Certificate Renew You do not have permission to request this type of Certificate
IT operationsTechnology

You do not have permission to request this type of Certificate at Certificate Renew

Posted on by Jiajie

The permissions on the certificate template do not allow the current user to enroll this type of certificate. You do not have permission to request this type of Certificate

Certificate Renew You do not have permission to request this type of Certificate

Apparently I had to assign Enroll permissions to the Certificate template security for the computer requesting the certificate.

Fix You do not have permission to request this type of Certificate error

To fix the permissions so you can request this type of Certificate, follow the steps below. To make it easy for you, I added some screenshots with numbers that correspond to the steps.

  1. Locate a Certificate server in your environment. This is e.g. a root or intermediate certificate server.
  2. On the Certificate Authority server, open Certification Templates Console. This is a MMC, so it’s easiest to just run certtmpl.msc
  3. Find the Template. Right-click and click Properties (1)
  4. In the Web Server properties, click tab Security (2)
  5. You probaby need a server certificate (almost 100% for sure 🙂 ). In that case you first need to add the computer to the list of Group and user names. Therefore, click Add (1) -> Object Types… (2) -> select the Computers checkbox (3) -> click OK -> find the computer in the Select Users, Computers, Service Accounts, or Groups window, and click OK.
    In case you need a user certificate, add the user to the Security box.
    Certificate Template Add computer to security
  6. Back in the Web Server properties window, got to tab Security.
    Select the computer you just added and enable the checkboxes Read, Write and Enroll (3)
  7. Click OK. Try to renew or request the certificate from the computer once again.

Set Permissions on Certificate Template

After I added the computer to the Certificate Template security with the appropriate Enroll permissions, I was able to renew my certificate.
Please note that this solution, as described above, may very well be not the best or most secure way to solve the problem. However, I have read people adding the computer to the Enterprise Admins group. Only to fix this issue. That’s 100% worse. 😉
When finished, it’s OK to remove the computer from the Security of the Certificate Template. The permissions are only necessary to deploy the certificate.

Renew Certificate Available Template

For more information about setting up Certificate Templates or autoenrollment, visit:

https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-the-server-certificate-template
and
https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

Leave a Reply

Your email address will not be published. Required fields are marked *