Requesting a certificate fails with the error message "You cannot request a certificate at this time because no certificate types are available."

Assume the following scenario:

  • You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
  • To do this, you use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
  • The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
  • You are not offered any certificate templates to choose from, even though they are correctly published on the certification authorities.
  • There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
  • The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.

Possible causes:

Possible causes can be:

  • An enrollment policy is configured that points to an invalid address.
  • No certificate templates are available for the current user context when requesting via the certificate enrollment web services.
  • No compatible certificate templates are available when requesting via the Certificate Enrollment Web Services.

Details: An enrollment policy is configured that points to an invalid address.

The absence of the "Show hidden templates" option can indicate that the query for the certificate templates from Active Directory is already failing.

By default, the enrollment policy references the GUID of the Active Directory forest. For example, if a group policy is imported from a test environment, the GUIDs no longer match and the certificate templates cannot be retrieved.
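One way to check for this mismatch on an affected client is shown below. This is an added example, not part of the original article. It assumes that Group Policy stores enrollment policy servers under `SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers` with the values `URL`, `PolicyID` and `FriendlyName`, that the Active Directory policy uses the URL `LDAP:`, and that you supply a reference PolicyID taken from a client in the same forest where enrollment works (the value in the script is a placeholder).

```powershell
# Added example: list enrollment policy servers configured via Group Policy and
# flag LDAP entries whose PolicyID differs from a known-good reference value.
param(
    # Assumption: PolicyID copied from a working client in this forest.
    # The default below is a placeholder, not a real identifier.
    [string]$ReferencePolicyId = '{00000000-0000-0000-0000-000000000000}'
)

# Assumed registry locations for GPO-configured enrollment policies.
$roots = @{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
}

$findings = foreach ($context in $roots.Keys) {
    $root = $roots[$context]

    # No key means no enrollment policy is enforced by GPO for this context.
    if (-not (Test-Path -Path $root)) { continue }

    foreach ($key in Get-ChildItem -Path $root) {
        $values = Get-ItemProperty -Path $key.PSPath

        # Skip subkeys that do not describe a policy server.
        if (-not $values.URL) { continue }

        $isLdap = $values.URL -like 'LDAP:*'

        [pscustomobject]@{
            Context  = $context
            Name     = $values.FriendlyName
            Url      = $values.URL
            PolicyId = $values.PolicyID
            # An LDAP policy with a foreign PolicyID matches the imported-GPO case.
            Suspect  = $isLdap -and ($values.PolicyID -ne $ReferencePolicyId)
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No GPO-configured enrollment policy servers found.'
}
```

Rows marked `Suspect` point to the Group Policy object whose enrollment policy settings should be recreated in the target forest instead of imported.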

Details: No certificate templates are available for the current user context when requesting via the certificate enrollment web services.

If the request is made via the certificate enrollment web services (CEP, CES), check whether a certificate template is published at all for the current context (computer or user certificate store). In contrast to requests via RPC/DCOM, the "Show hidden templates" option is not available in this case either.

Details: No compatible certificate templates are available when requesting via the certificate enrollment web services.

There is a known bug in the Certificate Enrollment Policy Web Service (CEP) that causes certificate templates whose compatibility is set to Windows 10 or Windows Server 2016 not to be displayed. For more details, see the article "Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10".

In this case, the certificate template compatibility must be set to Windows Server 2012 R2 or lower, if possible.
