Unexpected behavior of certificate enrollment
Certificate enrollment may not behave as expected when the Windows certificate template includes unsupported settings.
Issue resolution: Verify that the certificate template matches the configuration described in Creating and configuring certificate templates. Specifically, the configuration must not include any of the following unsupported settings.
| Tab | Unsupported setting |
|---|---|
| Extensions | Any key usage combination containing the following key usages: CRL Sign, Decipher Only, Encipher Only, Key Agreement, Key Cert Sign |
| General | Publish certificate in Active Directory |
| Issuance requirements | CA certificate manager approval |
| Key Attestation | Required |
| Request Handling | Archive subject’s encryption private key |
| Server | Do not include revocation information in issued certificates |
| Server | Do not store certificates and requests in the CA Database |
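
One way to check an existing template for the settings in the table, as an added example that is not part of the original documentation: it decodes the template's Active Directory attributes using flag names and bit values from Microsoft's [MS-CRTD] specification. The function name, the pairing of each flag with a table row, and the sample template are assumptions of this example.

```powershell
# Added example, not vendor code. Bit values are from [MS-CRTD]; pairing each
# one with a row of the table above is this example's assumption.
function Get-UnsupportedTemplateSetting {
    param([Parameter(Mandatory)] $Template)

    $enroll  = [int]$Template.'msPKI-Enrollment-Flag'
    $privKey = [int]$Template.'msPKI-Private-Key-Flag'
    $general = [int]$Template.flags
    # pKIKeyUsage holds the X.509 KeyUsage bit string: byte 0, optional byte 1
    $ku  = $Template.pKIKeyUsage
    $ku0 = if ($ku) { [int]$ku[0] } else { 0 }
    $ku1 = if ($ku -and $ku.Count -gt 1) { [int]$ku[1] } else { 0 }

    $checks = @(
        @{ Hit = $ku0 -band 0x08;       Name = 'Extensions: Key Agreement' }
        @{ Hit = $ku0 -band 0x04;       Name = 'Extensions: Key Cert Sign' }
        @{ Hit = $ku0 -band 0x02;       Name = 'Extensions: CRL Sign' }
        @{ Hit = $ku0 -band 0x01;       Name = 'Extensions: Encipher Only' }
        @{ Hit = $ku1 -band 0x80;       Name = 'Extensions: Decipher Only' }
        # CT_FLAG_PUBLISH_TO_DS
        @{ Hit = $enroll  -band 0x0008; Name = 'General: Publish certificate in Active Directory' }
        # CT_FLAG_PEND_ALL_REQUESTS
        @{ Hit = $enroll  -band 0x0002; Name = 'Issuance requirements: CA certificate manager approval' }
        # CT_FLAG_ATTEST_REQUIRED
        @{ Hit = $privKey -band 0x2000; Name = 'Key Attestation: Required' }
        # CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL
        @{ Hit = $privKey -band 0x0001; Name = 'Request Handling: Archive private key' }
        # CT_FLAG_NOREVOCATIONINFOINISSUEDCERTS
        @{ Hit = $enroll  -band 0x4000; Name = 'Server: No revocation information in issued certificates' }
        # CT_FLAG_DONOTPERSISTINDB
        @{ Hit = $general -band 0x1000; Name = 'Server: Do not store certificates and requests in the CA Database' }
    )
    $checks | Where-Object { $_.Hit } | ForEach-Object { $_.Name }
}

# Constructed sample template (not a real one), shaped like Get-ADObject output
$sample = [pscustomobject]@{
    flags                    = 0x1000             # do not persist in CA database
    'msPKI-Enrollment-Flag'  = 0x000A             # pend all requests + publish to DS
    'msPKI-Private-Key-Flag' = 0x2001             # attestation required + key archival
    pKIKeyUsage              = [byte[]](0xA8, 0)  # digitalSignature, keyEncipherment, keyAgreement
}
Get-UnsupportedTemplateSetting -Template $sample

# Against a live forest (requires the ActiveDirectory module):
# $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
# Get-ADObject -SearchBase $base -Filter "name -eq '<template name>'" -Properties * |
#     ForEach-Object { Get-UnsupportedTemplateSetting -Template $_ }
```

An empty result means none of the listed bits are set; it does not confirm that the rest of the template matches the documented configuration.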