Assume the following scenario:
- Machines are configured by group policy to request certificates for the remote desktop session host.
- However, the certificates are not applied for or existing certificates expire without renewal.
- In the event log of the affected system, the event with ID 1064 of the source Terminalservices-RemoteConnectionManager is logged:
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occurred: The requested certificate template is not supported by this CA.
Under certain circumstances, the event with ID 52 from source Microsoft-Windows-CertificateServicesClient-CertEnroll is also logged.
Cause
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the function of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and can be used free of charge. Professional maintenance is also offered.
It is recommended to work with autoenrollment for Remote Desktop certificates and not via certificate application by the Remote Desktop session host. For more details, see the article "Configuring a Certificate Template for Remote Desktop (RDP) Certificates".
The error message "The requested certificate template is not supported by this CA." is misleading. The underlying cause in most cases is one of the following:
- The certificate template is not published on any certification authority
- There is no trust status to the certification authority
Details: The certificate template is not published on any certification authority
If the certificate template configured in the group policy is not published on any certificate authority, no certificate request can be made. It is also important to check whether the name of the certificate template has been entered correctly in the group policy.
Details: There is no trust status to the certification authority
This is usually the case when the root CA certificate has not been distributed to the clients or the certificate chain cannot be completed to the root CA.
The trust status to the certification authority hierarchy must be established. See the following articles:
- Certificate request fails with error message "The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)."
- Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".
- The local certificate store for trusted root certificate authorities is not synchronized from Active Directory
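The two causes above (template not published, no trust to the CA) can be checked from the affected RD Session Host without guessing. The following PowerShell script is an added example and is not part of this article or of any product mentioned here. It assumes that the Group Policy setting for the RDP certificate template is stored in the registry value CertTemplateName under the Terminal Services policy key (an assumption), that the host is domain-joined so the Configuration partition can be queried, and that event 1064 is written to the System log.

```powershell
# Added diagnostic script (example code, not from the article).
# Assumptions: the GPO template name is stored in the CertTemplateName registry value below,
# the host is domain-joined, and event 1064 is written to the System log.
$ErrorActionPreference = 'Stop'

# 1. Which template does Group Policy tell the RD Session Host to request?
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$templateName = (Get-ItemProperty -Path $polKey -Name CertTemplateName -ErrorAction SilentlyContinue).CertTemplateName
if ([string]::IsNullOrWhiteSpace($templateName)) {
    Write-Warning 'No RDP certificate template is configured by Group Policy.'
    return
}
"Template configured by policy: $templateName"

# 2. Does a template with exactly this name exist in the forest? (catches typos in the GPO)
$configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pkiRoot   = "CN=Public Key Services,CN=Services,$configNC"
$tplSearch = New-Object System.DirectoryServices.DirectorySearcher
$tplSearch.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,$pkiRoot"
$tplSearch.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$templateName))"
if (-not $tplSearch.FindOne()) {
    Write-Warning "No certificate template named '$templateName' exists; check the spelling in the GPO."
}

# 3. Which enterprise CAs publish the template, and does this host trust each of them?
$caSearch = New-Object System.DirectoryServices.DirectorySearcher
$caSearch.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiRoot"
$caSearch.Filter = '(objectClass=pKIEnrollmentService)'
[void]$caSearch.PropertiesToLoad.AddRange([string[]]@('cn', 'dNSHostName', 'certificateTemplates', 'cACertificate'))

$published = $false
foreach ($ca in $caSearch.FindAll()) {
    $caName    = [string]$ca.Properties['cn'][0]
    $caHost    = [string]$ca.Properties['dnshostname'][0]
    $templates = @($ca.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
    $publishesTemplate = $templates -contains $templateName
    if ($publishesTemplate) { $published = $true }

    # Build the chain of every CA certificate (renewed CAs have several) against the local
    # machine stores, as enrollment on this host would. UntrustedRoot or PartialChain means
    # the root CA certificate has not been distributed to this machine.
    $trusted  = $true
    $statuses = @()
    foreach ($raw in $ca.Properties['cacertificate']) {
        $caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, [byte[]]$raw)
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        if (-not $chain.Build($caCert)) {
            $trusted   = $false
            $statuses += ($chain.ChainStatus | ForEach-Object { $_.Status })
        }
    }
    $statusText = if ($trusted) { 'OK' } else { ($statuses | Sort-Object -Unique) -join ', ' }

    [pscustomobject]@{
        CA                = "$caHost\$caName"
        PublishesTemplate = $publishesTemplate
        Trusted           = $trusted
        ChainStatus       = $statusText
    }
}
if (-not $published) {
    Write-Warning "Template '$templateName' is not published on any enterprise CA."
}

# 4. Show the most recent occurrence of the symptom described above, if any.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1064 } -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the RD Session Host. A CA row with PublishesTemplate set to False points to the first cause (publish the template on that CA or correct the name in the GPO); a row with Trusted set to False and a ChainStatus of UntrustedRoot or PartialChain points to the second cause (distribute the root and intermediate CA certificates as described in the linked articles).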