Requesting a Trusted Platform Module (TPM) protected certificate fails with error message "The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)"

Assume the following scenario:

  • A certificate template is configured to use the Microsoft Platform Crypto Provider, so the private key generated when the certificate is requested is protected with a Trusted Platform Module (TPM).
  • However, the certificate request fails with the following error message:
An error occurred while enrolling for a certificate.
A certificate request could not be created.
Url: CA02.intra.adcslabor.de\ADCS Lab Issuing CA 1
Error: The requested operation is not supported. 0x80090029 (-2146893783 NTE_NOT_SUPPORTED)

Cause


The error message NTE_NOT_SUPPORTED occurs when the private key is generated. If the certificate template permits export of the private key, key generation with the Microsoft Platform Crypto Provider fails, because this provider by design does not support key export.

Changing the certificate template with the Certificate Authority Management Console can result in the pKIDefaultCSPs attribute being reset or changed, so that it no longer defaults to the Microsoft Platform Crypto Provider. Therefore, after each change to the certificate template, check that the attribute is set as desired (see the article "Configure a certificate template to use the Microsoft Platform Crypto Provider to enable private key protection through a Trusted Platform Module (TPM)").
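
The two conditions described above can be checked directly on the template's Active Directory attributes. The following is an added example, not code from the original article: the function name and the sample templates are hypothetical, and it assumes the exportable-key setting is stored as the CT_FLAG_EXPORTABLE_KEY bit (0x10) of msPKI-Private-Key-Flag and that pKIDefaultCSPs entries have the form "priority,provider name".

```powershell
# Added example: flag templates that allow key export or no longer default to the TPM provider.
$CT_FLAG_EXPORTABLE_KEY = 0x10    # bit in msPKI-Private-Key-Flag (assumption, see lead-in)
$TpmProvider = 'Microsoft Platform Crypto Provider'

function Test-TpmTemplate {       # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)] $Template)
    process {
        $flags = [int]$Template.'msPKI-Private-Key-Flag'
        # Order entries by their numeric priority, then strip the "<priority>," prefix
        $providers = @(@($Template.pKIDefaultCSPs) | Where-Object { $_ } |
            Sort-Object { [int]($_ -split ',')[0] } |
            ForEach-Object { $_ -replace '^\s*\d+\s*,\s*', '' })
        $exportable = [bool]($flags -band $CT_FLAG_EXPORTABLE_KEY)
        $tpmDefault = ($providers.Count -gt 0 -and $providers[0] -eq $TpmProvider)
        $finding = if ($tpmDefault -and $exportable) {
            'Key export allowed with TPM provider: enrollment fails with NTE_NOT_SUPPORTED'
        } elseif (-not $tpmDefault) {
            'pKIDefaultCSPs does not default to the TPM provider: key is not TPM protected'
        } else { 'OK' }
        [pscustomobject]@{
            Template      = $Template.Name
            KeyExportable = $exportable
            FirstProvider = if ($providers.Count -gt 0) { $providers[0] } else { $null }
            Finding       = $finding
        }
    }
}

# Constructed sample data (not real templates). Against a live forest, pipe in instead:
#   $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services," +
#           (Get-ADRootDSE).configurationNamingContext
#   Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
#       -Properties 'msPKI-Private-Key-Flag', pKIDefaultCSPs
$sample = @(
    [pscustomobject]@{ Name = 'Tpm-User-Good'; 'msPKI-Private-Key-Flag' = 16842752
                       pKIDefaultCSPs = @('1,Microsoft Platform Crypto Provider') }
    [pscustomobject]@{ Name = 'Tpm-User-Exportable'; 'msPKI-Private-Key-Flag' = 16842768
                       pKIDefaultCSPs = @('1,Microsoft Platform Crypto Provider') }
    [pscustomobject]@{ Name = 'Tpm-User-Reset'; 'msPKI-Private-Key-Flag' = 16842752
                       pKIDefaultCSPs = @('2,Microsoft Platform Crypto Provider',
                                          '1,Microsoft Software Key Storage Provider') }
)
$sample | Test-TpmTemplate | Format-Table -AutoSize -Wrap
```

Running this after every template change catches both the export flag and a silently reset provider list before clients attempt enrollment.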
