Certificate Template Issued from CA Server Not Showing on Client During Certificate Request

Arya Abdul Azis 20 Reputation points
2025-12-04T08:23:06.2266667+00:00

Hello, I am trying to set up ADFS from a client server that has joined the domain with an ADDS server. The ADDS server also has a CA installed. The problem is that I already created a certificate template, added "Domain Computers" in the Security tab, and issued the template. However, whenever I try to request a new certificate on the client server, the template does not appear. I have already searched on Google and followed some instructions (including a tutorial video), but it still doesn’t show up. Could you please help?

Windows for business | Windows Server | Directory services | Certificates and public key infrastructure (PKI)

Answer accepted by question author
  1. VPHAN 25,000 Reputation points Independent Advisor
    2025-12-04T08:57:48.71+00:00

    Hello Arya Abdul Azis,

    The problem likely lies in one of three areas: the template was not added to the CA, the client lacks the exact permissions, or there is an Active Directory replication delay.

    First, verify the template is truly published to the CA. On the CA server, open the Certification Authority console, expand your server, and right-click Certificate Templates. Select New > Certificate Template to Issue. Your template should appear in this list. If it's not there, you have only created the template object in Active Directory but have not authorized the CA to issue it. Add it now.

    Next, examine the template's security with precision. Merely adding "Domain Computers" is insufficient if the template has specific requirements. Open Certificate Templates console (run certtmpl.msc), double-click your template, and go to the Security tab. Ensure the client computer's specific machine account (e.g., CLIENT-SERVER$) or a group containing it has both Read and Enroll permissions. Avoid using "Autoenroll" unless required. Also, check the Issuance Requirements tab; if CA certificate manager approval is checked, the request will pend and not issue immediately.

    Then, confirm the template's compatibility. In the same properties window, go to the General tab. If the Template display name shows a version like "Windows Server 2016" or later, your client server's OS must meet that minimum. A template configured for a newer OS version will not appear on an older client. Additionally, for an ADFS service certificate, the template must be of type Computer (or custom) and should include the Subject Alternative Name extension, often critical for ADFS.

    If the above checks pass, force Active Directory replication. The template information is stored in the Configuration partition and may not have replicated to the domain controller your client is using. On the CA server, open an administrative command prompt and run: repadmin /syncall /A /e

    Wait a few minutes, then restart the Certificate Services service on the CA with net stop certsvc and net start certsvc.

    On the client server, clear its certificate enrollment cache. Open an elevated command prompt and run: certutil -pulse

    Then, attempt to request the certificate again using the Certificates MMC snap-in for the Computer account (not the user account). If the template still does not appear, query the CA directly from the client to list available templates: certutil -template -config "CA_SERVER_NAME\CA_NAME"

    Replace with your CA's details. This command will show all templates the CA is authorized to issue to this client based on its permissions.

    For ADFS, after obtaining the certificate, you must bind it to the ADFS service using the Set-AdfsSslCertificate PowerShell cmdlet. Ensure the certificate's subject or SAN matches the ADFS service name.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to ACCEPT ANSWER then. Should you have more questions, feel free to leave a message. Have a nice day!

    VPHAN
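The checks in the accepted answer (template object present and replicated, schema version versus client OS, approval requirement, who holds Enroll, and what the CA actually offers this caller) can be run in one pass. The script below is an added example written for this thread, not code from the answer author or from Microsoft; run it in an elevated PowerShell session on the domain-joined client. The template CN `ADFSServiceCert` and the CA config string are placeholders you replace with your own values, and the match against certutil's text output is a coarse whole-word match rather than a parse of its exact format.

```powershell
# Added example, not code from the thread: runs the checks from the answer above in one pass.
# Run in an elevated PowerShell session on the domain-joined client. The template CN and the
# CA config string passed at the bottom are placeholders, not values from the post.
function Test-TemplateVisibility {
    param(
        [Parameter(Mandatory)] [string] $TemplateName,   # AD common name of the template (CN, not the display name)
        [Parameter(Mandatory)] [string] $CAConfig        # "CA_SERVER_NAME\CA_NAME", as in the answer
    )

    # Certificate-Enrollment extended-right GUID from the AD schema; Guid.Empty in an ExtendedRight ACE
    # means "all extended rights". CT_FLAG_PEND_ALL_REQUESTS is the "CA certificate manager approval" bit.
    $enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $allRights       = [guid]::Empty
    $pendAllRequests = 0x2
    $extendedRight   = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        return [pscustomobject]@{
            Template = $TemplateName
            Found    = $false
            Hint     = 'Template object not visible in the Configuration partition this client reads: check the CN (not the display name) or wait for replication.'
        }
    }
    $template = [ADSI]$path

    # 1. Compatibility: the schema version encodes the minimum OS the template was built for.
    $schema = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
    $minOs  = switch ($schema) {
        1 { 'Windows 2000' }
        2 { 'Windows Server 2003' }
        3 { 'Windows Server 2008' }
        4 { 'Windows Server 2012 or later' }
        default { "unknown ($schema)" }
    }

    # 2. Issuance requirements that make a request pend rather than issue immediately.
    $enrollFlag = [int]$template.Properties['msPKI-Enrollment-Flag'].Value
    $raSigs     = [int]$template.Properties['msPKI-RA-Signature'].Value

    # 3. Principals holding Enroll (or GenericAll / all extended rights) on the template.
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $enrollers = foreach ($r in $rules) {
        $hasExt = ([int]$r.ActiveDirectoryRights -band $extendedRight) -ne 0
        if ($r.AccessControlType -eq 'Allow' -and $hasExt -and ($r.ObjectType -in @($enrollRight, $allRights))) {
            $r.IdentityReference.Value
        }
    }

    # 4. What the CA is actually prepared to issue to this caller. certutil filters the list by the
    #    caller's permissions; this is a coarse whole-word match on its text output (assumption: the
    #    template CN appears verbatim in that output).
    $offered     = (& certutil.exe -template -config $CAConfig 2>&1) | Out-String
    $offeredByCA = $offered -match ('\b' + [regex]::Escape($TemplateName) + '\b')

    [pscustomobject]@{
        Template           = $TemplateName
        Found              = $true
        SchemaVersion      = $schema
        MinimumOS          = $minOs
        PendsForApproval   = ($enrollFlag -band $pendAllRequests) -ne 0
        SignaturesRequired = $raSigs
        EnrollGrantedTo    = @($enrollers | Sort-Object -Unique)
        OfferedByCA        = $offeredByCA
    }
}

# Usage with placeholder values. The client's computer account must belong to one of the
# EnrollGrantedTo principals, and OfferedByCA must be True, before the template can show up
# in the Certificates MMC for the Computer account.
Test-TemplateVisibility -TemplateName 'ADFSServiceCert' -CAConfig 'CA_SERVER_NAME\CA_NAME' | Format-List
```

If `Found` is false on the client but the template exists on the CA, the answer's replication step (`repadmin /syncall /A /e`) is the one to run; if `OfferedByCA` is false while `EnrollGrantedTo` looks right, the template has not been added under Certificate Templates on the CA itself.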


2 additional answers

Sort by: Most helpful
  1. VPHAN 25,000 Reputation points Independent Advisor
    2025-12-05T09:50:59.1266667+00:00

    Hi Arya Abdul Azis,

    I'm glad that the answer worked!! But you forgot to accept my answer... It seems you accepted the AI's answer above. Would you mind accepting my answer again? Thank you so much!


  2. Q&A Assist
    2025-12-04T08:23:15.6466667+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    It sounds like you are experiencing an issue where the certificate template you created is not visible to the client when attempting to request a certificate. Here are some steps you can take to troubleshoot this issue:

    1. Check Permissions: Ensure that the client computer's account is included in the "Domain Computers" group and that it has the necessary permissions (Read and Enroll) on the certificate template. You can verify this in the Certificate Templates snap-in.
    2. Verify Template Publication: Confirm that the certificate template has been published correctly on the Certification Authority (CA). You can do this by checking in the Certification Authority management console under the Certificate Templates section.
    3. Active Directory Configuration: Make sure that the dNSHostName attribute on the pkiEnrollmentService object is correctly set. This can affect the visibility of the certificate templates. Use ADSIEdit.msc or LDP.exe to check this attribute.
    4. Restart Services: Sometimes, restarting the Certificate Services on the CA can help refresh the available templates.
    5. Client Configuration: Ensure that the client machine is correctly configured to communicate with the CA. This includes checking network connectivity and ensuring that the CA's root certificate is trusted by the client.

    If these steps do not resolve the issue, you may need to review the CA logs for any errors that could provide more insight into why the template is not appearing.

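Steps 3 and 5 of the answer above (the dNSHostName on each pKIEnrollmentService object, and whether the client can reach and trusts the CA) are the two checks not covered by the accepted answer. The script below is an added example written for this thread, not code from Q&A Assist or Microsoft; it reads the Enrollment Services container the client uses to discover CAs, reports each CA's dNSHostName and advertised templates, and tests name resolution, RPC reachability and trust of the CA certificate from the client. The template CN `ADFSServiceCert` is a placeholder, not a value from the thread.

```powershell
# Added example, not code from the thread: checks steps 3 and 5 of the answer above from the client.
# For each enrollment service (CA) published in AD, read dNSHostName and the certificateTemplates the
# CA advertises, then test whether this client resolves and reaches the CA and trusts its certificate.
function Get-EnrollmentServiceStatus {
    param([string] $TemplateName)   # optional template CN to look for (placeholder when supplied)

    $configNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNC"

    foreach ($svc in $container.Children) {
        $caName     = [string]$svc.Properties['cn'].Value
        $dnsHost    = [string]$svc.Properties['dNSHostName'].Value
        $advertised = @($svc.Properties['certificateTemplates'] | ForEach-Object { [string]$_ })

        # cACertificate is a multi-valued octet string; use the first DER blob.
        $der = $svc.Properties['cACertificate'].Value
        if ($der -is [array] -and $der.Count -gt 0 -and $der[0] -is [byte[]]) { $der = $der[0] }
        $caCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
        $trusted = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
                          Where-Object Thumbprint -eq $caCert.Thumbprint)

        # An empty or stale dNSHostName means the client cannot even locate the CA.
        $hostEmpty = [string]::IsNullOrWhiteSpace($dnsHost)
        $resolves  = (-not $hostEmpty) -and [bool](Resolve-DnsName -Name $dnsHost -ErrorAction SilentlyContinue)
        # Enrollment runs over DCOM/RPC; the endpoint mapper on TCP 135 is a usable reachability probe.
        $reachable = $resolves -and (Test-NetConnection -ComputerName $dnsHost -Port 135 `
                                        -InformationLevel Quiet -WarningAction SilentlyContinue)

        [pscustomobject]@{
            CA                  = $caName
            DnsHostName         = $dnsHost
            DnsHostNameEmpty    = $hostEmpty
            Resolves            = $resolves
            RpcReachable        = [bool]$reachable
            CACertTrusted       = $trusted
            TemplateAdvertised  = $(if ($TemplateName) { $advertised -contains $TemplateName } else { $null })
            AdvertisedTemplates = $advertised
        }
    }
}

# Usage with a placeholder template CN.
Get-EnrollmentServiceStatus -TemplateName 'ADFSServiceCert' | Format-List
```

`TemplateAdvertised` false while the template exists in AD points at the CA side (the template was never added under Certificate Templates on the CA, or that change has not replicated to the domain controller the client is reading); `CACertTrusted` or `RpcReachable` false points at the client side and is unrelated to template permissions.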
