How to fix Certificate types are not available error

A digital certificate is issued by a Certification Authority (CA) that is deployed and managed within the organization’s local Active Directory infrastructure. You can also have public certificates, which are issued by external CAs and are commonly used to secure websites.

In this blog post, we will discuss the different error messages that you may get when you request a certificate from a local certificate authority (Active Directory Certificate Services).

There are also other errors that are related to certificate types. You may get any of these error messages, and each has a different solution.

To request a certificate from a certificate authority, follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certlm.msc to open the local machine-level Certificates snap-in.
  • Type certmgr.msc to open the user-level Certificates snap-in.
  • Right-click on Personal > Click on All Tasks > Request New Certificate.
  • On the Certificate Enrollment page, click on Next.
  • On the Select Certificate Enrollment Policy page, the default selection will be Active Directory Enrollment Policy. Click on Next to proceed.

You may get the message “Certificate types are not available”: “You cannot request a certificate at this time because no certificate types are available. If you need a certificate, please contact your administrator.”

What’s the cause of this Issue?

The issue described could occur when a root certificate is not installed on the device from which you’re requesting a certificate. When you deploy a new certificate authority in your Active Directory infrastructure, it’s essential to distribute the root certificate across all your client devices. This distribution is necessary to establish trust between your client devices and the certificate authority (CA).

How to fix this Issue?

You have several methods for distributing the root certificate, including using group policies, PowerShell scripts, Microsoft Intune, and more.

You can export the root certificate from your Certificate Authority by following these steps:

  1. Open “certlm.msc” (Certificate Manager) on the CA server.
  2. In the left pane, navigate to the “Trusted Root Certification Authorities” folder.
  3. Select the root certificate you want to export.
  4. Right-click on the selected certificate.
  5. Choose “All Tasks” and then “Export”.

Import the root certificate on the device from which you are requesting certificates from the CA, and then initiate another certificate request. This time you will not see the error message “Certificate types are not available”.

After addressing the “Certificate types are not available” issue, you will be able to access the “Request Certificates” page without further problems. However, if you encounter other errors or issues related to certificate requests, those can be addressed in subsequent sections or troubleshooting steps.

When you access the “Request Certificates” page, you will find a list of available certificates for enrollment. If you want to view all available certificate templates from the Certificate Authority, you can click on the checkbox labeled “Show all templates.”

However, you may notice that some templates have a status of “Unavailable” and there will be a reason provided under the “Status” column explaining why the template is not available for enrollment. This status and the reason will help you understand why certain certificate templates are currently unavailable for use.

Let’s check the different Status messages and see their solutions:

Error 1: This type of certificate can be issued only to a computer

The error message “This type of certificate can be issued only to a computer” typically indicates that you are attempting to request or enroll for a certificate that is specifically designed for computer accounts, but the request is being made for a user or service account.

For example, let’s say you want to enroll for a computer certificate but you are requesting the certificate for a user account. This can happen when you are using the User Certificates snap-in, which is opened using certmgr.msc.

  • Press the Windows key + R together to open the Run box.
  • Type certmgr.msc to open the user-level Certificates snap-in.
  • Right-click on Personal > Click on All Tasks > Request New Certificate.

Click on “Show all templates” to see all the available templates from the CA. You cannot select the “Computer” certificate template. Its status shows as Unavailable and the reason is listed below the status: “The specified role was not configured for the application. This type of certificate can be issued only to a computer.”

To fix this issue, you need to open the Certificates snap-in for your computer account. I normally prefer to use a shortcut to open the local machine Certificates snap-in, certlm.msc. To open the local machine Certificates snap-in, follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certlm.msc to open the machine-level Certificates snap-in.

When you open the Certificates snap-in for the computer and request the certificate, you can see that the Computer template is now available for Enrollment.

Error 2: This type of certificate can be issued only to a user

Similar to Error 1, you could also find a certificate template with the status Unavailable and the error message “This type of certificate can be issued only to a user”. To fix this issue, you need to request the certificate from a user account instead of a computer account. To open the User Certificates snap-in, follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certmgr.msc to open the user-level Certificates snap-in.

Error 3: You do not have permission to request this type of certificate

The error message “You do not have permission to request this type of certificate” typically occurs when you’re trying to request a certificate that your user account or system does not have the necessary permissions for.

For example, I tried to request a Web Server certificate for my computer using the Computer Certificates snap-in. As the template was not showing in the list, I clicked on the “Show all templates” checkbox to reveal all certificate templates. I scrolled down in the list to find the Web Server certificate template.

However, the Web Server template status was Unavailable with the error “The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate.”

To fix this issue, we need to grant this computer Enroll permission on the Web Server template on the CA, so that this computer can enroll and create the certificate. Let’s check the steps:

  • Log in to the Certificate Authority server with administrator rights.
  • Press the Windows key + R together to open the Run box.
  • Type certsrv.msc and press Enter to open the Certificate Authority console.
  • Right-click on the Certificate Templates folder and click on Manage.
  • Find the Web Server certificate template and right-click on it. Select Properties.
  • Click on Add to add the computer account which will be requesting the Web Server certificate. Select the computer account and provide Enroll permission.
  • Go back to the computer and request the Web Server certificate again. You can see that the Web Server certificate template is now available to select from the TP-DC1 server.
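
To confirm the permission change from the steps above, the template's access control list can be read straight from Active Directory. The PowerShell below is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the Web Server template has its usual CN of WebServer. The Broad column marks grants to large groups, as opposed to the single computer account the steps add.

```powershell
# Added example: read-only listing of who may enroll for a certificate template.
# Assumptions: RSAT ActiveDirectory module is installed; 'WebServer' is the CN the
# built-in "Web Server" template normally has (confirm it in your forest).
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$TemplateCn    = 'WebServer'
$EnrollGuid    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment right
$ExtendedRight = 0x100                                         # ActiveDirectoryRights.ExtendedRight
# Groups that cover far more than one server (English names; adjust if localized).
$BroadNames    = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone'

# Templates live in the forest-wide Configuration partition.
$configNc = (Get-ADRootDSE).configurationNamingContext
$dn = "CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

(Get-Acl -Path "AD:\$dn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
        # An empty ObjectType means "all extended rights", which includes Enroll.
        ($_.ObjectType -eq $EnrollGuid -or $_.ObjectType -eq [guid]::Empty)
    } |
    ForEach-Object {
        $name = $_.IdentityReference.Value
        [pscustomobject]@{
            Principal = $name
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
            # Compare only the account part, so DOMAIN\Domain Users and Everyone both match.
            Broad     = $BroadNames -contains $name.Split('\')[-1]
        }
    } |
    Sort-Object Principal |
    Format-Table -AutoSize
```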

Error 4: A valid certification authority (CA) cannot be located or the CA is not trusted

Another type of error you may see is related to the Certificate Authority itself. It occurs when the client requesting a certificate cannot locate the CA, or when the CA is not trusted.

The exact error message is “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”

To fix this issue, make sure that the root certificate of the Certificate Authority is installed in the Trusted Root Certification Authorities folder on the client that is requesting a certificate. Once it’s installed, try to request the certificate again. This time you will not see this error.
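
The root certificate import used for this fix, and for the “Certificate types are not available” fix earlier in the post, can also be scripted. The PowerShell below is an added example, not part of the original post; the file path and expected thumbprint are placeholders, and the thumbprint should be read from the certificate on the CA server itself so that the exported file is checked before it becomes a machine-wide trust anchor.

```powershell
# Added example: check an exported root CA certificate, then trust it machine-wide.
# Run elevated on the client. Both parameter defaults are placeholders (assumptions).
param(
    [string]$CerPath            = 'C:\Temp\RootCA.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-CA-SERVER>'
)
$ErrorActionPreference = 'Stop'

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

# 1. The file must be the certificate you exported, not a swapped or damaged copy.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A root is self-issued (Subject equals Issuer) and marked as a CA.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a root certificate: issued by $($cert.Issuer)"
}
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic Constraints does not mark this certificate as a CA'
}

# 3. It must be inside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

# 4. Import into Trusted Root Certification Authorities only if it is not there yet.
$storePath = 'Cert:\LocalMachine\Root'
if (Test-Path -Path (Join-Path $storePath $cert.Thumbprint)) {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $CerPath -CertStoreLocation $storePath | Out-Null
    Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)] into $storePath"
}
```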

Conclusion

In this blog post, we’ve discussed various error messages that can occur when requesting a certificate from a local Active Directory Certificate Authority (CA) and how to resolve each of these errors. It’s crucial to ensure that you have the root certificate installed on all client computers to establish trust between clients and the CA, ensuring the completeness of the certificate chain. We hope this article helps resolve many of the issues you may encounter when requesting certificates.
