Follow

Error: Certificate fails to enroll with the error: Approval is required per the Issuance Requirements of the template.

Applies To:

Venafi Trust Protection Platform 14.2 and above

Symptom:

When enrolling against a Microsoft CA, the certificate fails at stage 500 with the error:

"Verify CA certificate manager approval is required per the Issuance Requirements of the template."

Screen_Shot_2015-02-06_at_14.22.57.png

In later releases, the message has changed slightly:

"Verify 'CA certificate manager' approval is required per the Issuance Requirements of the ADCS (MSCA) template."

Cause:

  1. This is caused by either Microsoft CA or Certificate template not being configured for manager approval - specifically with certificates containing one or more Subject Alternative Names (SAN).
  2. This can also happen when the certificate has a SAN on it and it should not. If you remove the SAN it in this case it should also resolve the error.
  3. A third scenario is if you've selected the option "Automatically include CN as DNS SAN" on the CA Template object. (See KB# 115002696411)

Resolution:

The steps that follow must be taken on the Certificate Authority Server, not the Venafi TPP server.  This change is made to the CA itself.

 

Option 1: Enable the CA certificate manager approval setting

  1. Launch the MMC and add the Certificate Authority Snap-in
    Add_Cert_Auth_Snapin.png
  2. right-click on the CA's name and select Properties.
  3. On the Policy Module tab, click Properties button.
  4. Select Set the certificate request status to pending....
    MSCA_PolicyModule.png

 

Option 2: Make the change to individual templates

  1. Launch the Certificates Manager MMC:
    MMC_Add_Cert_Templates.png
  2. Right-click on a template to be enrolled by Trust Protection Platform, and then click Properties.
  3. On the Issuance Requirements tab, select CA Certificate Manager Approval to be required for enrollment

    MSCA_Template_IssuanceRequirements__2_.png

 

Was this article helpful?
1 out of 2 found this helpful
Have more questions? Submit a request

Comments