NDES Certificate Renewal Problem

Hi Anyone;

We have an offline root CA and a sub CA that also has NDES installed. Two certificates expired: CEP Encryption and Exchange Enrollment Agent (Offline). When I try to renew the certificate through the Certificates MMC, I get an error: "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate." I am logged on to the sub CA with my domain admin account. I checked the template and the Domain Admin has read/write and enroll authority. The server is 2008 R2 Enterprise version.

May 21st, 2015 5:17pm

You are not using the correct accounts.

- The Exchange Enrollment Agent (Offline Request) certificate must actually be renewed in the security context of the NDES service account (and moved to the computer store). (See https://support.microsoft.com/en-us/kb/2712186?wa=wsignin1.0)

- The CEP Encryption certificate must be renewed from the Certificates MMC focused on the local computer (NDES server computer account).

- The permissions must be set to allow the referenced accounts Read and Enroll permissions on the certificate templates.

- The previous certificates must not be expired. The renewal requires signing the request with the previous certificate.

You need to do new requests.

Brian

May 21st, 2015 9:31pm
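
The reply above turns on two facts per certificate: whether it has already expired (renewal is no longer possible, a new request is needed) and which account has to enroll for it. The following PowerShell is an added example, not part of the original thread, that reports both for the NDES RA certificates in the local computer store. It assumes the certificates were issued from the default version 1 templates, whose internal names are `CEPEncryption` and `EnrollmentAgentOffline`, and it is written to run on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example (not from the thread): inventory the NDES RA certificates on the
# NDES server and show, per certificate, whether renewal is still possible.
# Assumption: default v1 template names CEPEncryption / EnrollmentAgentOffline.

# OID of the "Certificate Template Name" extension carried by v1-template certs
$templateOid = '1.3.6.1.4.1.311.20.2'

# Enrollment context for each template, as described in the reply above
$enrollAs = @{
    'CEPEncryption'          = 'NDES server computer account (Certificates MMC, local computer)'
    'EnrollmentAgentOffline' = 'NDES service account, then move to the computer store'
}

$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Skip certificates that carry no template-name extension
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    if (-not $ext) { return }

    # Format() decodes the extension value to the template's internal name
    $template = $ext.Format($false).Trim()
    if (-not $enrollAs.ContainsKey($template)) { return }

    # Renewal signs the request with the old certificate, so it must be unexpired
    if ($cert.NotAfter -lt $now) {
        $action = 'Expired: submit a new request'
    } else {
        $action = 'Valid: renewal is possible'
    }

    New-Object PSObject -Property @{
        Template      = $template
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        EnrollAs      = $enrollAs[$template]
        Action        = $action
    }
} | Select-Object Template, Subject, NotAfter, HasPrivateKey, EnrollAs, Action |
    Format-List
```

Run it in an elevated PowerShell session on the NDES server. Each account listed under `EnrollAs` still needs Read and Enroll permissions on the corresponding template before the request will succeed.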
