
I have a Subordinate CA running on Windows 2016 Server. It's been issuing certs until recently, but now I only ever get this error when trying to submit a CSR:

```
The request contains no certificate template information.
0x80094901 (-2146875391 CERTSRV_E_NO_CERT_TYPE)
Denied by Policy Module 0x90094801,
The request does not contain a certificate template extension of the CertificateTemplate request attribute
```

Any help appreciated.

EDIT:

When trying suggested: https://www.ntweekly.com/2016/08/12/ca-error-when-requesting-certificate-from-mmc-using-a-scr-file/

Error:

```
C:\Users\Administrator>certreq -submit -attrib "CertificateTemplate: Web Server" C:\Users\Administrator\Desktop\pfsense.txt
Active Directory Enrollment Policy
  {8D5864DC-B4A0-44B3-8065-ECF209FA0A18}
  ldap:
RequestId: 38
RequestId: "38"
Certificate not issued (Denied) Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Web Server.
 The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Certificate Request Processor: The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Web Server.
```

Web Server is a listed Certificate Template under my CA Certificate Templates

Jenny D
dross
  • How did you submit your CSR? – Broco Oct 02 '18 at 07:45
  • @Broco - I have tried different ways. Ultimately trying to get a certificate for my pfsense appliance. So tried the PFSense UI and then the openssl toolkit. I also tried resubmitting CSRs that were previously successful. – dross Oct 02 '18 at 07:49
  • Did you check this out? https://www.ntweekly.com/2016/08/12/ca-error-when-requesting-certificate-from-mmc-using-a-scr-file/ – Broco Oct 02 '18 at 07:50
  • The error clearly says where the problem is: the request contains no certificate template extension. – Crypt32 Oct 02 '18 at 08:00
  • @Broco - Just ran through it (see Edit above) – dross Oct 02 '18 at 08:01
  • @Crypt32 - Correct, I got that far, but how do I embed a certificate template extension in the request? – dross Oct 02 '18 at 08:11
  • It depends on how you created the CSR. – Crypt32 Oct 02 '18 at 08:13
  • BTW, you have the wrong template name in the `certreq -submit` command. The certificate template attribute expects the template's common name (which is `WebServer` for the `Web Server` template), that is, the right syntax is: `certreq -submit -attrib "CertificateTemplate:WebServer"` – Crypt32 Oct 02 '18 at 08:17
  • @Crypt32 - Thanks for pointers. Now working. – dross Oct 02 '18 at 08:24

2 Answers


I worked on this for an hour today and just figured out that "Web Server" was not a valid template and I was supposed to use "WebServer". A-r-r-rg!

sandi
  • Lucky you. I spent hours today. TemplateName and DisplayName aren't the same. Error: 0x80094901. Solution: check the template name in the manager. – Carlos Garcia Oct 17 '22 at 12:32
```
C:\Users\Administrator>certreq -submit -attrib "CertificateTemplate:WebServer" C:\Users\Administrator\Desktop\pfsense.csr
Active Directory Enrollment Policy
  {8D5864DC-B4A0-44B3-8065-ECF209FA0A18}
  ldap:
RequestId: 44
RequestId: "44"
Certificate retrieved(Issued) Issued  The certificate validity period will be shorter than the WebServer Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA.  Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period.
```
Michael Hampton
dross
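
The fix in this thread (the `CertificateTemplate` attribute wants the template's common name, not its display name) can be checked before submitting. The PowerShell below is an added example, not code from any of the posters: it resolves either name to the common name from `certutil -CATemplates` output and passes it to `certreq -submit`. The function names `Resolve-CATemplateName` and `Submit-CsrWithTemplate` are hypothetical, the `CommonName: Display Name -- ...` line layout is an assumption about that command's output, and the sample lines are constructed.

```powershell
# Added example: map a template display name ("Web Server") to the common
# name ("WebServer") that the CertificateTemplate request attribute expects.
function Resolve-CATemplateName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        # Assumed line layout: "CommonName: Display Name -- Auto-Enroll..."
        # Defaults to the templates published on the CA, read via certutil.
        [string[]] $TemplateLines = (certutil -CATemplates)
    )
    foreach ($line in $TemplateLines) {
        # The trailing status line ("CertUtil: ... completed successfully.")
        # has no " -- " separator, so it never matches.
        if ($line -match '^(?<cn>[^:\s]+):\s*(?<display>.+?)\s+--\s') {
            # Accept either form; -eq on strings is case-insensitive.
            if ($Matches.cn -eq $Name -or $Matches.display -eq $Name) {
                return $Matches.cn
            }
        }
    }
    # Failing here avoids a request the policy module would deny.
    throw "Template '$Name' is not published on this CA."
}

# Hypothetical wrapper: resolve the name first, then submit the CSR.
function Submit-CsrWithTemplate {
    param(
        [Parameter(Mandatory)] [string] $CsrPath,
        [Parameter(Mandatory)] [string] $Template
    )
    $cn = Resolve-CATemplateName -Name $Template
    certreq -submit -attrib "CertificateTemplate:$cn" $CsrPath
}

# Constructed sample lines so the lookup can be tried away from the CA.
$sample = @(
    'WebServer: Web Server -- Auto-Enroll: Access is denied.',
    'User: User -- Auto-Enroll: Access is denied.',
    'CertUtil: -CATemplates command completed successfully.'
)
Resolve-CATemplateName -Name 'Web Server' -TemplateLines $sample
Resolve-CATemplateName -Name 'WebServer'  -TemplateLines $sample
```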