000034892 - RSA Authentication Manager 8x certificate request fails on Microsoft Certificate Authority: no certificate template

Document created by RSA Customer Support Employee on Mar 14, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000034892
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2
Issue

Submitting an Authentication Manager-generated Certificate Signing Request (CSR) for either Console or Web Tier replacement certificates directly to the Microsoft Certificate Authority (CA) gives the following error:


Certificate Request Processor
The request contains no certificate template information. 0x80094801
(-2146875391 CERTSRV_E_NO_CERT_TYPE)
Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

 


MS CA error
Cause

The Microsoft Certificate Authority is not using any certificate template, either through its MMC plug-in or via the web interface.  It is possible this error is caused by a Certificate Template permission issue on the CA.
Resolution

Options


  • Give authenticated users enroll permission to Certificate Templates.
  • Add the Certificate Template plug-in to the MMC for your CA.
  • Use the command line to submit the RSA CSR with a Certificate Template.

Give authenticated users Enroll permission to the Certificate Templates


This issue may be caused by incorrect Certificate Template permission settings. Give authenticated users enroll permission:
  1. Open the MMC.  From the File menu, choose Add/Remove Snap-in.  
  2. Choose Certificate Templates.
  3. Click OK.
  4. Double-click the Web Server template.  
  5. Switch to the Security tab.
  6. Select Authenticated users.  
  7. Click on the Enroll option.
  8. Click OK.
  9. Open the CA console.
  10. Restart the CA service. 
  11. Open the MMC and select Certificates of Local Computer.  Try to request Web Server certificates. 
  12. At the same time, we can disable Internet Explorer Enhanced Security Configuration (IE ESC) and change the browser security settings to bypass the HTTPS requirement. To do so:
    1. Open Server Manager.
    2. Click Server Manager in the left panel.
    3. Click Configure IE ESC in the right panel.
    4. Click Off, at least for administrators.
    5. Click OK.
    6. Open Internet Options and select the Security tab.
    7. Click Trusted Sites.
    8. Under Security level for this zone, move the slide bar to Low.
    9. Click Apply.
    10. Click Local intranet and move the slide bar to Low.
    11. Click OK.
    12. Restart Internet Explorer and try to visit http://localhost/certsrv.  You should be able to submit the request.

Add the Certificate Template plug-in to the MMC for your CA 


A web search found a site suggesting that you add or modify certificate templates in the MMC plug-in.
  1. Open the MMC.
  2. Select Add/Remove Snap-in > Certificate Templates.
  3. Locate the Web Server certificate template at the bottom.  
  4. Right click and select Properties.
  5. Click the Security tab.
  6. Click Add > Type=Computer.  
  7. Enter the computer/server name.


Use the command line to submit the RSA CSR with a Certificate Template


Another website suggests using the command line to submit the RSA CSR, but that requires knowing which template to use.  The syntax would be something like this, where -config names the CA in CAHostName\CAName form and the CertificateTemplate attribute carries the template name:
certreq -submit -config "<CAHostName\CAName>" -attrib "CertificateTemplate:<template name>" <file_from_AM>.csr
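
The command-line option above, worked through as an added example (not RSA's or Microsoft's own script): it checks whether the CSR already carries a template extension, confirms the CA offers the chosen template, and only then submits with the CertificateTemplate attribute. The file names, CA configuration string and the WebServer template name are placeholder assumptions, as is the assumption that certutil -dump lists request extensions by dotted OID.

```powershell
# Added example. All parameter defaults are placeholders, not values from the article.
param(
    [string]$CsrPath  = '.\am_console.csr',             # CSR generated by Authentication Manager
    [string]$CaConfig = 'ca01.example.com\Example-CA',  # CAHostName\CAName
    [string]$Template = 'WebServer',                    # template name, not its display name
    [string]$CertOut  = '.\am_console.cer'
)

# Request extensions that carry template information for a Microsoft CA.
$templateOids = @(
    '1.3.6.1.4.1.311.20.2',   # Certificate Template Name
    '1.3.6.1.4.1.311.21.7'    # Certificate Template Information
)

# 1. Decode the CSR and check whether it already names a template.
#    Assumption: certutil -dump lists each extension by its dotted OID.
$dump = (& certutil.exe -dump $CsrPath 2>&1 | Out-String)
if ($LASTEXITCODE -ne 0) { throw "certutil could not decode ${CsrPath}:`n$dump" }
$hasTemplate = [bool]($templateOids | Where-Object { $dump -match [regex]::Escape($_) })
Write-Host "Template extension present in CSR: $hasTemplate"

# 2. Confirm the CA actually offers the template before submitting.
$offered = & certutil.exe -config $CaConfig -CATemplates 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "Could not list templates on ${CaConfig}:`n$($offered | Out-String)"
}
$line = $offered | Where-Object { "$_" -match "^$([regex]::Escape($Template)):" }
if (-not $line) { throw "Template '$Template' is not offered by $CaConfig." }
Write-Host "CA reports: $line"   # any access problem the CA reports shows up on this line

# 3. Submit; add the CertificateTemplate attribute only when the CSR lacks one.
$submitArgs = @('-submit', '-config', $CaConfig)
if (-not $hasTemplate) { $submitArgs += @('-attrib', "CertificateTemplate:$Template") }
& certreq.exe @submitArgs $CsrPath $CertOut
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE." }
Write-Host "certreq completed; if the request was issued, the certificate is in $CertOut"
```
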
Workaround

The last option to use as a workaround is to use a third-party tool to generate the CSR for Authentication Manager.  For more information, review 000033948 - How to replace an RSA Authentication Manager 8.x console SSL certificate without a Certificate Signing Request (CSR) from the Operations Console.
 
