CA, I installed the Certificate Enrollment Policy Web Service role and configured it for Windows Authentication (using Kerberos). Following guides on the internet and on the Microsoft site, I finished configuring IIS, changed the UID and the URL, and set a Friendly Name. In ADSI, in pkiEnrollmentService, I specified the link to the CEP: 120https://cep.domain.local/ADPolicyProvider_CEP_Kerberos/service.svc/CEP (the digit 2 in the Microsoft documentation means Kerberos).

After all that, I duplicated the Computer template, allowed domain computers to read it and be issued a certificate, and published the template.

On the domain computer, I set the enrollment policy manually and entered the link to my CEP with integrated Windows authentication; validation succeeded and the policy was added. When I try to request a new certificate and select the added policy, a window appears with the message “Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.”

However, if I select the AD enrollment policy, the published template is displayed.

Has anyone run into this problem, or does anyone understand CEP well enough to suggest what is wrong?



If you encounter the error “The request contains no certificate template information” in Windows, this article provides methods to solve it.

When you try to sign or submit a CSR on Windows using Certificate Authority (CA), it should be finished successfully. But, in some cases, you may get a certificate request processor error. When it appears, you may see the following error message:

The request contains no certificate template information. 0x80094801 (-2146875391) Denied by policy module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute

This problem appears on any Windows edition, especially the Windows Server or Enterprise versions.

What causes no certificate template information error?

If you repeatedly face this problem, it can be because of the following reasons:

  • No embedded certificate template: If the certificate signing request file does not have an embedded template, you will encounter this problem.
  • Improper method: Your method of signing or issuing the certificate may have some problems.
  • No template name is specified: If you don’t specify the template name, you will get this error.

How can I fix the request contains no certificate template information on Windows?

Before going through our recommended methods, we suggest you do the following:

  • Make sure that any security patch update of your Windows server or PC is not pending.
  • Ensure that the CSR file you are trying to sign has no problem.

After ensuring the above things, follow these methods to fix no certificate template information error:

1. Specify the certificate template

  1. Open the Start Menu, and type cmd.
  2. Right-click on the Command Prompt and choose Run as administrator.
  3. Type the following command, replacing the placeholder strings with your own values, and press Enter to execute it: certreq -submit -config "Your_Existing_Config_Name" -attrib "CertificateTemplate:Your_Existing_Template_Name" your_CSR_File.csr

Make sure to replace the parameters. For example, yours may look like the following: certreq -submit -config "MyIssuingCA" -attrib "CertificateTemplate:CA11-SUN-SSL-C3-1" CertRequest.csr

You can also run the command without specifying the CSR file. In this case, a pop-up window will appear and ask you to select the CSR file.

If you want to view the Windows CA template list, you can use the following command:

certutil -CATemplates -Config Machine\CAName
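
The cause listed above as "No embedded certificate template" can also be addressed when the request is created, which goes one step beyond the -attrib fix. This is an added example, not code from the original article; the template name, subject and file names are placeholders.

```powershell
# Added example: build a CSR that already names its template, so the CA's
# policy module has the information whose absence produces 0x80094801.
# Template, subject and file names are placeholders for illustration.
param(
    [string]$Template = 'WebServer',
    [string]$Subject  = 'CN=web01.example.test',
    [string]$OutDir   = $PWD.Path
)
$inf = Join-Path $OutDir 'request.inf'
$csr = Join-Path $OutDir 'request.csr'

# certreq policy file; [RequestAttributes] carries the template name
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
MachineKeySet = TRUE
Exportable = FALSE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and the request (run elevated: MachineKeySet = TRUE)
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }

# Heuristic check of the decoded request: look for template information,
# whether it is shown as a request attribute or as a template extension.
$dump = certutil -dump $csr
if ($dump -match 'Certificate\s?Template') {
    "Template information present in $csr"
} else {
    Write-Warning "No template information found in $csr"
}
```

A request built this way can then be passed to certreq -submit without the -attrib argument.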

2. Try signing with no template information

  1. Open the command prompt as administrator, as shown before.
  2. Type the following command and hit Enter: certreq -submit -attrib CertificateTemplate:Webserver

  3. Now, choose the CSR file when a pop-up window appears and asks you to do it and click on OK.

  4. Save the certificate when it asks to save it.

After saving, you should find the certificate file where you have saved it. Now, you can use it in your own way.

These methods will help you sign a CSR file without hitting the error “The request contains no certificate template information” on a Windows PC or server.

You can also avoid this problem without the command line by specifying the template manually in the Certificate Authority GUI. However, the command-line method described in this article is the best idea, as it will save you time.

If necessary, you also can learn how to solve Windows doesn’t have enough information to verify this certificate.

In this post, you have learned how to solve the request contains no certificate template information error. If you have any better ideas to tackle this problem, feel free to let us know in the comment box.


Hasibul Kabir



Let’s say you try to request a certificate from a Windows CA and get an error stating The requested certificate template is not supported by this CA. In my case, the problem occurred when I tried to request a TLS/SSL certificate to secure RDP connections using my RDSH host template.

When I tried to manually request a certificate using a template in the certmgr console, I got the following error:

Request Certificates:
The requested certificate template is not supported by this CA. A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.


One could try requesting a certificate based on a template using PowerShell:

$Cert = Get-Certificate -Template "YourTemplateName" -CertStoreLocation "cert:\CurrentUser\My"

Ending up with another error:

Get-Certificate : CertEnroll::CX509Enrollment::InitializeFromTemplateName: Template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)

And here’s how this error looks in Event Viewer:

EventID: 1064
Source: Terminalservices-RemoteConnectionManager
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.


The typical reasons for the “The requested certificate template is not supported by this CA” error are:

  • The certificate template is not published on the CA host. Check if the certificate template you are requesting (either manually or via a GPO) is published on your certificate authority. To display all available templates, run the command certutil -CATemplates. If the template you want is not on the list, publish it. To do this, open the certsrv.msc console on your CA, then go to Certificate Templates -> New -> Certificate Template to Issue.

    Also, make sure you specify the correct certificate template name in the Group Policy settings;

  • Check that your object can request the certificate on the Security tab in the ACL certificate template settings. While obtaining a certificate is allowed for Authenticated Users by default, this group can be removed from the template manually. Try requesting a certificate for a computer account:

    certreq -q -machine -enroll YourTemplateName

    If the computer account has no permission to obtain the certificate, you will get the following error:

    Certificate enrollment for Local system could not enroll for a YourTemplateName certificate. A valid certification authority cannot be found to issue this template.

    In this case, be sure to grant permissions to the template for the computer (group) that is supposed to receive the certificate;

  • Your computer doesn’t trust the CA. If that’s the case, you’ll find the corresponding error in the client’s logs (EventID: The CA certificate XXXXX is not trusted). Make sure the clients trust your CA. The easiest way to do this is to deploy the CA root certificate to the domain computers using a GPO.
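
The three causes listed above can be checked read-only from a domain-joined client by querying the PKI containers in the AD configuration partition. This is an added example, not code from the original article; YourTemplateName is the page's placeholder, and the template is looked up by its short name (its CN in AD), not its display name.

```powershell
# Added example: read-only checks for the three causes of 0x80094800.
# Run on a domain-joined client. Pass the template's short name (its CN in AD).
param([string]$TemplateName = 'YourTemplateName')

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
# rightsGuid of the Certificate-Enrollment extended right
$enrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# Cause 1: each CA's pKIEnrollmentService object lists the templates it
# issues in its certificateTemplates attribute.
$searcher = [adsisearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
$publishing = @($searcher.FindAll() |
    Where-Object { $_.Properties['certificatetemplates'] -contains $TemplateName })
if (-not $publishing) { Write-Warning "No CA publishes '$TemplateName'." }

# Cause 2: which principals hold the Enroll right on the template object?
$tmplPath = "LDAP://CN=$TemplateName,CN=Certificate Templates,$pkiBase"
if ([ADSI]::Exists($tmplPath)) {
    $rules = ([ADSI]$tmplPath).ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $enrollers = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band 256) -and           # 256 = ExtendedRight
        ($_.ObjectType -in @($enrollRight, [guid]::Empty))       # Enroll, or all rights
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    "Enroll allowed for: $($enrollers -join ', ')"
} else { Write-Warning "Template object '$TemplateName' not found in AD." }

# Cause 3: does this machine trust each publishing CA's certificate?
foreach ($ca in $publishing) {
    $raw   = [byte[]]$ca.Properties['cacertificate'][0]
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL fetch
    [pscustomobject]@{
        CA           = [string]$ca.Properties['cn'][0]
        Host         = [string]$ca.Properties['dnshostname'][0]
        ChainTrusted = $chain.Build($cert)
        ChainStatus  = ($chain.ChainStatus.Status -join ', ')
    }
}
```

The Enroll list shows the principals named in the ACL; whether a given computer account is covered still depends on its group membership.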

A few days ago I wanted to manually enroll a certificate for a computer of another forest through web enrollment.
However, the certificate didn’t show up among other certificates for web enrollment.


First of all, I verified that my account had at least Read and Enroll permissions.


This is usually where you have to go because basically a computer template has mainly only permissions for computers, and, except if you are a member of Domain Admin or Enterprise Admins, you won’t be able to see and enroll the certificate.

However, I am a domain admin but still not able to see the template appearing in the list for web enrollment.
And moreover, other templates showed up in the list.
Thus I decided to create a copy of one of these templates showing up and apply setting by setting, the same settings as the one not showing up.
And finally, the winner was: the subject name.

Subject name settings

I selected Build from this Active Directory information, and that’s why the template didn’t show up for web enrollment.
As soon as I selected Supply in the request, the certificate appeared in the list.

Please note: if you change a template’s settings, you have to unpublish and then publish it again for the new settings to be applied.

Update

There is another case where the template does not show up: when it is not compatible with the version of the computer requesting it.
