Avatar of tfinding
Flag for United Kingdom of Great Britain and Northern Ireland asked on

Automatic certificate enrollment for local system failed (0x800b0101)


One of clients has a very simple domain, with 2 x W2008 R2 Domain Controllers and an Exchange Server 2010 server.

For some reason the Exchange server is the Certification Authority and 2 of the certificates expired in December 2015.

The Domain Controller now gets;

  -  Event ID: 64 - Certificate for local system with Thumbprint xxxxxxxxxx  is about to expire or already expired
  -  Event ID: 6 - Automatic certificate enrollment for local system failed (0x800b0101) A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
  -  Event ID: 13 - Certificate enrollment for Local system failed to enroll for a DomainControllerAuthentication certificate with request ID N/A from "ServerName01-CA" (A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)).

and the same Event ID: 13 for a "DirectoryEmailReplication" certificate.

It seems relatively simple, that the certs have expired and, as we can't renew, we have to create new ones, but I'm unsure how to go about this.

Any pointers would be appreciated.

Thanks in advance.
Windows Server 2008Active DirectorySecuritySSL / HTTPS

Avatar of undefined
Last Comment

8/22/2022 - Mon
Hypercat (Deb)

What are the certs being used for?  If they're being used for Exchange, the easiest way to renew them would be to do it on the Exchange server.  You can use Powershell to do this. Here's an article that runs through the steps:


Hi Hypercat

Many thanks for your comment. They are not Exchange but Domain certificates;

  -  Domain Controller Authentication
  -  Directory Email Replication

The reasoning for the mention of Exchange is because the CA is installed on the Exchange Server (not sure why).

The errors are on the Domain Controller.
Hypercat (Deb)

Have you rebooted the server recently?  If not, try that first, since it may renew automatically when you restart.

Otherwise, you should be able to renew it using the Certificates snapin. I think you can do this from either server.  Here's a basic article from TechNet with links for additional info:

Your help has saved me hundreds of hours of internet surfing.

Hi - I think the problem lies with the fact that the 2 certificates have expired and they weren't renewed in time.

The certificates reside on the Domain Controller & not the CA. If I try to renew it on the DC, I get;

  -  "The permissions on this certification authority do not allow the current user to enroll for certificates. A valid CA configured to issue certificates based on this template cannot be located or the CA does not support this operation, or the CA is not trusted"

If I try to request a new certificate (under Personal > Certificates) on the CA, I also get;

  -  "You cannot request a certificate at this time because no certificate types are available. If you need a certificate please contact your administrator."

I'm logged in as the Domain Admin in all cases. I gave Full Control for the Domain Admins on one of the Certificate Templates, but it's still not listed when I run this request.

I feel I need to find a comprehensive step by step document to start from the start.

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

These errors were resolved doing another task related to the Certification Authority (link supplied).