Fix CERTSRV_E_ISSUANCE_POLICY_REQUIRED (0x8009480C)

You're trying to issue a certificate, and boom — CERTSRV_E_ISSUANCE_POLICY_REQUIRED (0x8009480C). I've seen this most often when someone uses a custom certificate template that requires specific issuance policies, but the request doesn't include them. Usually happens in a corporate environment with a Windows Server 2016 or 2019 Enterprise CA.

Had a client last month whose entire automated certificate enrollment broke overnight. Turned out a junior admin had modified the template's policy settings without realizing the clients still sent requests without those policies. Took me an hour to trace it back.

Root Cause

The CA is configured to require at least one issuance policy in every certificate request. The template you're using has the Issuance Policies tab set to require a specific policy (like a limited issuance policy). But the client machine — or the request itself — isn't including that policy. Could be because:

• The template's policy is misconfigured.
• The client's enrollment request doesn't match the required policy.
• You're using a legacy client that doesn't support policy mapping.
• Or someone manually added a policy OID that doesn't exist in the CA's policy list.

The Fix (Step by Step)

Step 1: Check the Template's Issuance Policy

Open the Certificate Templates console (certtmpl.msc). Find the template you're using, right-click, and go to Properties. Click the Issuance Policies tab. Look for any entries listed. If there's a policy listed, select it and click Remove — unless you absolutely need it for compliance. If you remove it, the CA won't require it, and the error goes away. But if you need it, continue to Step 2.

Step 2: Verify the Policy OID Exists on the CA

On the CA server, open the Certification Authority console. Right-click your CA name, choose Properties, then the Policy Module tab. Click Properties again. Check the Edit button — you'll see a list of issuance policies. If the OID from the template isn't listed here, add it by clicking Add, entering the same OID string (like 1.3.6.1.4.1.311.21.8.12345). This syncs what the CA expects with what the template demands.

Step 3: Update the Template on the CA

After adding the policy, go back to the Certificate Templates console. Right-click the template, choose Properties, Issuance Policies tab. Make sure the policy OID matches exactly. If you added it in Step 2, it should now be available in the dropdown. Select it, click Add. Then click OK. Wait — this doesn't apply immediately. You must re-issue the template. In the CA console, right-click Certificate Templates, choose New > Certificate Template to Issue, and select the updated template. Overwrite if prompted.

Step 4: Force the Client to Re-Enroll

On the client machine, run certlm.msc (Local Machine certificate store). Find the existing failed request under Failed Requests. Right-click and choose All Tasks > Resubmit. Or better — open an admin command prompt and run certreq -enroll -machine -policyserver [your CA server]. This forces a fresh request that should now include the required policy.

What to Check If It Still Fails

If you're still hitting the same error, check these two things:

• Event Viewer logs on the CA — look under Applications and Services Logs > Microsoft > Windows > CertificateServices > Operational. You'll see Error event ID 51 with more details. Sometimes it shows a specific OID mismatch.
• Is the client using a third-party tool? If you're submitting via a script or a custom tool, the request might not be including the policy at all. Use certreq -new with an INF file that explicitly includes policies = (1.3.6.1.4.1.311.21.8.12345).

One last thing — if you recently migrated the CA or restored a template from backup, the policy list can get out of sync. I've seen that trip up more than one admin. Check the CA's Issuance Policies tab in the properties every time you touch templates.