Ryctas
New Member
March 16, 2025
Solved

Certificate Template on request


Hello :),

 

I've previously had an offline CA setup and used it to sign certificate requests for Fortigate. It was an easy process overall.

 

However, I now have an enterprise CA. A new folder under my CA was created as "Certificate Template". I understand its utilization and whatnot, but my troubles come with accepting Fortigate CSRs.

 

I immediately get shot an error "Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the CertificateTemplate request attribute."

That's fine and dandy but I can't seem to be able to add that attribute anywhere before generating the CSR. I've looked online and I'm instructed with a CMD process that applies the Template to use, but I have the upcoming project of signing more than 80 of these certificates. 

 

I'd appreciate the guidance on making this as simple as it was with my offline root CA :)


2 replies

Sheikh
Staff
March 16, 2025

Hello @Ryctas 

 

Could you check that the template type is "WebServer" on the CA server?

 

regards,

 

Sheikh

If you have found a solution, please like and mark it as solved to make it easily accessible for everyone.
Ryctas
Author
New Member
March 17, 2025

Screenshot 2025-03-16 201905.png

 

Yes it does. 

Not visible in the picture, but I also added a copy of it that includes an extended validity period instead of the 2 year max one. Unless there's a way to change the default one's attributes.

Ryctas
Author, best answer
New Member
March 18, 2025

I made ChatGPT help me with a PowerShell script to approve them in a loop.

```powershell
# Define variables
$ConfigFile = "<configuration file>"     # Update with your configuration file path
$CertificateTemplate = "<certificate>"   # Update with your certificate template name
$CSRFolder = "C:\Path\To\CSRs"           # Update with the folder containing the CSR files

# Get all CSR files in the folder
$CSRFiles = Get-ChildItem -Path $CSRFolder -Filter "*.csr"

# Loop through each CSR and submit the request
foreach ($CSR in $CSRFiles) {
    $CSRPath = $CSR.FullName
    Write-Host "Submitting request for $CSRPath..."

    # Call certreq directly with separate arguments; building a string for
    # Invoke-Expression would let a crafted file name run as PowerShell code
    certreq -submit $ConfigFile -attrib "CertificateTemplate:$CertificateTemplate" $CSRPath

    Write-Host "Request submitted for $CSRPath."
}

Write-Host "All certificate requests have been submitted."
```
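For a batch of 80 requests it helps to know which ones were actually issued. The following is an added example, not the poster's script: it names the CA explicitly with `-config`, writes each certificate to a file, and records the outcome per CSR. The CA config string, the `issued` output folder and the variable names are placeholders and assumptions; `WebServer` is the template name mentioned in the thread.

```powershell
# Added example, not the poster's script. All values below are placeholders/assumptions.
$CAConfig  = 'CA-HOST\CA-Name'     # placeholder: CAHostName\CAName, as taken by certreq -config
$Template  = 'WebServer'           # template named in the thread; use your own copy's name
$CsrFolder = 'C:\Path\To\CSRs'     # folder containing the FortiGate CSR files
$OutFolder = Join-Path $CsrFolder 'issued'

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

$results = foreach ($csr in Get-ChildItem -LiteralPath $CsrFolder -Filter '*.csr' -File) {
    $certPath = Join-Path $OutFolder ($csr.BaseName + '.cer')

    if (Test-Path -LiteralPath $certPath) {
        # Skip instead of letting certreq stop the loop on an overwrite prompt.
        [pscustomobject]@{ Csr = $csr.Name; Status = 'Skipped'; ExitCode = $null
                           Output = 'certificate file already exists' }
        continue
    }

    # Arguments are passed as an array, so file names are never parsed as PowerShell code.
    $certreqArgs = @(
        '-submit'
        '-config', $CAConfig
        '-attrib', "CertificateTemplate:$Template"
        $csr.FullName
        $certPath
    )
    $output = & certreq.exe @certreqArgs 2>&1 | Out-String
    $exit   = $LASTEXITCODE

    # Count a request as issued only if certreq succeeded and the certificate file exists.
    $status = if ($exit -eq 0 -and (Test-Path -LiteralPath $certPath)) { 'Issued' } else { 'NotIssued' }
    [pscustomobject]@{ Csr = $csr.Name; Status = $status; ExitCode = $exit; Output = $output.Trim() }
}

# Summary for all CSRs, then the full certreq output for anything that was not issued.
$results | Format-Table Csr, Status, ExitCode -AutoSize
$results | Where-Object Status -eq 'NotIssued' | Format-List Csr, ExitCode, Output
```

The `CertificateTemplate` attribute expects the template's name, which can differ from its display name when the template is a renamed copy.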