When requesting an SSL certificate from Active Directory Certificate Services, the process may fail due to a lack of permission for the Web Server template or a template derived from it. This issue can be particularly confusing when the user has administrative privileges.

When a certificate is requested from certlm.msc or the Certificates Snap-in for the local computer, the certificate registration wizard does not display the Web Server template or more modern alternatives in the template list.

Request certificate from certlm.msc

If you then select the Show all templates checkbox, you will see them, but their status will be Unavailable and accompanied by the following message:

The permissions on the certificate template do not allow the current user to enroll for this type of certificate.

When displaying all templates the template Web Server shows the status Unavailable

If you request the server certificate from certmgr.msc, you will find the following message:

The specified role was not configured for the application. This type of certificate can be issued only to a computer.

Granting permission to the computer

This error message already contains a hint about the problem's cause and solution. The missing permission does not pertain to the user running certlm.msc but rather to the computer from which the certificate is being requested.

Accordingly, it is necessary to grant the required permission to this computer for the template. To do so, launch certtmpl.msc and open the properties of the relevant template. There, switch to the Security tab and click Add.

If you only want to add a single computer to the list, click the Object types button in the following dialog box, and check the box for computers.

Assigning permission to a certificate template for an individual computer

Next, return to the previous dialog box and enter the name of the computer object in the relevant field. Here, you would typically specify a group that contains the computers you want to authorize.

Once the computers appear in the list on the Security tab, select them and assign them both the Read and Enroll rights.

Granting the Enroll right to the computer object

When you complete this process, the computer has the necessary permissions, and the next time you run the certificate request wizard on it, the Web Server template will appear as Available in the list.

After the permission is assigned to the local computer the template will appear in the CSR wizard
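The same Read and Enroll grant can be scripted instead of clicked through in certtmpl.msc. The following PowerShell is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, sufficient rights on the Configuration partition, and placeholder names for the template and the computer group.

```powershell
# Added example (not from the original post): grant Read + Enroll on a certificate
# template to a group of computer accounts, the scripted equivalent of the
# certtmpl.msc Security tab steps, then list who holds Enroll afterwards.
# Assumes the RSAT ActiveDirectory module (which provides the AD: drive) and
# rights to modify the template object; template and group names are placeholders.
Import-Module ActiveDirectory

$TemplateName = 'WebServer'     # the template's cn (object name), not its display name
$GroupName    = 'Web Servers'   # group that contains the computer accounts to authorize

# Certificate templates are objects in the forest's Configuration partition
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Well-known GUID of the Certificate-Enrollment extended right (the "Enroll" checkbox)
$EnrollRight = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

$group = Get-ADGroup -Identity $GroupName
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path "AD:\$templateDN"

# "Read" on the Security tab corresponds to GenericRead on the template object
$readAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow)

# "Enroll" is an ExtendedRight scoped to the Certificate-Enrollment GUID
$enrollAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $EnrollRight)

$acl.AddAccessRule($readAce)
$acl.AddAccessRule($enrollAce)
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Verification: every principal that now holds Enroll on this template.
# Reviewing this list periodically also shows whether Enroll is granted more
# broadly than the group you intended.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.ObjectType -eq $EnrollRight -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
```

Template ACL changes are read by the CA and clients on their next refresh, so the wizard may take a few minutes to show the template as Available.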

Summary

When you request a server certificate from Active Directory Certificate Services, the template may display a status of Unavailable, accompanied by a reference to missing permissions. These permissions, however, pertain not to the user but to the computer from which the request is made. This computer must therefore be granted the necessary rights to the template in certtmpl.msc.

© 4sysops 2006 - 2023