A digital certificate is issued by a Certification Authority (CA) that is deployed and managed within an organization's local Active Directory infrastructure. You can also have public certificates, which are issued by external CAs and are commonly used to secure websites.
In this blog post we will discuss the different error messages you may get when requesting a certificate from a local certificate authority (Active Directory Certificate Services).
"Certificate types are not available" is one of these errors, but there are other errors related to certificate templates. You may get any of these messages, and each has a different solution.
To request a certificate from the certificate authority, follow the steps below:
- Press Windows key + R together to open the Run box.
- Type certlm.msc to open the local machine level Certificate snap-in.
- Type certmgr.msc to open the user level Certificate snap-in.
- Right-click Personal > All Tasks > Request New Certificate...
- On the Certificate Enrollment page, click Next.
- On the Select Certificate Enrollment Policy page, the default selection will be Active Directory Enrollment Policy. Click Next to proceed.
You may get the message "Certificate types are not available": "You cannot request a certificate at this time because no certificate types are available. If you need a certificate, please contact your administrator".
This issue can occur if the root certificate of the CA is not installed on the device from which you are requesting a certificate. When you deploy a new certificate authority in your Active Directory infrastructure, the root certificate must be distributed to all client devices to establish trust between the clients and the CA.
You can distribute the root certificate by different methods, for example Group Policy, a PowerShell script, Microsoft Intune, etc. Whichever way you use, the root certificate must exist on the client computers in your AD organization for them to be able to request a certificate.
You can export the root certificate from your Certificate Authority by opening certlm.msc and going to the Trusted Root Certification Authorities folder. Select the root certificate > right-click it > All Tasks > Export.
Import the root certificate on the device from which you are requesting certificates from the CA, and then initiate another certificate request. This time you will not see the error message "Certificate types are not available".
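The export and import steps above can also be scripted, which is how you would distribute the root certificate to many clients. This is an added example, not code from the original post; it assumes the CA's root certificate is in the Trusted Root store on the CA server and that its subject contains the placeholder name "Contoso Root CA".

```powershell
# Added example (not from the original post). The CA name and file path are
# placeholders; replace them with your own values.
$caName   = 'Contoso Root CA'
$certFile = 'C:\Temp\RootCA.cer'

# --- On the CA server: export the root certificate (public part only, DER) ---
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$caName*" }
if (-not $root) { throw "No root certificate matching '$caName' found" }
if (@($root).Count -gt 1) {
    # If the CA was renewed, several copies may exist; take the newest one.
    $root = $root | Sort-Object NotAfter -Descending | Select-Object -First 1
}
Export-Certificate -Cert $root -FilePath $certFile -Type CERT | Out-Null
Write-Host "Exported $($root.Subject) (thumbprint $($root.Thumbprint))"

# --- On the client (elevated session): import into Trusted Root ---
$imported = Import-Certificate -FilePath $certFile `
    -CertStoreLocation Cert:\LocalMachine\Root

# Verify the trust anchor is really present before retrying the enrollment.
$check = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint }
if ($check) {
    Write-Host "Root CA trusted on this client: $($check.Subject)"
} else {
    Write-Warning 'Root CA is still missing from Trusted Root Certification Authorities'
}
```

The thumbprint printed on the CA side should match what the client reports; comparing thumbprints rather than subject names protects against importing a look-alike certificate.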
There can be other errors related to requesting certificates, which we will look into in the next sections. After you fix the "Certificate types are not available" issue, you will be able to see the Request Certificates page.
On the Request Certificates page, you will see the certificates available for enrollment. Click the Show all templates checkbox to show all other templates from the certificate authority. You will notice that some templates have the status Unavailable, with a reason given under Status that shows why the template is not available for enrollment.
Let's check the different Status messages and see their solutions:
Error 1: This type of certificate can be issued only to a computer
The error message "This type of certificate can be issued only to a computer" typically indicates that you are attempting to request or enroll for a certificate template that is designed for computer accounts, but the request is being made for a user or service account.
For example, let's say you want to enroll a computer certificate but you are requesting the certificate for a user account. This happens when you are using the User Certificate snap-in, which is opened using certmgr.msc.
- Press Windows key + R together to open Run box.
- Type certmgr.msc to open User level Certificate request snap-in.
- Right-click Personal > All Tasks > Request New Certificate...
Click "Show all templates" to see all the available templates from the CA. As you can see in the screenshot below, you cannot select the "Computer" certificate template. Its status shows Unavailable and the reason is listed below the status: "The specified role was not configured for the application. This type of certificate can be issued only to a computer."
To fix this issue, you need to open the Certificate snap-in for the computer account. I normally prefer to use a shortcut to open the local machine Certificate snap-in, certlm.msc. To open the local machine Certificate snap-in, follow the steps below:
- Press Windows key + R together to open the Run box.
- Type certlm.msc to open the machine level Certificate snap-in.
When you open the Certificates snap-in for the computer and request a certificate, you can see that the Computer template is now available for enrollment.
Error 2: This type of certificate can be issued only to a user
Similar to Error 1, you may also find a certificate template with status Unavailable and the error message "This type of certificate can be issued only to a user". To fix this issue, you need to request the certificate from a user account instead of the computer account. To open the User Certificate snap-in, follow the steps below:
- Press Windows key + R together to open the Run box.
- Type certmgr.msc to open the user level Certificate snap-in.
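The same computer-versus-user distinction applies when enrolling from PowerShell: the certificate store you target decides which identity the CA sees. This is an added example, not code from the original post; it assumes the PKI module's Get-Certificate cmdlet (Windows 8 / Server 2012 and later) and the default AD CS template names "Machine" (display name "Computer") and "User".

```powershell
# Added example (not from the original post). Requesting into LocalMachine\My
# requires an elevated session, just like certlm.msc does.
function Request-TemplateCertificate {
    param(
        [Parameter(Mandatory)][string]$Template,              # template name, not display name
        [ValidateSet('Computer', 'User')][string]$Context = 'Computer'
    )
    # LocalMachine\My enrolls as the computer account (certlm.msc);
    # CurrentUser\My enrolls as the logged-on user (certmgr.msc).
    # Requesting a computer-only template from the user context is exactly
    # the situation that produces Error 1 above.
    $store = if ($Context -eq 'Computer') { 'Cert:\LocalMachine\My' } else { 'Cert:\CurrentUser\My' }
    try {
        $result = Get-Certificate -Template $Template -CertStoreLocation $store -ErrorAction Stop
        [pscustomobject]@{
            Template   = $Template
            Context    = $Context
            Status     = $result.Status        # Issued, or Pending if the template needs CA manager approval
            Thumbprint = $result.Certificate.Thumbprint
            Error      = $null
        }
    } catch {
        # Typical causes: template not offered to this identity (Errors 1 and 2),
        # missing Enroll permission (Error 3), or no trusted CA found (Error 4).
        [pscustomobject]@{
            Template   = $Template
            Context    = $Context
            Status     = 'Failed'
            Thumbprint = $null
            Error      = $_.Exception.Message
        }
    }
}

# Computer-only template requested as the computer: expected to be issued.
Request-TemplateCertificate -Template 'Machine' -Context 'Computer'
# Same template requested as the user: fails, the template is for computers only.
Request-TemplateCertificate -Template 'Machine' -Context 'User'
```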
Error 3: You do not have permission to request this type of certificate
The error message "You do not have permission to request this type of certificate" typically occurs when you are trying to request a certificate for which your user account or computer account does not have the necessary permissions.
For example: I tried to request a Web Server certificate for my computer using the Computer Certificates snap-in. As the template was not showing in the list, I clicked the "Show all templates" checkbox to reveal all certificate templates. I scrolled down the list to find the Web Server certificate template.
However, the Web Server template status was Unavailable with the error "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate."
To fix this issue, we need to grant the Enroll permission on the Web Server template to this computer on the CA, so that this computer can enroll and obtain the certificate. Let's check the steps:
- Log in to the Certificate Authority server with administrator rights.
- Press Windows key + R together to open the Run box.
- Type certsrv.msc and press Enter to open the Certification Authority console.
- Right-click the Certificate Templates folder and click Manage.
- Find the Web Server certificate template, right-click it and select Properties.
- Click Add to add the computer account that will be requesting the Web Server certificate. Select the computer account and grant it the Enroll permission.
- Go back to the computer and request the Web Server certificate again. You can see that the Web Server certificate template is now available to select on the TP-DC1 server.
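Before and after changing template permissions it is worth checking exactly which principals can enroll, because the Web Server template issues certificates with arbitrary subject names and should be limited to the intended computer accounts. This is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition, where templates are stored as objects named by template name (the "Web Server" template's object is "WebServer").

```powershell
# Added example (not from the original post). Lists every identity allowed to
# enroll on a template, either through the Certificate-Enrollment extended
# right or through broader rights that imply it.
Import-Module ActiveDirectory

$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Get-TemplateEnrollPrincipals {
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl = Get-Acl -Path "AD:\$dn"
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $how = $null
        if (($ace.ActiveDirectoryRights -band $extendedRight) -and $ace.ObjectType -eq $EnrollRight) {
            $how = 'Enroll'                       # explicit Enroll permission (what the GUI sets)
        } elseif (($ace.ActiveDirectoryRights -band $extendedRight) -and $ace.ObjectType -eq [guid]::Empty) {
            $how = 'All extended rights'          # ACE grants every extended right, Enroll included
        } elseif (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll) {
            $how = 'GenericAll'                   # full control implies Enroll
        }
        if ($how) {
            [pscustomobject]@{
                Template  = $TemplateName
                Principal = $ace.IdentityReference.Value
                GrantedBy = $how
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-TemplateEnrollPrincipals -TemplateName 'WebServer' | Format-Table -AutoSize
```

After the fix in the steps above, the computer account (or a group containing it) should appear with GrantedBy = Enroll; anything else listed, such as broad groups with GenericAll, is worth reviewing.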
Error 4: A valid certification authority (CA) cannot be located or CA is not trusted
Another type of error you may see is related to the Certificate Authority itself: the client requesting the certificate cannot locate the CA, or the CA is not trusted.
The exact error message is "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."
To fix this issue, make sure that the root certificate of the Certificate Authority is installed in the Trusted Root Certification Authorities folder on the client which is requesting the certificate. Once it is installed, try to request the certificate again. This time you will not see this error.
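To confirm on the client that the chain really terminates in a trusted root (rather than guessing from the enrollment error), you can build the chain with the same trust provider Windows uses. This is an added example, not code from the original post; it assumes the CA's certificate (or any certificate it issued) has been saved to the placeholder path C:\Temp\ca.cer.

```powershell
# Added example (not from the original post). Builds the certificate chain
# against the machine's stores and reports why it is (or is not) trusted.
function Test-ChainTrust {
    param([Parameter(Mandatory)][string]$CertPath)

    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # We only want the trust-anchor verdict here, so do not let an unreachable
    # CRL/OCSP endpoint mask the real problem.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $trusted  = $chain.Build($cert)
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $last     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject       = $cert.Subject
        ChainLength   = $chain.ChainElements.Count
        TopOfChain    = $last.Subject
        Trusted       = $trusted
        # UntrustedRoot is the condition behind Error 4: the chain was built,
        # but its root is not in Trusted Root Certification Authorities.
        UntrustedRoot = ($statuses -contains 'UntrustedRoot')
        # PartialChain means an intermediate or the root could not be found at all.
        PartialChain  = ($statuses -contains 'PartialChain')
        StatusFlags   = ($statuses -join ', ')
    }
}

Test-ChainTrust -CertPath 'C:\Temp\ca.cer' | Format-List
```

Run it before and after importing the root certificate: Trusted should change from False (with UntrustedRoot) to True, and TopOfChain should name your root CA.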
Conclusion
In this blog post, we have seen the different error messages you may get while requesting a certificate from a local Active Directory Certificate Authority (CA), and how to fix each of them. Make sure that the root certificate is installed on all client computers; otherwise the trust between the client and the CA cannot be established and the certificate chain will not be complete. I hope this article resolves many of your issues related to requesting a certificate.