Error: Certificate fails to enroll with the error: Approval is required per the Issuance Requirements of the template.

Applies To:

Venafi Trust Protection Platform 14.2 and above


When enrolling against a Microsoft CA, the certificate fails at stage 500 with the error:

"Verify CA certificate manager approval is required per the Issuance Requirements of the template."


In later releases, the message has changed slightly:

"Verify 'CA certificate manager' approval is required per the Issuance Requirements of the ADCS (MSCA) template."


  1. This is caused by either the Microsoft CA or the certificate template not being configured for manager approval, specifically for certificates containing one or more Subject Alternative Names (SAN).
  2. This can also happen when the certificate has a SAN on it and it should not. Removing the SAN in this case should also resolve the error.
  3. A third scenario is when the option "Automatically include CN as DNS SAN" is selected on the CA Template object. (See KB# 115002696411)


The steps that follow must be taken on the Certificate Authority Server, not the Venafi TPP server.  This change is made to the CA itself.


Option 1: Enable the CA certificate manager approval setting

  1. Launch the MMC and add the Certificate Authority Snap-in.
  2. Right-click on the CA's name and select Properties.
  3. On the Policy Module tab, click the Properties button.
  4. Select Set the certificate request status to pending....


Option 2: Make the change to individual templates

  1. Launch the Certificates Manager MMC.
  2. Right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.
  3. On the Issuance Requirements tab, select CA Certificate Manager Approval to be required for enrollment.
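
To confirm which of the two settings is currently in effect, the read-only check below can be run on the CA server. It is an added example, not Venafi or Microsoft code. The template name is a placeholder, and the script assumes a domain-joined enterprise CA with the default Microsoft policy module layout in the registry.

```powershell
# Added example: read-only check, run in an elevated session on the CA server.
$TemplateName = 'ExampleWebServer'   # assumption: placeholder template cn (not the display name)

$REQDISP_PENDINGFIRST      = 0x100   # policy module: new requests are set to pending
$CT_FLAG_PEND_ALL_REQUESTS = 0x2     # template: CA certificate manager approval

function Test-Flag {
    param([int]$Value, [int]$Flag)
    return (($Value -band $Flag) -ne 0)
}

# Option 1: CA-wide policy module setting, stored in the CA's registry configuration.
$cfgRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $cfgRoot).Active
$modules   = Join-Path $cfgRoot "$caName\PolicyModules"
$active    = (Get-ItemProperty -Path $modules).Active
$disp      = (Get-ItemProperty -Path (Join-Path $modules $active)).RequestDisposition
$caPending = Test-Flag -Value $disp -Flag $REQDISP_PENDINGFIRST

# Option 2: per-template flag, stored on the template object in Active Directory.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$searcher = [ADSISearcher]"(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"
$searcher.SearchRoot = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "Template '$TemplateName' was not found in Active Directory." }
$enrollFlags = [int]$result.Properties['mspki-enrollment-flag'][0]
$tplPending  = Test-Flag -Value $enrollFlags -Flag $CT_FLAG_PEND_ALL_REQUESTS

# Summary: the error in this article is expected when both values are False.
[pscustomobject]@{
    CA                      = $caName
    RequestDisposition      = ('0x{0:X}' -f $disp)
    CAPendsAllRequests      = $caPending
    Template                = $TemplateName
    EnrollmentFlag          = ('0x{0:X}' -f $enrollFlags)
    TemplateRequiresManager = $tplPending
}
```

The script changes nothing. Template changes made in Option 2 can take time to replicate, so re-run the check against the CA before retrying the enrollment.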


