You do not have permission to request this type of Certificate at Certificate Renew

Today I got this error while I tried to renew a certificate:

The permissions on the certificate template do not allow the current user to enroll this type of certificate. You do not have permission to request this type of Certificate


Apparently I had to assign Enroll permissions to the Certificate template security for the computer requesting the certificate.

Fix You do not have permission to request this type of Certificate error

To fix the permissions so you can request this type of Certificate, follow the steps below. To make it easy for you, I added some screenshots with numbers that correspond to the steps.

  1. Locate a Certificate server in your environment. This is e.g. a root or intermediate certificate server.
  2. On the Certificate Authority server, open the Certificate Templates console. This is an MMC snap-in, so it's easiest to just run certtmpl.msc
  3. Find the Template. Right-click and click Properties (1)
  4. In the Web Server properties, click the Security tab (2)
  5. You probably need a server certificate (almost 100% for sure :) ). In that case you first need to add the computer to the list of Group or user names. Therefore, click Add (1) -> Object Types… (2) -> select the Computers checkbox (3) -> click OK -> find the computer in the Select Users, Computers, Service Accounts, or Groups window, and click OK.
    In case you need a user certificate, add the user to the Security box.
    Certificate Template Add computer to security
  6. Back in the Web Server properties window, go to the Security tab.
    Select the computer you just added and enable the checkboxes Read, Write and Enroll (3)
  7. Click OK. Try to renew or request the certificate from the computer once again.

Set Permissions on Certificate Template

After I added the computer to the Certificate Template security with the appropriate Enroll permissions, I was able to renew my certificate.
Please note that this solution, as described above, may very well not be the best or most secure way to solve the problem. However, I have read about people adding the computer to the Enterprise Admins group, only to fix this issue. That's 100% worse. ;-)
When finished, it’s OK to remove the computer from the Security of the Certificate Template. The permissions are only necessary to deploy the certificate.
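
To check what the template's ACL looks like after step 6, and to confirm the temporary entry is gone once you remove it, the following added example (not part of the original post) reads the template object from Active Directory and reports which principals can enroll in or modify it. It assumes the built-in Web Server template (CN `WebServer`) and a domain-joined machine; `Get-TemplateAclReport` is a hypothetical helper name, and treating names ending in `$` as computer accounts is a heuristic.

```powershell
# Added example: report who can enroll in or modify a certificate template.
Add-Type -AssemblyName System.DirectoryServices

function Get-TemplateAclReport {
    param(
        # CN of the template object; it can differ from the display name
        # (the built-in "Web Server" template has the CN "WebServer").
        [string]$TemplateName = 'WebServer'
    )
    # Extended-right GUIDs that AD CS checks on template objects.
    $enroll     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
    $autoEnroll = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment
    # Bits that allow changing the template or its ACL. GenericAll and
    # GenericWrite both contain WriteProperty, so they are caught as well.
    $writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
    $extRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    # Templates live in the forest-wide Configuration partition.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        throw "Template '$TemplateName' not found at $path"
    }
    $tmpl  = [ADSI]$path
    $rules = $tmpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$r.ActiveDirectoryRights
        $ext    = ($rights -band $extRight) -ne 0
        [pscustomobject]@{
            Principal  = $r.IdentityReference.Value
            # An empty ObjectType on an ExtendedRight ACE covers every extended right.
            Enroll     = $ext -and ($r.ObjectType -in @($enroll, [guid]::Empty))
            AutoEnroll = $ext -and ($r.ObjectType -in @($autoEnroll, [guid]::Empty))
            Write      = ($rights -band $writeMask) -ne 0
            Inherited  = $r.IsInherited
            # Heuristic: computer account names end in '$'.
            Computer   = $r.IdentityReference.Value.EndsWith('$')
        }
    }
}

# Show the entries worth reviewing: computer accounts and anything with write access.
Get-TemplateAclReport -TemplateName 'WebServer' |
    Where-Object { $_.Computer -or $_.Write } |
    Format-Table -AutoSize
```

A computer account that still shows `Write` or `Enroll` as True after the certificate has been issued is the leftover entry from steps 5 and 6.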

Renew Certificate Available Template

For more information about setting up Certificate Templates or autoenrollment, visit:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-server-certificate-template
and
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

 

8 Comments
Moe

Big thank you :)

Arshad

Thanks a Lot Lot Lot!

shailender

Yes, it helped me as well, as it's a temporary fix to add the computer and, after import, remove it from the Security tab. Good idea. I faced the same issue during SCCM 1910 installation.

Radhakrishnan

Thanks, it helped me as well

Bob

That worked perfectly. Thanks!

Shishir Singh Chandrawat

Hi Guys,

I got this error because my new CA server certificate wasn’t added to the trusted root authority of the requesting client yet. To validate, I manually imported the cert on one of the clients and it worked fine, and then as a solution I added the trusted CA cert via the default domain policy in the domain.

thanks
Shishir Chandrawat

Masashi

Thank you. You saved my life

Juan

It was perfect. Thank you. Additionally, the procedure is detailed.
