I tried to Issue a certificate on the Windows 2008 Enterprise installed as a Domain Controller with Certificate Authority installed but it came up with the following error.The request contains no certificate template information 0x80094801 (-2146875391). Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute. The certificate was issued through the IIS7 on the same machine.I tried the following work aroundhttp://technet.microsoft.com/en-us/library/cc783835.aspxBut still got the same error. I tried to use the web certsrv but since the web site is not HTTPS enabled, I can't use that, I can only go through the MMC to request Certificates.Any ideas why this does not work?

I think enterprise ca's require certificate template information. What steps did you do to create the certificate request and submit it to the ca?If you are trying to obtain an SSL server cert then you can always use the MMC to request a "WebServer" certificate for the computer and bind that certificate in IIS.You may also consider submitting the certificate request to a standalone ca OR creating the certificate request using the "certreq" tool.Andrew

I think enterprise ca's require certificate template information. What steps did you do to create the certificate request and submit it to the ca?If you are trying to obtain an SSL server cert then you can always use the MMC to request a "WebServer" certificate for the computer and bind that certificate in IIS.You may also consider submitting the certificate request to a standalone ca OR creating the certificate request using the "certreq" tool.Andrew

The problem I have is because I am using Enterprise CA where Standalone CA does not use certificate template, certreq fixed the problem I have.http://support.microsoft.com/default.aspx/kb/910249In Microsoft Windows Server 2003, when you use the Certification Authority Microsoft Management Console (MMC) snap-in to submit a certificate signing request (CSR) to an enterprise certification authority (CA), you may receive the following error message: Certificate Request Processor The request contains no certificate template information. 0x80094801 (-2146875391) Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the Certificate Template request attribute. The message indicates that there is no certificate template information in the request. However, there is no option in the Certification Authority MMC snap-in to select a certificate template. Note Stand-alone CAs do not use certificate templates. Therefore, this issue occurs only when you use the Certification Authority MMC snap-in to request a certificate from an enterprise CA.

You say the following: "The message indicates that there is no certificate template information in the request. However, there is no option in the Certification Authority MMC snap-in to select a certificate template. "To request a certificate, you should be using the certmgr snap-in. For Vista and below, if you are domain joined you should be able to select a certificate template after you select "Request New..." from the right click menu of the "Personal" folder.Andrew

You say the following: "The message indicates that there is no certificate template information in the request. However, there is no option in the Certification Authority MMC snap-in to select a certificate template. "To request a certificate, you should be using the certmgr snap-in. For Vista and below, if you are domain joined you should be able to select a certificate template after you select "Request New..." from the right click menu of the "Personal" folder.Andrew

I am not able to select the Web Server template (after you select "Request New..." from the right click menu of the "Personal" folder) because it says "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to view this type of certificate."I am login as the domain administrator with local admin rights of the machine which is the DC and CA of the domain. I am loggin as the same user and it works on the console but not the snap-in, any reasons why?

Hi, Before we go further, I suggest we try to configure the web CA service. 1. Add http://localhost/certsrv to your Trusted sites. 2. Open Internet Options, switch to Security tab, click Trusted sites, move the slide bar to bottom. Click OK. 3. Try to visit http://localhost/certsrv and request new certificate. Please let us know which template you choose to request and detailed error message if any. 4. If we still cannot get the certificate, please let us know how did you configure the Certificate Template. 5. Run "certutil template >>c:\ca.txt" and send c:\ca.txt file to tfwst@microsoft.com for research. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.

If I have already created the certificate requestand just submitting it, it works fine when I select "Submit a certificate by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file". I choose the "WebServer" template.If I do "Create and submit a request to this CA", I get the error"In order to complete certificate enrollment, the web site for the CA must be configured to use HTTPS authentication"So the question still remains with MMC as I am not able to select the Web Server template (after you select "Request New..." from the right click menu of the "Personal" folder) because it says "The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to view this type of certificate."

