CERTSRV_E_NO_CERT_TYPE (0x80094801) Fix
This error means the certificate request is missing template info. Quick fix: set the template explicitly in the request or use the MMC snap-in instead.
You've hit 0x80094801 and you're not alone
This error is annoying because it looks cryptic, but the root cause is simple: your certificate request is being submitted without a template object identifier (OID). The CA doesn't know what kind of cert you want. Let's fix it.
The fix: specify the template
The culprit here is almost always the way the request is generated. If you're using certreq from the command line or a script that doesn't include the -attrib flag with the template name, you'll get this error. Here's the quickest fix:
Option 1: Use the MMC snap-in (easiest)
Open Certification Authority MMC, right-click Certificate Templates, select Manage. Find the template you need. Then, on the client machine, open certlm.msc (local machine) or certmgr.msc (current user). Right-click Personal > All Tasks > Request New Certificate. This forces the wizard to present available templates — you pick one, and the CA gets the OID. Done.
Option 2: Fix your certreq command
If you're stuck using CLI, the fix is to add the -attrib parameter. Your current command probably looks like this (which will fail):
certreq -submit -config "CA-SERVER\CA-NAME" request.req
Change it to this:
certreq -submit -config "CA-SERVER\CA-NAME" -attrib "CertificateTemplate:WebServer" request.req
Replace WebServer with the actual template name. You can find template names in the CA console under Certificate Templates — the Display Name column. Common ones: WebServer, Computer, User, DomainController.
Option 3: Edit the INF file
If you're generating requests from an INF file, you might have forgotten the [RequestAttributes] section. Add this:
[RequestAttributes]
CertificateTemplate = "WebServer"
Yes, the quotation marks matter. Leave them out and the parser skips the value entirely.
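A pre-flight check for scripted submissions that ties Options 2 and 3 together, as an added example that is not part of the original page: it looks for CertificateTemplate under [RequestAttributes] in an INF and adds -attrib to the certreq arguments when the INF does not supply a usable value. The function names, the fallback parameter and the sample INF are hypothetical.

```powershell
# Added example: pre-flight check for scripted certreq submissions.
# Function names and the sample INF below are constructed for illustration.
function Get-InfCertificateTemplate {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLines)
    $inSection = $false
    foreach ($line in $InfLines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith(';')) { continue }   # blank line or INF comment
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1].Trim() -ieq 'RequestAttributes')
            continue
        }
        if ($inSection -and $text -match '^CertificateTemplate\s*=\s*(.*)$') {
            $raw = $Matches[1].Trim()
            # Quoted is tracked because the page says an unquoted value is skipped.
            return [pscustomobject]@{ Name = $raw.Trim('"'); Quoted = ($raw -match '^".+"$') }
        }
    }
    return $null   # no CertificateTemplate under [RequestAttributes]
}

function Get-CertreqSubmitArguments {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLines,
        [Parameter(Mandatory)][string]$Config,
        [Parameter(Mandatory)][string]$RequestFile,
        [string]$FallbackTemplate
    )
    $found = Get-InfCertificateTemplate -InfLines $InfLines
    $arguments = @('-submit', '-config', $Config)
    if ($null -eq $found -or -not $found.Quoted) {
        if (-not $FallbackTemplate) {
            throw 'No usable CertificateTemplate in the INF and no fallback template given.'
        }
        $arguments += @('-attrib', "CertificateTemplate:$FallbackTemplate")
    }
    return $arguments + $RequestFile
}

# Constructed sample INF with no [RequestAttributes] section.
$sampleInf = @('[NewRequest]', 'Subject = "CN=myserver.domain.com"', '', 'KeyLength = 2048')
$submitArgs = Get-CertreqSubmitArguments -InfLines $sampleInf -Config 'CA-SERVER\CA-NAME' `
    -RequestFile 'request.req' -FallbackTemplate 'WebServer'
"certreq $($submitArgs -join ' ')"   # show the command; run it with: & certreq.exe @submitArgs
```

In a real script, pass the INF through Get-Content and let the throw stop the job before the request ever reaches the CA.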
Why this happens
The CA expects every incoming request to carry a template OID. When you submit via certreq without -attrib, the request file (.req) doesn't include that information. The CA checks the request — sees no template — and throws 0x80094801. It's not a permission issue, it's not a CA misconfiguration. It's a missing piece of metadata.
The MMC snap-in avoids this because the wizard asks you to pick a template before generating the request. That's why I recommend it for one-off requests.
Less common triggers
Sometimes this error comes from something subtler. Here are two edge cases I've seen:
- Web enrollment page misconfiguration: If you're using the CA's web enrollment (the /certsrv page), make sure you're selecting a template in the dropdown. If the page doesn't show any templates, check that the CA has at least one template enabled and that the requesting user has Enroll permissions.
- PowerShell script without the correct switch: Using Get-Certificate without the -Template parameter will produce this error. Example that works:
Get-Certificate -Template WebServer -SubjectName "CN=myserver.domain.com" -CertStoreLocation Cert:\LocalMachine\My
Another oddball: third-party tools that generate PKCS#10 requests sometimes strip the template OID. If you're using a device like a load balancer or firewall, check its documentation for how to include the OID. Some vendors expect you to hardcode it in the CSR generation.
Prevention
Stop guessing. Make these three things standard in your environment:
- Always include the template in any automated script. Whether it's a batch file, PowerShell script, or Ansible playbook — the template parameter is non-negotiable. Test with a dummy cert first.
- Enable auditing on the CA. Go to the CA properties, Auditing tab, check Certificate services. When this error pops up in production, the security log will show you the exact requester and timestamp. Saves you digging through event IDs.
- Use the MMC snap-in for manual requests. It's not just easier — it prevents this error outright because the wizard enforces template selection. If you're training junior admins, show them the MMC path first. CLI can wait.
Pro tip: If you're deploying certificates at scale via Group Policy or Intune, test on a single machine first. The auto-enrollment policies can mask template issues because they enforce the OID on the client side. But if you see 0x80094801 after a fresh CA install, check that the template has been published and that the requesting computer has Read and Enroll permissions on the template ACL.
That's it. You're not dealing with a corrupt CA or a licensing problem — it's just a missing template. Slap it in the request and move on.