HI, I have deployed a Stand alone Root CA (Windows 2008 R2 Ent); and now would like to deploy the Online Issuing Subordinate (Windows 2008 R2 Ent). So on another computer I install the SubCA, and save the request to a file. On the RootCA, I duplicate the "Subordinate Certification Authority" template, so that I can extend its life to 10 years. I verify that Domain and Enterprise Admins have Read, Write and Enroll permissions on the new template. Authenticated Users have Read permissions. I then issue the new template, and can see it in the ADCS snap-in. The Root CA is started and running. When I try to submit the request for the SubCA (using the text request file copied from the Subordinate) I get the following error message: "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392). Denied by Policy Module 0x80094800. The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: SubCA" I have tried both the Windows 2003 and 2008 template versions - with the same results. If I use the default built-in Subordinate CA template then it works (but it only gives me 5 years). Any ideas on how to resolve this? Thank you, SK

1) it seems you have an Enterprise Root CA, not Standalone. This is because Standalone CAs don't use certificate templates at all. 2) you receive this message because certificate template name for subordinate CA is hardcoded. In this case you need to configure your subordinate CA CAPolicy.inf to use custom template: http://blogs.technet.com/b/instan/archive/2009/01/14/using-a-custom-template-for-subordinate-ca-s.aspxMy weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com

Vadims, Yep - a rookie mistake ! I had the incorrect Root CA. Thank you