Hi, I understand you can get a certificate if you have already created a request, but there is still error when trying to submit from MMC. This issue may be caused by incorrect Certificate Template permission settings. Lets give Authenticated user Enroll permission: 1. Open MMC, click File menu, choose Add/Remove Snap-in, choose Certificate Templates, click OK. 2. Double-click Web Server template, switch to Security tab, selected Authenticated users, click Enroll option. Click OK. 3. Open CA console, stop CA service and restart it. 4. Try to open MMC->Certificates of Local Computer, try to request Web Server certificates. At the same time, we can disable IE SEC and change IE security settings to bypass HTTPS requirement. To do so: 1. Open Server Manager, click Server Manger in the left panel, click Configure IE SEC in the right panel. 2. Click Off at least for administrator. Click OK. 3. Open Internet Options, switch to Security tab, click Trusted sites, move the slide bar to bottom. Click Local intranet, move the slide bar to bottom, click OK. 4. Restart IE and try to visit http://localhost/certsrv, you should be able submit request. If there is any error, please let us know the detailed error message. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.

For the first section, I can see the WebServer check box appears in the Certificate MMC for requesting new certificate request, but when I select it, the enroll button does not get enabled. All the others Domain Controller, Domain Controller Authentication enabled the Enroll button when I select it. Even if I select Domain Controller then WebServer it gets disabled, actually disables it after it was enabled.For the web section, it works as you described and I am able to generate and install the certificate and save the certificate request.Let me know what you think about the first section.

Hi, Glad to hear you could request certificate from CA web service. Based on my test, the Enroll button disabled in MMC Certificate Enrollment window may be caused by lack of enough information. Under Web Server template in Certificate Enrollment window, there should be a Yellow triangle, click it. If there is yellow triangle, click Detailed button, click Properties, switch to Subject tab, in the subject name section, choose Common name or Title or any option, type a valid Value, click Add, click OK. The Enroll button should be activated. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.

Great, that was it. Thanks for your help.

It doesn't display web server template by default, because you connect to "certificates" snap-in as a computer account. Which is funny, because you can't enroll web server certficicate as a user account (role not meant for that), and only domain admins [not computers] have access to web server enrollment by default.Which makes me wonder what's the proper way to enroll a web server certificate on w2k8..

It depends on what type oF CA you are using for the symantics of the submission.1) generate the request using the IIS Manager console 2) For Enterprise CAs, use the Domain Certificate request option (this does a direct submission to the CA, hard-coded for the Web Server certificate template. Just change permissions to allow a custom global or universal group Read and Enroll permissions3) For standalone CAs, use the certificate request, this creates a PKCS#10 request, that must be submitted to the CA. (You can also do this for an enterprise CA). Then submit the request using certreq or the Web enrollment pages. (submitting a PKCS#10 request) and selecting the associated certificate template if submitting to an enterprise CA. (this method allows you to use a custom certificate template rather than Web Server).4) COmplete the request at the IIS Manager console.Brian

Hi,We are working on an authentication application whereby user will be authenticated against Microsoft Active Directory server. The server has to be set up with an X.509 SSL server certificate and has SSL enabled.I am trying to generate an SSL certificate using the process described inhttp://support.microsoft.com/kb/321051 ;In this process a .inf file is created and is used to create a .req file which in turn is submitted to CA to generate a certificate. My .req file gets created successfully but when I submit that file to CA, I get an error saying "The request contains no certificate template information.................."I don't know how to "request Web Server certificates........." as given in the solution above because I do not get any such option. I also went through the http://technet.microsoft.com/en-us/library/bb727068.aspx;I am able to generate the certificate, but I do not get any option to install the certificate. ( Click Install Certificate to install the certificate to the certificate store....)Any solutions, please let me know.Regards

To use the method described in the KB article to submit a request to an Enterprise CA you need to add the following to the INF file: [RequestAttributes]CertificateTemplate=WebServer Paul Adare CTO IdentIT Inc. ILM MVP

Just try this in the commandline: certreq -submit -attrib „CertificateTemplate:Webserver“ <certrequest.req-file> where the <certrequest.req-file> is the whole path and filename to your request file