No certificates meet the application criteria

Bahram Maleki 66 Reputation points
2021-04-23T15:49:10.583+00:00

Hello,

I deployed an Enrollment Agent to be able to request certificates on behalf of other users. It was working before, but now when I request on behalf I get the following error message:
No certificates meet the application criteria.

Any thoughts?


Accepted answer
  1. Daisy Zhou 27,516 Reputation points Microsoft Vendor
    2021-04-26T05:44:15.66+00:00

    Hello @Bahram Maleki ,

    Thank you for posting here.

    I have done a test in my lab.

    Configure "Enrollment Agent" certificate template.

    1. Duplicate an "Enrollment Agent" certificate template, and give the "domain users" group "Read" and "Enroll" permissions.

    Certificate template display name is Enrollment Agent-1.

    2. Issue this certificate template.

    Daisy11 requests a certificate using the certificate template named "Enrollment Agent-1".

    3. Log on to one client using the domain user named daisy11.

    4. Request a certificate using the certificate template named "Enrollment Agent-1" in the user store.

    Daisy11 is able to request a certificate on behalf of another user.

    5. After that, Daisy11 is able to request a certificate on behalf of another user (B\yu).

    Because daisy11 has two certificates issued by the "Enrollment Agent" certificate template, it will prompt me to select one.

    6. Select one certificate template for the domain user (B\yu).

    7. Select the user name (B\yu).

    8. Daisy11 now requests a certificate for B\yu successfully.

    From the error message, it seems there is no corresponding Enrollment Agent certificate in the currently logged-on user's store.

    So please check:
    1. Check whether the currently logged-on user's Personal store has an Enrollment Agent certificate installed that was issued using the Enrollment Agent certificate template. If so, ensure this cert is not expired.

    2. Check whether the currently logged-on user's Personal store has an Enrollment Agent certificate installed that was issued using the Enrollment Agent certificate template. If there is no such certificate or the certificate has expired, this logged-on user can request an Enrollment Agent certificate using the Enrollment Agent certificate template again, and then request certs on behalf of other users.

    3. Find which user has already requested an Enrollment Agent certificate using the Enrollment Agent certificate template. You can use the user account with the Enrollment Agent certificate in his/her Personal store to request certs on behalf of other users.

    Similar case.
    Certificate services - request client certificates on behalf of another user?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ef1e7953-0e41-4465-becc-74305e18b32b/certificate-services-request-client-certificates-on-behalf-of-another-user?forum=winserversecurity

    Reference
    Enroll for Certificates on Behalf of Other Users
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770802(v=ws.11)?redirectedfrom=MSDN

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
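
The store check described in the answer above can be scripted. This is an added example, not part of the original answer: it lists certificates in the current user's Personal store that carry the Certificate Request Agent EKU (OID 1.3.6.1.4.1.311.20.2.1) and flags expiry and a missing private key. It assumes the duplicated template still asserts that EKU; the `Usable` column is a label made up for this example.

```powershell
# Added example: find Enrollment Agent certificates in Cert:\CurrentUser\My.
# 1.3.6.1.4.1.311.20.2.1 = "Certificate Request Agent" enhanced key usage.
# Assumption: the duplicated template (e.g. Enrollment Agent-1) keeps this EKU.
$agentEku = '1.3.6.1.4.1.311.20.2.1'
$now      = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    # Collect the EKU OIDs from the certificate's Enhanced Key Usage extension
    $ekuOids = @(
        $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    if ($ekuOids -notcontains $agentEku) { continue }

    $expired     = $cert.NotAfter  -lt $now
    $notYetValid = $cert.NotBefore -gt $now

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        Expired       = $expired
        NotYetValid   = $notYetValid
        HasPrivateKey = $cert.HasPrivateKey
        # Signing an on-behalf-of request needs a time-valid cert with its private key
        Usable        = (-not $expired) -and (-not $notYetValid) -and $cert.HasPrivateKey
    }
}

if (-not $report) {
    Write-Warning 'No certificate with the Certificate Request Agent EKU in Cert:\CurrentUser\My.'
} else {
    $report | Sort-Object NotAfter | Format-List
}
```

Run it as the user who performs the on-behalf-of enrollment, since the check is against that user's own store.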


4 additional answers

  1. Bahram Maleki 66 Reputation points
    2021-04-26T15:35:46.267+00:00

    Thank you so much Daisy, but still no luck. I am still getting the following error:
    "No certificates meet the application criteria"

    It was working before but somehow stopped working.

    Thanks
    BM


  2. Daisy Zhou 27,516 Reputation points Microsoft Vendor
    2021-04-27T05:30:12.277+00:00

    Hello @Bahram Maleki ,

    Thank you for your update.

    I have checked one domain user without a certificate issued using the Enrollment Agent certificate template in the user store.
    The user is named B\yu.

    Then I requested a certificate with the logged-on user B\yu on behalf of another user, and I received the same error as you mentioned above.

    Would you please tell me whether you have troubleshot as I mentioned above? If so, would you please tell me something about the result?

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. Bahram Maleki 66 Reputation points
    2021-04-27T14:04:56.557+00:00

    Here is the issue: I have an Enrollment Agent but I am getting the error.

    Thanks


  4. Daisy Zhou 27,516 Reputation points Microsoft Vendor
    2021-04-28T01:19:04.99+00:00

    Hello @Bahram Maleki ,

    Thank you so much for your update.

    1. Please check whether the root certificate and certificate status are OK as below.

    2. Check whether this certificate is revoked or not.

    Run command: certutil -urlfetch -verify <the full path of this cert>

    For example:
    certutil -urlfetch -verify C:\cer.cer

    [Screenshot: cert is revoked.]

    [Screenshot: cert is not revoked.]

    3. Check the remaining lifetime of the root CA cert.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
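
The three checks in the answer above (chain and root status, revocation, remaining root CA lifetime) can also be collected in one pass with the .NET chain engine. This is an added example, not part of the original answer; it reuses the `C:\cer.cer` path from the post and needs network access to the CA's revocation endpoints.

```powershell
# Added example: build the chain for an exported certificate with online
# revocation checking and report status and remaining lifetime per element.
$path = 'C:\cer.cer'   # example path taken from the post
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Retrieve revocation information over the network for every cert except the root
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

# Build() returns $false if any element fails validation (expired, revoked, untrusted root, ...)
$chainOk = $chain.Build($cert)

$elements = foreach ($element in $chain.ChainElements) {
    $c      = $element.Certificate
    $status = @($element.ChainElementStatus | ForEach-Object { $_.Status })
    [pscustomobject]@{
        Subject  = $c.Subject
        NotAfter = $c.NotAfter
        DaysLeft = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
        Revoked  = $status -contains [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        Status   = if ($status.Count -gt 0) { $status -join ', ' } else { 'NoError' }
    }
}

# Elements are ordered leaf first; the last row is the root CA certificate
$elements | Format-Table -AutoSize -Wrap
Write-Output ('Chain builds and validates: {0}' -f $chainOk)
```

A status of `RevocationStatusUnknown` or `OfflineRevocation` means the revocation data could not be retrieved, which is a different finding from `Revoked`.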

