How to Fix the “Certificate types are not available” Error

A digital certificate is issued by a Certification Authority (CA). An internal CA is deployed and managed within the organization’s local Active Directory infrastructure. You can also have public certificates, commonly used to secure websites, issued by external CAs.

In this blog post, we will discuss the different error messages you may get when you request a certificate from a local certificate authority (Active Directory Certificate Services).

Some of these errors are related to certificate types. You may get any of the error messages below, and each has a different solution.

To request a certificate from a certificate authority, follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certlm.msc to open the Certificates snap-in for the local machine.
  • Alternatively, type certmgr.msc to open the Certificates snap-in in the user context.
  • Right-click on Personal > Click on All Tasks > Request New Certificate.
  • On the Certificate Enrollment page, click on Next.
  • The default selection on the Select Certificate Enrollment Policy page will be Active Directory Enrollment Policy. Click on Next to proceed.

You may get the message that Certificate types are not available.

You cannot request a certificate at this time because no certificate types are available. If you need a certificate, please contact your administrator.

Reason for Certificate types are not available Error

The issue described could occur when a root certificate is not installed on the device from which you’re requesting a certificate. When you deploy a new certificate authority in your Active Directory infrastructure, you must distribute the root certificate across all your client devices. This distribution is necessary to establish trust between your client devices and the certificate authority (CA).

Fix Certificate types are not available Issue

You have several methods for distributing the root certificate, including group policies, PowerShell scripts, Microsoft Intune, and more.

You can export the root certificate from your Certificate Authority by following these steps:

  1. Open certlm.msc (Certificate Manager) on the CA server.
  2. In the left pane, navigate to the Trusted Root Certification Authorities folder.
  3. Select the root certificate you want to export.
  4. Right-click on the selected certificate.
  5. Choose All Tasks and then Export.

Import the root certificate on the device from which you request certificates from the CA, then initiate another certificate request. This time, you will not see the error message Certificate types are not available.

After addressing the issue of the unavailable certificate types, you can access the Request Certificates page without further problems. However, if you encounter other errors or issues related to certificate requests, those can be addressed in subsequent sections or troubleshooting steps.

When you access the Request Certificates page, you will find a list of available certificates for enrollment. To view all available certificate templates from the Certificate Authority, click on the checkbox labeled Show all templates.

However, you may notice that some templates have a status of Unavailable, and a reason will be provided under the Status column explaining why the template is not available for enrollment. This status and the reason will help you understand why certain certificate templates are unavailable.

Let’s check the different Status messages and see their solutions:

Error 1: This type of certificate can be issued only to a computer

The error message This type of certificate can be issued only to a computer typically indicates that you are attempting to enroll for a certificate designed specifically for computer accounts, but the request is being made for a user or service account.

For example, let’s say you want to enroll for a computer certificate but request it for a user account. This can happen when you are using the user Certificates snap-in, which is opened with certmgr.msc.

  • Press the Windows key + R together to open the Run box.
  • Type certmgr.msc to open the Certificates snap-in in the user context.
  • Right-click on Personal > Click on All Tasks > Request New Certificate.

Click on Show all templates to see all the available templates from the CA. You cannot select the Computer certificate template: its status shows as Unavailable, and the reason is listed below the status: The specified role was not configured for the application. This type of certificate can be issued only to a computer.

To fix this issue, open the Certificates snap-in for your computer account. I normally prefer a shortcut to open the local machine Certificates snap-in using certlm.msc. To open the local machine Certificates snap-in, please follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certlm.msc to open machine-level Certificate request snap-in.
  • When you open the Certificates snap-in for the computer and request the certificate, you can see that the Computer template is now available for Enrollment.

Error 2: This type of certificate can be issued only to a user

Like Error 1, you could also find a certificate template with the status Unavailable and the error message This type of certificate can be issued only to a user. To fix this issue, request the certificate from a Certificates snap-in opened in the user context. To open the user Certificates snap-in, please follow the steps below:

  • Press the Windows key + R together to open the Run box.
  • Type certmgr.msc to open the user-level Certificates snap-in.

Error 3: You do not have permission to request this type of certificate

The error message You do not have permission to request this type of certificate typically occurs when you’re trying to request a certificate for which your user account or system does not have the necessary permissions.

For example, I tried to request a Web Server certificate for my computer using a Computer Certificates snap-in. As the template was not showing in the list, I clicked on the Show all templates checkbox to reveal all Certificate templates. I scrolled down in the list to find the Web Server Certificate template.

However, the Web Server template Status was Unavailable with the error The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate.

To fix this issue, we need to allow the Enroll permission on the Web Server template for this computer on the CA, so that this computer can enroll and create the certificate. Let’s check the steps:

  • Log in to the Certificate Authority Server with administrator rights.
  • Press the Windows key + R together to open the Run box.
  • Type certsrv.msc and press Enter to open the Certificate Authority Console.
  • Right-click on the Certificate Templates folder and click on Manage.
  • Find the Web Server certificate template and right-click on it. Select Properties.
  • Click on Add to add the computer account that is requesting the Web Server certificate. Select the computer account and check Allow for the Enroll permission.
  • Go back to the computer and request a Web Server certificate this time. The Web Server certificate template is now available to select from the TP-DC1 server.
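
To confirm the change, and to review who else can enroll for the template, the template's access control list can be read from Active Directory. This is an added PowerShell example, not part of the original post; the function name Get-TemplateEnrollmentAccess is hypothetical, and it assumes a domain-joined machine and the built-in Web Server template, whose directory name is WebServer.

```powershell
# Added example (not from the original post). Run on a domain-joined machine.
# 'WebServer' is the directory name (CN) of the built-in Web Server template.
function Get-TemplateEnrollmentAccess {
    param([string] $TemplateCN = 'WebServer')

    # Extended-right GUIDs defined in the Active Directory schema.
    $rights = @{
        '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
        'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
        '00000000-0000-0000-0000-000000000000' = 'All extended rights (includes Enroll)'
    }

    # Templates are stored in the forest-wide Configuration partition.
    $configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateCN,CN=Certificate Templates," +
            "CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template '$TemplateCN' not found at $path"
    }

    $acl  = ([ADSI]$path).psbase.ObjectSecurity
    $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $aces) {
        # Enroll is an extended right; Full Control ACEs carry the same flag
        # with an empty object type, so they are reported as well.
        $extended = $ace.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $right = $rights[$ace.ObjectType.ToString()]
        if ($extended -and $right) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Access    = $ace.AccessControlType    # Allow or Deny
                Right     = $right
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-TemplateEnrollmentAccess -TemplateCN 'WebServer' |
    Sort-Object Right, Principal | Format-Table -AutoSize
```

The computer account, or a group it belongs to, should appear with Allow and Enroll; any other principal listed with Enroll can also request certificates from this template.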

Error 4: A valid certification authority (CA) cannot be located or the CA is not trusted

Another error you may see relates to the certificate authority: the client requesting a certificate cannot locate the CA, or the CA is not trusted.

The exact error message is “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. A valid certificate authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”

To fix this issue, make sure that the root certificate of the certificate authority is installed in the Trusted Root Certification Authorities folder on the client that is requesting a certificate. Once it’s installed, try to request the certificate again. This time, you will not see this error.
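
The root certificate import that fixes both this error and the Certificate types are not available error, as an added PowerShell example that is not part of the original post. It checks the exported file against a thumbprint read from the CA server before adding it to the machine's trusted roots; the function name, file path and thumbprint are placeholders.

```powershell
# Added example (not from the original post). Run elevated on the client.
# $CerPath and $ExpectedThumbprint are placeholders supplied by the administrator.
function Install-VerifiedRootCertificate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $file = (Resolve-Path -LiteralPath $CerPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # Normalise a thumbprint copied from the certificate dialog (spaces, case).
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }
    # A root certificate is self-signed: subject and issuer are identical.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a root certificate: issuer is '$($cert.Issuer)'."
    }
    # Only the public certificate is distributed; the CA key never leaves the CA.
    if ($cert.HasPrivateKey) {
        throw 'File contains a private key; export the root without its key.'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    $store  = 'Cert:\LocalMachine\Root'
    $target = Join-Path $store $cert.Thumbprint
    if (Test-Path -LiteralPath $target) {
        Write-Verbose 'Root certificate is already trusted on this machine.'
        return Get-Item -LiteralPath $target
    }
    if ($PSCmdlet.ShouldProcess($store, "Import $($cert.Subject)")) {
        Import-Certificate -FilePath $file -CertStoreLocation $store
    }
}

# Usage with placeholder values:
# Install-VerifiedRootCertificate -CerPath 'C:\Temp\corp-root.cer' `
#     -ExpectedThumbprint '<thumbprint read from the CA server>'
```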

Conclusion

In this blog post, we’ve discussed various error messages that can occur when requesting a certificate from a local Active Directory Certificate Authority (CA) and how to resolve each error.

It’s crucial to ensure that the root certificate is installed on all client computers to establish trust between clients and the CA and ensure the completeness of the certificate chain. We hope this article helps resolve many issues you may encounter when requesting certificates.
