CERTSRV_E_UNSUPPORTED_CERT_TYPE (0x80094800) Fix
This error means the CA can't issue a cert from the template you picked. I'll walk you through the three most common causes and fixes fast.
If you're staring at error CERTSRV_E_UNSUPPORTED_CERT_TYPE (0x80094800), I feel your pain. This one pops up when the CA decides it can't use the certificate template you're asking for. I've seen it drive admins crazy, especially on newer Windows Server versions. But don't worry — it's almost always one of three things, and I'll show you how to nail each one.
This error usually hits when you try to enroll a certificate through certreq or the MMC snap-in, and the CA spits back: "The requested certificate template is not supported by this CA." Let's fix that.
Cause 1: Template Version Mismatch (Schema Version Too New)
This is the most common reason. If your CA runs Windows Server 2008 R2 or earlier, it can't handle templates with schema version 2 or higher. Version 2 templates have features like application policies, and the old CA just chokes.
Here's how to check. On your CA server, open PowerShell or cmd and run:
certutil -catemplates
Look at the template you're trying to use. If it says Schema version: 2 (or 3) and your CA is on Server 2008 R2, that's your problem.
The fix: You've got two options. The cleanest one is to upgrade the CA to Windows Server 2012 or later. But if you're stuck on old hardware, use a version 1 template instead. Windows ships with a few built-in ones: User, Computer, and Web Server are all version 1.
To make a new version 1 template, duplicate the built-in ones and don't change the compatibility settings. That's usually enough. Then assign that template to your CA and try again.
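If you're using certreq with an INF file, make sure it doesn't reference a template that the CA can't use. certreq reads the template name from the CertificateTemplate key in the [RequestAttributes] section, not from [NewRequest]. Example INF snippet:
[NewRequest]
Subject = "CN=myserver.contoso.com"
[RequestAttributes]
CertificateTemplate = WebServer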
Replace WebServer with a version 1 template name.
Cause 2: Template Not Issued to the CA
This one's embarrassing when it happens, but we've all been there. A template can exist in Active Directory and look fine, but the CA itself hasn't been told it can issue that template. The CA only serves templates you explicitly add to its issuance list.
To check, open the CA MMC (certsrv.msc). Right-click Certificate Templates under your CA and choose Manage. That shows all templates available in the forest. Then go back to the CA, right-click Certificate Templates again, and pick New → Certificate Template to Issue. If your template isn't in that list, the CA can't issue it.
If it's not listed, first make sure the template is published to AD. You can do this from the Certificate Templates console — right-click and choose Replicate if needed. Wait a few minutes, then refresh the CA's list.
Once the template shows up in the "New" dialog, select it and click OK. Now the CA can issue it. Try your enrollment again — I'd bet it works.
Cause 3: Template Permissions Blocking Enrollment
This one's sneaky because you won't get a permission error — you'll get that 0x80094800 code instead. The CA checks if the requesting user or computer has the Enroll permission on the template. Even administrators can get tripped up if permissions are set too tight.
Open the Certificate Templates console (certsrv.msc → right-click Certificate Templates → Manage). Find your template, right-click, and choose Properties. Go to the Security tab.
You need to see who's trying to enroll. If it's a computer, the Domain Computers group needs Read and Enroll permissions (at minimum). For users, add Domain Users or Authenticated Users with the same rights.
Don't give Full Control to everyone — that's a security risk. Just Read and Enroll. Apply, wait a few minutes for AD replication, then retry.
I've seen this bug bite people when they use the Workstation Authentication template and forget to add the computer's own account. That's a classic.
Quick-Reference Summary
| Cause | Symptom | Fix |
|---|---|---|
| Template version mismatch | CA is old (Server 2008 R2 or earlier), template is version 2+ | Upgrade CA or use a version 1 template |
| Template not issued to CA | Template not in CA's issuance list | Add template via CA MMC → Certificate Template to Issue |
| Insufficient enroll permissions | User/computer lacks Enroll on template | Add Read + Enroll to requesting principal in template security |
The fix for 0x80094800 is rarely complicated — it's just about checking these three boxes in order. Start with the version, then the issuance, then permissions. I've never seen it be anything else. Good hunting!
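The three checks above, run in order against Active Directory, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the template and group names are placeholders, and the last step lists the over-broad template permissions warned about under Cause 3.

```powershell
# Added example (not from the original article). Read-only checks, in the article's order.
# Assumes the RSAT ActiveDirectory module; the parameter defaults are placeholders.
param(
    [string]$TemplateName = 'WebServer',         # template CN, as named in the INF file
    [string]$Principal    = 'Domain Computers'   # account or group that should enroll
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$pki = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pki" -LDAPFilter "(cn=$TemplateName)" `
    -Properties 'msPKI-Template-Schema-Version', nTSecurityDescriptor
if (-not $tpl) { throw "Template '$TemplateName' was not found in Active Directory." }

# Cause 1: schema version stored on the template object
$schema = $tpl.'msPKI-Template-Schema-Version'
"Schema version : $(if ($schema) { $schema } else { 'attribute not set' })"

# Cause 2: is the template on a CA's issuance list (certificateTemplates attribute)?
$cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pki" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates, dNSHostName
foreach ($ca in $cas) {
    "Issued by {0} on {1}: {2}" -f $ca.Name, $ca.dNSHostName,
        ($ca.certificateTemplates -contains $TemplateName)
}

# Cause 3: Allow ACEs that give the principal Read and Enroll on the template
$enroll = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$allow  = $tpl.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
$mine   = $allow | Where-Object { $_.IdentityReference -like "*$Principal" }
$canRead   = [bool]($mine | Where-Object { $_.ActiveDirectoryRights.HasFlag($rights::GenericRead) })
$canEnroll = [bool]($mine | Where-Object {
    $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
    ($_.ObjectType -eq $enroll -or $_.ObjectType -eq [guid]::Empty) })
"Read for $Principal   : $canRead"
"Enroll for $Principal : $canEnroll"

# Over-broad grants: write-level rights on the template held by large built-in groups
$broad = 'Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone'
$write = $rights::GenericAll, $rights::WriteDacl, $rights::WriteOwner, $rights::WriteProperty
$allow | Where-Object {
    $ace = $_
    ($broad | Where-Object { $ace.IdentityReference -like "*$_" }) -and
    ($write | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) })
} | ForEach-Object { "WARNING: {0} holds {1}" -f $_.IdentityReference, $_.ActiveDirectoryRights }
```

The permission check matches ACEs by name only, so rights inherited through nested group membership are not resolved; a False result for a principal that enrolls through another group is expected.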