Requesting a Trusted Platform Module (TPM) protected certificate fails with error message "The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)"

Assume the following scenario:

  • A certificate template is configured to use the Microsoft Platform Crypto Provider, so the private key generated when the certificate is requested is protected with a Trusted Platform Module (TPM).
  • However, the certificate request fails with the following error message:
An error occurred while enrolling for a certificate.
A certificate request could not be created.
Url: CA02.intra.adcslabor.de\ADCS Lab Issuing CA 1
Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

Cause

The NTE_NOT_SUPPORTED error occurs when the private key is generated. If the certificate template allows private key export, key generation fails with the Microsoft Platform Crypto Provider, because this provider by its nature does not support key export.

Changing the certificate template with the Certificate Authority Management Console can result in the pKIDefaultCSPs attribute being reset or changed, so that it no longer defaults to the Microsoft Platform Crypto Provider. Therefore, after each change to the certificate template, check that the attribute is set as desired (see the article "Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM)").
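
The following PowerShell check is an added example, not code from the original article. It evaluates a template's pKIDefaultCSPs and msPKI-Private-Key-Flag attributes for the two conditions described above. The function name `Test-TpmTemplate`, the template names and the sample attribute values are constructed for illustration; the exportable-key bit 0x10 (CT_FLAG_EXPORTABLE_KEY) is the value documented for msPKI-Private-Key-Flag.

```powershell
# Added example. Sample templates below are constructed, not taken from a real forest.
$CT_FLAG_EXPORTABLE_KEY = 0x10   # bit in msPKI-Private-Key-Flag: private key export allowed
$TpmKsp = 'Microsoft Platform Crypto Provider'

function Test-TpmTemplate {
    param([Parameter(Mandatory, ValueFromPipeline)] $Template)
    process {
        # pKIDefaultCSPs entries have the form "<priority>,<provider name>"
        $providers = @(@($Template.pKIDefaultCSPs) | Where-Object { $_ } | ForEach-Object {
                if ("$_" -match '^\s*(\d+)\s*,\s*(.+?)\s*$') {
                    [pscustomobject]@{ Priority = [int]$Matches[1]; Name = $Matches[2] }
                }
            } | Sort-Object Priority)

        # The entry with the lowest priority number is the template's default provider
        $default    = if ($providers.Count -gt 0) { $providers[0].Name } else { '' }
        $exportable = ([int]$Template.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) -ne 0

        $finding = if ($default -ne $TpmKsp) {
            'pKIDefaultCSPs no longer defaults to the Microsoft Platform Crypto Provider'
        } elseif ($exportable) {
            'Key export allowed with TPM provider: enrollment fails with NTE_NOT_SUPPORTED (0x80090029)'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Template        = $Template.Name
            DefaultProvider = $default
            Exportable      = $exportable
            Finding         = $finding
        }
    }
}

# Constructed sample data covering the good case and both failure conditions
$samples = @(
    [pscustomobject]@{ Name = 'TpmUser-OK';         pKIDefaultCSPs = @('1,Microsoft Platform Crypto Provider');     'msPKI-Private-Key-Flag' = 0 }
    [pscustomobject]@{ Name = 'TpmUser-Exportable'; pKIDefaultCSPs = @('1,Microsoft Platform Crypto Provider');     'msPKI-Private-Key-Flag' = 0x10 }
    [pscustomobject]@{ Name = 'TpmUser-Reset';      pKIDefaultCSPs = @('1,Microsoft Software Key Storage Provider'); 'msPKI-Private-Key-Flag' = 0 }
)
$samples | Test-TpmTemplate | Format-Table -AutoSize

# Live data (requires the RSAT ActiveDirectory module):
# $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
# Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
#     -Properties pKIDefaultCSPs, 'msPKI-Private-Key-Flag' | Test-TpmTemplate
```

Running the check after every template change catches a reset pKIDefaultCSPs value before clients enroll with software-protected keys.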
