Secure Bits
Weird issues with auto enrollment in Microsoft CA? Here's one that cost me hours.
I recently set up a fresh issuing CA on Windows Server 2025 in a brand-new Active Directory domain:
- Auto-enroll GPO? Done.
- Certificate template published & configured for domain computers? Done.
- ACLs set up? Done.
Yet: no certificate. Not after a reboot. Not after waiting. Nothing.
After hours of troubleshooting, I stumbled upon Uwe Gradenegger's great blog:
https://www.gradenegger.eu/en/the-request-for-a-certificate-fails-with-the-error-message-the-requested-certificate-template-is-not-supported-by-this-ca/
Here's what was wrong:
The ACL about who can actually request certificates on CA level was not synced.
The Request Certificates ACE (Enroll) should be in two places:
1. The registry of the CA (you can see this in the CA console)
2. The Configuration partition in Active Directory (query this with certutil)
Somehow, and I still don't know why, the AD Config partition was missing the Request Certificates ACE (Enroll) for Authenticated Users.
-> Re-added the Read + Enroll rights
-> Waited a minute
-> Auto-enroll worked perfectly
Just wanted to share this with you, in case you ever run into the same headache.
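A quick consistency check for the two copies of the CA security descriptor described above, written as an added example for this post (it is not the author's script and not part of the linked article). It reads the CA's Security value from the registry and the ACL of the CA's pKIEnrollmentService object in the Configuration partition, and reports whether Authenticated Users holds Read and Enroll in each. Assumptions of mine: the CA name in the parameter is a placeholder, the script runs on the CA host with the ActiveDirectory module present, the CA_ACCESS_READ (0x100) and CA_ACCESS_ENROLL (0x200) mask values are taken from the Windows SDK header certca.h as I recall them, and the Enroll extended-right GUID is the Certificate-Enrollment control access right.

```powershell
# Added example, not from the original post: compare the "Enroll" permission for
# Authenticated Users between the CA registry security descriptor (what the CA
# console shows) and the pKIEnrollmentService object in the AD Configuration partition.
param(
    [string]$CaName = "Contoso-Issuing-CA"   # placeholder: replace with your CA's common name
)

Import-Module ActiveDirectory

$AuthUsersSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$EnrollRightGuid = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$CA_ACCESS_READ   = 0x100   # assumed value, from certca.h
$CA_ACCESS_ENROLL = 0x200   # assumed value, from certca.h

function Get-CaRegistryEnrollState {
    # Registry copy: HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA>\Security
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$CaName"
    [byte[]]$raw = (Get-ItemProperty -Path $key -Name Security).Security
    # The value is a self-relative security descriptor; parse it with the .NET raw SD class
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($raw, 0)
    $result = [ordered]@{ Read = $false; Enroll = $false }
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        if (-not $ace.SecurityIdentifier.Equals($AuthUsersSid)) { continue }
        if ($ace.AccessMask -band $CA_ACCESS_READ)   { $result.Read   = $true }
        if ($ace.AccessMask -band $CA_ACCESS_ENROLL) { $result.Enroll = $true }
    }
    [pscustomobject]$result
}

function Get-CaAdEnrollState {
    # AD copy: the pKIEnrollmentService object under Enrollment Services in the Configuration NC
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$CaName,CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"
    $result = [ordered]@{ Read = $false; Enroll = $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if (-not $sid.Equals($AuthUsersSid)) { continue }
        # Coarse "Read" check: any generic-read bit on the object
        if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericRead) {
            $result.Read = $true
        }
        # Enroll is an extended right; an empty ObjectType means "all extended rights"
        if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($ace.ObjectType -eq $EnrollRightGuid -or $ace.ObjectType -eq [guid]::Empty)) {
            $result.Enroll = $true
        }
    }
    [pscustomobject]$result
}

$reg = Get-CaRegistryEnrollState
$ad  = Get-CaAdEnrollState

@(
    [pscustomobject]@{ Source = 'Registry (CA console view)'; Read = $reg.Read; Enroll = $reg.Enroll }
    [pscustomobject]@{ Source = 'AD Configuration partition'; Read = $ad.Read;  Enroll = $ad.Enroll }
) | Format-Table -AutoSize

if ($reg.Enroll -and -not $ad.Enroll) {
    Write-Warning "Enroll for Authenticated Users exists in the registry but is missing in AD: the two copies are out of sync, which is the situation described in this post."
}
```

Run it as a local administrator on the CA server; the registry side is the same data that certutil -getreg CA\Security prints, so the output of that command is a handy manual cross-check. A mismatch between the two rows is the condition to fix; the script only reports, it does not change any ACL.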
