Assume the following scenario:
- You try to apply for a certificate from an Active Directory-integrated certification authority (Enterprise Certification Authority).
- To do this, you use the Microsoft Management Console (MMC), either for the logged-in user (certmgr.msc) or for the computer (certlm.msc).
- The logged-in user also has the necessary permissions to request certificates from the certificate template in question (enroll).
- You don't get any certificate templates to choose from, even though they are correctly published on the certificate authorities.
- There is also no "Show hidden templates" option. This usually appears at the bottom left of the dialog.
- The following error message is displayed:
Certificate types are not available. You cannot request a certificate at this time because no certificate types are available. If you need a certificate, contact your administrator.

Possible causes can be:
- Communication with the Active Directory is not possible
- An enrollment policy is configured that points to an invalid address.
- No certificate templates are available for the current user context when requesting via the certificate enrollment web services.
- No compatible certificate templates are available when requesting via the Certificate Enrollment Web Services.
Details: Communication with the Active Directory is not possible
The absence of the "Show hidden templates" option may be an indication that querying the certificate templates from Active Directory fails.
You should therefore first check whether the computer and user in question can communicate with Active Directory. The first place to look is the Event Viewer on the computer in question.
Details: An enrollment policy is configured that points to an invalid address.
The absence of the "Show hidden templates" option may be an indication that querying the certificate templates from Active Directory fails.
By default, the enrollment policy refers to the GUID of the root domain of the Active Directory forest.
For example, if a group policy is imported from a test environment, the GUIDs no longer match and the certificate templates cannot be retrieved.
A report on the configured group policies can be created with the following command:
gpresult /scope:user /H filename.html
You can then search for the term "Enrollment Policy" in the HTML files generated.

The GUID of the root domain of the Active Directory forest can be queried with the following PowerShell command (requires Active Directory PowerShell module):
(Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain).ObjectGUID

Alternatively, this can also be determined via the Active Directory Users and Computers (dsa.msc) management console. To do this, right-click the root domain of the forest, select Properties and look for the value objectGUID in the "Attribute Editor" tab.
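
The comparison described in this section can also be scripted. The following is an added example, not part of the original article: it reads the enrollment policies delivered by group policy from the registry and compares each policy ID with the GUID of the forest root domain. The registry path and the value names URL and PolicyID are assumptions about where the client stores this policy; the variable names are illustrative.

```powershell
# Added example: compare policy-configured enrollment policy IDs with the
# GUID of the forest root domain. Requires the Active Directory module.
Import-Module ActiveDirectory

# Same query as the command shown above
$forestGuid = (Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain).ObjectGUID

# Assumption: group policy writes the enrollment policy to these keys,
# one subkey per policy, with the values "URL" and "PolicyID".
$roots = [ordered]@{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'
}

$result = foreach ($scope in $roots.Keys) {
    if (-not (Test-Path -Path $roots[$scope])) { continue }   # nothing configured
    foreach ($key in Get-ChildItem -Path $roots[$scope]) {
        $props = Get-ItemProperty -Path $key.PSPath
        if (-not $props.URL) { continue }                     # not a policy entry

        # PolicyID is stored as text; TryParse accepts it with or without braces
        $parsed = [guid]::Empty
        $isGuid = [guid]::TryParse([string]$props.PolicyID, [ref]$parsed)

        [pscustomobject]@{
            Scope         = $scope
            Url           = $props.URL
            PolicyId      = $props.PolicyID
            IsLdap        = $props.URL -like 'LDAP:*'
            MatchesForest = $isGuid -and ($parsed -eq $forestGuid)
        }
    }
}

if (-not $result) {
    Write-Output 'No enrollment policy is configured by group policy in either scope.'
} else {
    $result | Format-Table -AutoSize
    # Only the Active Directory (LDAP) policy is expected to carry the forest GUID;
    # policies pointing to CEP URLs have their own IDs and are listed for reference.
    $result | Where-Object { $_.IsLdap -and -not $_.MatchesForest } | ForEach-Object {
        Write-Warning "$($_.Scope): LDAP policy ID $($_.PolicyId) does not match forest GUID $forestGuid"
    }
}
```

A warning for an LDAP entry corresponds to the case described above, for example a group policy imported from another environment.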

Details: No certificate templates are available for the current user context when requesting via the certificate enrollment web services.
If the request is made via the certificate enrollment web services (CEP, CES), check whether a certificate template is published at all for the current context (computer or user certificate store). In contrast to the request via RPC/DCOM, the "Show hidden templates" option is also not available in this case.

Details: No compatible certificate templates are available when requesting via the certificate enrollment web services.
There is a known error in the Certificate Enrollment Policy Service (Certificate Enrollment Web Service, CEP) which means that certificate templates whose compatibility is set to Windows 10 or Windows Server 2016 are not displayed. For more details, see the article "Certificate Enrollment Policy Service does not display certificate templates configured for compatibility with Windows Server 2016 or Windows 10".

In this case, the certificate template compatibility must be set to Windows Server 2012 R2 or lower, if possible.
Related links:
- Basics of manual and automatic certificate requests via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM) with the MS-WCCE protocol
- Certificate request basics via Certificate Enrollment Web Services (CEP, CES)
- Requesting a certificate fails with the error message "A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted."