Avatar of Mike Broderick
Mike BroderickFlag for United States of America

asked on 

Problem renewing a certificate

I need to renew my exchange server's iis certificate. I generate the request on the exchange server. I bring up the web page xxx.xxx.xxx.xxx/CertSrv and click Request a Certificate.  I get the message:

No certificate templates could be found. You do not have permission to request a certificate from this CA, or an error occurred while accessing the Active Directory.

Per internet searches, I found the following suggestion:

You will need to view the Active Directory dNSHostName attribute on the following object: pkiEnrollmentService. To find this object, check the following locations:
CN=CertificateServer,CN=Enrollment Services,CN=Public Key
To be able to see the dNSHostName attribute, you will have to use ADSIEdit.msc or LDP.exe.

When I try ADSI or LPD, I do not see any of the above. My ASDI shows:

Name      Class      Distinguished Name
CN=Builtin      builtinDomain      CN=Builtin,DC=MyDomain,DC=local
CN=Computers      container      CN=Computers,DC=MyDomain,DC=local
OU=Domain Controllers      organizationalUnit      OU=Domain Controllers,DC=MyDomain,DC=local
CN=ForeignSecurityPrincipals      container      CN=ForeignSecurityPrincipals,DC=MyDomain,DC=local
CN=LostAndFound      lostAndFound      CN=LostAndFound,DC=MyDomain,DC=local
CN=Managed Service Accounts      container      CN=Managed Service Accounts,DC=MyDomain,DC=local
OU=Microsoft Exchange Security Groups      organizationalUnit      OU=Microsoft Exchange Security Groups,DC=MyDomain,DC=local
CN=Microsoft Exchange System Objects      msExchSystemObjectsContainer      CN=Microsoft Exchange System Objects,DC=MyDomain,DC=local
OU=MyBusiness      organizationalUnit      OU=MyBusiness,DC=MyDomain,DC=local
CN=NTDS Quotas      msDS-QuotaContainer      CN=NTDS Quotas,DC=MyDomain,DC=local
CN=Program Data      container      CN=Program Data,DC=MyDomain,DC=local
CN=System      container      CN=System,DC=MyDomain,DC=local
CN=TPM Devices      msTPM-InformationObjectsContainer      CN=TPM Devices,DC=MyDomain,DC=local
CN=Users      container      CN=Users,DC=MyDomain,DC=local
CN=Infrastructure      infrastructureUpdate      CN=Infrastructure,DC=MyDomain,DC=local

Am I missing something?
Exchange* certificate services* active directory certificate serviceActive DirectorySecurity

Avatar of undefined
Last Comment
Mike Broderick
Avatar of Ian Pattison
Ian Pattison
Flag of United Kingdom of Great Britain and Northern Ireland image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Avatar of Mike Broderick


Interesting, when I enter the command:
  certreq -submit \\svrxx\svrxxd\td\exchiis.req exchiis.cer
I get a panel asking me which CA to use, MyDomain-SVRXX-CA or MyDomain-SVRXX-CA-1, both on computer SVRXX.MyDomain.local. I dont know why it thinks I have 3 CA's. Is there a way I can clean up, delete one of them? I choose the newer one, -CA-1. I then get the error:

Certificate not issued (Denied) Denied by Policy Module  0x80094801, The request does not contain a certificate template
 extension or the CertificateTemplate request attribute.
 The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE)
Certificate Request Processor: The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV
Denied by Policy Module  0x80094801, The request does not contain a certificate template extension or the CertificateTem
plate request attribute.

Is the request command correct? I simply asked for a renewal when I made the request file. Is there something else I need to to?

Avatar of Mike Broderick


I added -attrib "CertificateTemplate:WebServer" and it worked. I then retrieved the cert, pointed IIS to it, then after it worked delete the old one.

Thank you for your help. I am going to open a new question regarding the 2 CA instances. If you are able, look for it.

Thanks again.

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo