Adding template information to a non-Windows CSR

If you’ve ever tried to issue a certificate from a Windows CA using a CSR that was generated on a non-Windows system, you’ve probably come across the following error: –

The request contains no certificate template information.

0x80094801 (-2146875391)

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension of the CertificateTemplate request attribute.

This is because the Windows CA is expecting some additional information (the CertificateTemplate attribute) in the CSR, which non-Windows systems do not include.

Fortunately, you can add this information to an existing CSR file using the certreq.exe tool, by running the following command on your CA: –

certreq -submit -attrib “CertificateTemplate:WebServer” “mycsr.txt” “mycert.txt”

The parameter substitutions in the above command should be obviously, but to clarify, the “CertificateTemplate” should specify an existing certificate template that your CA is aware of (in many cases, this would just be “WebServer”) and the mycsr.txt and mycert.txt are your input CSR file and output certificate file, respectively.

It’s also important to note that you need the appropriate permissions to issue certificates from your chosen certificate template. This includes running the command as an administrator if you have UAC enabled.

Leave a Reply

Your email address will not be published. Required fields are marked *