In this blog post, we look at the different error messages you may get when you request a certificate from Active Directory Certificate Services (ADCS), including the Certificate types are not available error message.
To request a certificate from ADCS, follow the steps below:
- Log in to any domain-joined Windows computer.
- Press the Windows key + R together to open the Run box.
- Type certlm.msc or certmgr.msc to open the Certificates snap-in in device context or user context. I have opened the snap-in in user context by using certmgr.msc.
- Right-click on Personal > Click on All Tasks > Request New Certificate.
- On the Certificate Enrollment page, click on Next.
- The default selection on the Select Certificate Enrollment Policy page will be Active Directory Enrollment Policy. Click on Next to proceed.
- You may get the error message that Certificate types are not available.
You cannot request a certificate at this time because no certificate types are available. If you need a certificate, please contact your administrator.
Root Cause of Certificate types are not available Error
You may see this error when the root certificate is not installed on the device you are requesting the certificate from. When you deploy a new certificate authority in your Active Directory infrastructure, you must distribute the root certificate across all your client devices. This distribution is necessary to create trust between your client devices and the certificate authority (CA).
Fix Certificate types are not available Issue
To fix this error, we need to install a root certificate on the device first before we can request a certificate from ADCS. You have several methods for distributing the root certificate, including group policies, PowerShell scripts, Microsoft Intune, and more.
Before installing or distributing the root certificate on devices, we need to export it from the Active Directory Certificate Authority server. Let’s check the steps:
- Open certlm.msc (Certificate Manager) on the CA server.
- In the left pane, navigate to the Trusted Root Certification Authorities folder.
- Select the root certificate you want to export.
- Right-click on the selected certificate.
- Choose All Tasks and then Export.
Import the root certificate on the device from which you request certificates from the CA and initiate another certificate request. This time, you will not see the error message Certificate types are not available.
After addressing the issue of the unavailable certificate types, you can access the Request Certificates page without further problems. There could be other errors related to requesting a certificate from ADCS. We address those in the next sections of the blog post.
When you access the Request Certificates page, you will find a list of available certificates for enrollment. To view all available certificate templates from the Certificate Authority, click on the checkbox labeled Show all templates.
However, you may notice that some templates have a status of Unavailable, and a reason will be provided under the Status column explaining why the template is not available for enrollment. This status and the reason will help you fix the issue. Let’s look at those issues and how to fix them.
Error 1: This type of certificate can be issued only to a computer
The error message This type of certificate can be issued only to a computer typically means that you are attempting to request or enroll for a certificate specifically designed for computer accounts, but the request is being made for a user or service account.
For example, let’s say you want to enroll for a computer certificate but request the certificate for a user account. This can happen when you are using the User Certificates snap-in, which is opened using certmgr.msc.
- Press the Windows key + R together to open the Run box.
- Type certmgr.msc to open certificate request snap-in in the user context.
- Right-click on Personal > Click on All Tasks > Request New Certificate.
Click on Show all templates to see all the available templates from CA. As you can see from the screenshot below, you cannot select the Computer certificate template. Its status shows as Unavailable, and the reason is listed below the status: The specified role was not configured for the application. This type of certificate can be issued only to a computer.
To fix this issue, open the Certificates snap-in for your computer account. I normally prefer a shortcut to open the local machine Certificates snap-in using certlm.msc. To open the local machine Certificates snap-in, please follow the steps below:
- Press the Windows key + R together to open the Run box.
- Type certlm.msc to open machine-level Certificate request snap-in.
- When you open the Certificates snap-in for the computer and request the certificate, you can see that the Computer template is now available for Enrollment.
Error 2: This type of Certificate can be issued only to a user
Like Error 1, you could also find a Certificate template status unavailable with an error message, This type of certificate can be issued only to a user. To fix this issue, request the certificate from a Certificate snap-in opened in the user context. To open the User Certificate snap-in, please follow the below steps:
- Press the Windows key + R together to open the Run box.
- Type certmgr.msc to open user-level Certificate request snap-in.
Error 3: You do not have permission to request this type of certificate
The error message You do not have permission to request this type of certificate typically occurs when you’re trying to request a certificate for which your user account or system does not have the necessary permissions.
For example, I tried to request a Web Server certificate for my computer using a Computer Certificates snap-in. As the template was not showing in the list, I clicked on the Show all templates checkbox to reveal all Certificate templates. I scrolled down in the list to find the Web Server Certificate template.
However, the Web Server template Status was showing Unavailable with the error The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate.
To fix this issue, we need to allow the Enroll permission on the Web Server template for this computer on the CA, so that this computer can enroll and create the certificate. Let’s check the steps:
- Log in to the Certificate Authority Server with administrator rights.
- Press the Windows key + R together to open the Run box.
- Type certsrv.msc and press Enter to open the Certificate Authority Console.
- Right-click on the Certificate Templates folder and click on Manage.
- Find the Web Server certificate template and right-click on it. Select Properties.
- Click on Add to add the computer account that is requesting the Web Server certificate. Select the computer account and check the Allow permission for Enroll.
- Go back to the computer and request a Web Server certificate this time. The Web Server certificate template is now available to select from the TP-DC1 server.
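To confirm that the permission change above took effect, and to see who else can enroll, the template's access control list can be read from Active Directory. The following is an added example, not part of the original post; it assumes the Web Server template's common name is `WebServer` and that it is run on a domain-joined machine by an account that can read the Configuration partition.

```powershell
# Added example: list principals that hold the Enroll right on a certificate template.
# Assumption: the Web Server template's common name in AD is 'WebServer'.
$TemplateCn = 'WebServer'

# Certificate-Enrollment extended right. An ACE with an empty ObjectType GUID
# covers all extended rights (this is also how Full Control appears).
$EnrollGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AllRights  = [guid]::Empty

# Templates live in the Configuration partition of the forest.
$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$dn   = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$path = "LDAP://$dn"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Certificate template not found: $dn"
}
$template = [ADSI]$path

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only ACEs that grant or deny Enroll, directly or through all extended rights.
$template.psbase.ObjectSecurity.Access |
    Where-Object {
        ($_.ActiveDirectoryRights -band $extendedRight) -and
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq $AllRights)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited, ActiveDirectoryRights |
    Format-Table -AutoSize
```

The computer account added in the steps above should appear with an Allow entry. Broad groups in this list mean that every member of those groups can request this template.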
Error 4: A valid certification authority (CA) cannot be located or the CA is not trusted
Another error you may see relates to the Certificate Authority: it appears when a client requesting a certificate cannot locate the CA, or when the CA is not trusted.
The exact error message is “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”
To fix this issue, you will need to make sure that the Root certificate of Certificate Authority is installed in the Trusted Root Certification Authorities Folder on the client who is requesting a certificate. Once it’s installed, try to request the certificate again. This time, you will not see this error.
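Both this fix and the earlier fix for Certificate types are not available come down to getting the CA root certificate into the client's Trusted Root Certification Authorities store. The following is an added example, not part of the original post, of doing that import with PowerShell while checking the file first; the file path and the expected thumbprint are placeholders that you must replace with values confirmed with your CA administrator.

```powershell
# Added example: verify an exported root certificate before trusting it, then import it.
# Run from an elevated PowerShell session (LocalMachine\Root requires administrator rights).
$RootCerPath        = 'C:\Temp\RootCA.cer'                    # assumed path of the exported file
$ExpectedThumbprint = '<THUMBPRINT-CONFIRMED-WITH-CA-ADMIN>'  # placeholder, obtain out of band

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath

# 1. Do not trust a file whose thumbprint differs from the one confirmed out of band.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# 2. A root CA certificate is self-signed, so subject and issuer are identical.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate (issuer is '$($cert.Issuer)'); do not place it in the Root store"
}

# 3. An expired or not-yet-valid root will still break chain building.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Import only when the certificate is not already in the machine's trusted root store.
$store   = 'Cert:\LocalMachine\Root'
$present = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if ($present) {
    Write-Output "Root certificate already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation $store | Out-Null
    Write-Output "Imported root certificate: $($cert.Subject)"
}

# 5. Confirm the result by reading the store back.
Get-ChildItem -Path $store |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```

Adding a certificate to the Trusted Root store makes the machine trust everything that CA issues, which is why the thumbprint check comes before the import.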
Conclusion
In this blog post, we’ve discussed various error messages that can occur when requesting a certificate from a local Active Directory Certificate Authority (CA) and how to resolve each error.
It’s important to ensure that the root certificate is installed on all client computers to establish trust between clients and the CA and ensure the completeness of the certificate chain. We hope this article helps resolve many issues you may encounter when requesting certificates.