
Ondrej Sevecek's English Pages


February 10
Error message when you try to obtain certificate using the Enroll on behalf of wizard

If you want to use the Certificates console's Advanced Operations - Enroll On Behalf Of wizard with an Enrollment Agent certificate (RA, registration authority), you may receive the error message "No certificate available - no certificates meet the application criteria" or "The template is missing required policy signature attribute". Some of the less obvious reasons might be:

  • on Windows 7, Windows Vista, Windows 2008 and Windows 2008 R2 the enrollment agent signing certificate's private key must be stored by a legacy CSP (cryptographic service provider) instead of the newer KSP/CNG (key storage provider). KSP keys are not supported by the wizard on these systems. You can verify which provider holds the key according to one of my previous articles.
  • although KSP keys are supported since Windows 8 and Windows 2012, the enrollment agent certificate must contain the Certificate Request Agent enhanced key usage (EKU, application policy) with its OID. Although it might seem limiting, as if you could not use your own different application policies for different RA signing certificates, it is not in fact. A certificate can have more than one application policy. If you want to have several enrollment agent (RA) signing certificate templates with different EKU OIDs, you can always add both your custom application policy OID and the Certificate Request Agent OID. On the Issuance Requirements tab you would then specify the custom OID instead of the Certificate Request Agent OID, which would be present in all enrollment agent certificates anyway. In a similar manner, you can also use an issuance policy OID for the same purpose: add some custom issuance policy into the enrollment agent certificates and configure the Issuance Requirements tab to require "Both application and issuance policy".
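The two conditions above can be checked from PowerShell before opening the wizard. The following script is an added example, not code from the article; it lists every certificate with a private key in the current user's personal store, reports whether it carries the Certificate Request Agent EKU (well-known Microsoft OID 1.3.6.1.4.1.311.20.2.1), and tells a legacy CSP key apart from a CNG/KSP key by the RSA object type that .NET returns for it. It assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+ (where `GetRSAPrivateKey` is available); the function and parameter names are my own.

```powershell
# Added example (not from the original article): audit Enrollment Agent
# certificates in Cert:\CurrentUser\My for the two conditions the article
# names - the Certificate Request Agent EKU, and a legacy CSP rather than a
# CNG/KSP private key on systems older than Windows 8 / Windows 2012.
# Assumes Windows PowerShell 5.1+ / .NET Framework 4.6+ (GetRSAPrivateKey).

$EnrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent (well-known OID)

function Get-PrivateKeyProviderKind {
    # Returns 'CSP' for a legacy CryptoAPI key, 'KSP' for a CNG key,
    # 'None' if the certificate has no private key, 'Unknown' otherwise.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) { return 'None' }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    } catch {
        return 'Unknown'   # key not accessible (smart card not present, permissions, ...)
    }
    if ($null -eq $rsa) { return 'Unknown' }   # e.g. a non-RSA key

    switch ($rsa.GetType().Name) {
        'RSACryptoServiceProvider' { return 'CSP' }   # legacy CSP key container
        'RSACng'                   { return 'KSP' }   # CNG key storage provider
        default                    { return 'Unknown' }
    }
}

function Test-EnrollOnBehalfOfReady {
    # Emits one object per certificate with a private key, with the reasons
    # (if any) why the Enroll On Behalf Of wizard would refuse to use it.
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My',
        # Hypothetical parameter so the OS rule can be evaluated for another version.
        [version]$OsVersion = [version](Get-CimInstance Win32_OperatingSystem).Version
    )

    # KSP keys are accepted by the wizard from Windows 8 / Windows 2012 (6.2) onwards.
    $kspSupported = $OsVersion -ge [version]'6.2'

    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object HasPrivateKey) {
        $hasAgentEku = $false
        foreach ($eku in $cert.EnhancedKeyUsageList) {
            if ($eku.ObjectId -eq $EnrollmentAgentEku) { $hasAgentEku = $true }
        }

        $provider = Get-PrivateKeyProviderKind -Certificate $cert
        $problems = @()
        if (-not $hasAgentEku) {
            $problems += 'missing Certificate Request Agent EKU'
        }
        if ($provider -eq 'KSP' -and -not $kspSupported) {
            $problems += 'CNG/KSP key is not supported by the wizard on this OS'
        }
        if ($provider -eq 'Unknown') {
            $problems += 'could not determine key provider (compare with: certutil -user -store My)'
        }

        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            HasAgentEku    = $hasAgentEku
            KeyProvider    = $provider
            UsableByWizard = ($problems.Count -eq 0)
            Problems       = ($problems -join '; ')
        }
    }
}

# Usage: run in the context of the enrollment agent user.
Test-EnrollOnBehalfOfReady | Format-Table -AutoSize
```

A certificate that shows `HasAgentEku = True` and `KeyProvider = CSP` satisfies both conditions on every listed Windows version; `KeyProvider = KSP` is only acceptable on Windows 8 / Windows 2012 and later. When the script reports `Unknown`, `certutil -user -store My` prints a `Provider =` line for each key container, which shows the same information directly. Note that this checks the agent certificate only; the "missing required policy signature" message is decided by the Issuance Requirements tab of the template being requested, which must reference an application (or issuance) policy that the agent certificate actually contains.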

