Certificate Template on request
Hello :),
I've previously had an offline CA setup and used it to sign certificate requests for FortiGate. It was an easy process overall.
However, I now have an enterprise CA. A new folder under my CA was created as "Certificate Template". I understand its utilization and whatnot, but my troubles come with accepting FortiGate CSRs.
I immediately get shot an error "Denied by Policy Module 0x80094801, the request does not contain a certificate template extension or the CertificateTemplate request attribute."
That's fine and dandy but I can't seem to be able to add that attribute anywhere before generating the CSR. I've looked online and I'm instructed with a CMD process that applies the Template to use, but I have the upcoming project of signing more than 80 of these certificates.
I'd appreciate the guidance on making this as simple as it was with my offline root CA :)
I made ChatGPT help me with a PowerShell script to approve them in a loop.
# Define variables
$ConfigFile = "<configuration file>" # Update with your CA config string (CAHostName\CAName); it is passed to certreq -config
$CertificateTemplate = "<certificate>" # Update with your certificate template name
$CSRFolder = "C:\Path\To\CSRs" # Update with the folder containing the CSR files
# Get all CSR files in the folder
$CSRFiles = Get-ChildItem -Path $CSRFolder -Filter "*.csr"
# Loop through each CSR and submit the request
foreach ($CSR in $CSRFiles) {
    $CSRPath = $CSR.FullName
    Write-Host "Submitting request for $CSRPath..."
    # Call certreq directly with separate arguments. Building a command string
    # for Invoke-Expression would let a crafted file name run as PowerShell code.
    certreq -submit -config $ConfigFile -attrib "CertificateTemplate:$CertificateTemplate" $CSRPath
    # certreq returns a non-zero exit code when the submission fails
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "certreq failed for $CSRPath (exit code $LASTEXITCODE)."
        continue
    }
    Write-Host "Request submitted for $CSRPath."
}
Write-Host "All certificate requests have been submitted."
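A batch submission that also saves each issued certificate and logs the outcome per CSR, as an added example that is not part of the original post. The CA config string, folder paths and log file name are placeholders (assumptions); `WebServer` is the template named in this thread, and only certreq's `-submit`, `-config` and `-attrib` options are used.

```powershell
# Added example. All values in this block are placeholders (assumptions).
$CAConfig  = 'CAHOST\Example-Issuing-CA'  # CAHostName\CAName of the enterprise CA
$Template  = 'WebServer'                  # template name, not its display name
$CsrFolder = 'C:\Path\To\CSRs'
$OutFolder = 'C:\Path\To\Issued'
$LogPath   = Join-Path $OutFolder 'submit-log.csv'

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

$results = foreach ($csr in Get-ChildItem -LiteralPath $CsrFolder -Filter '*.csr' -File) {
    $certPath = Join-Path $OutFolder ($csr.BaseName + '.cer')
    # Hash the CSR so the log ties each issuance to the exact request file.
    $hash = (Get-FileHash -LiteralPath $csr.FullName -Algorithm SHA256).Hash

    if (Test-Path -LiteralPath $certPath) {
        # Issued on an earlier run: skip, so a re-run never resubmits or overwrites.
        [pscustomobject]@{ Csr = $csr.Name; CsrSha256 = $hash; Status = 'Skipped'
                           ExitCode = $null; Output = '' }
        continue
    }

    # The template is supplied as a request attribute at submission time,
    # so the CSR generated on the FortiGate does not have to contain it.
    $output = & certreq.exe -submit -config $CAConfig `
        -attrib "CertificateTemplate:$Template" $csr.FullName $certPath 2>&1
    $code = $LASTEXITCODE

    # Count a request as issued only if certreq succeeded AND wrote the certificate.
    # Anything else is pending or denied; the captured output says which.
    $issued = ($code -eq 0) -and (Test-Path -LiteralPath $certPath)
    $status = if ($issued) { 'Issued' } else { 'NotIssued' }

    [pscustomobject]@{
        Csr       = $csr.Name
        CsrSha256 = $hash
        Status    = $status
        ExitCode  = $code
        Output    = ($output | Out-String).Trim()
    }
}

# Keep a record of what was signed, then print a per-status summary.
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
$results | Group-Object Status | Select-Object Name, Count
```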
Hello @Ryctas
Could you check that the template type is "WebServer" on the CA server?
regards,
Sheikh
Yes, it does.
Not visible in the picture, but I also added a copy of it that includes an extended validity period instead of the 2 year max one. Unless there's a way to change the default one's attributes.
