Fix CERTSRV_E_KEY_ATTESTATION (0x8009481A) in Windows CA
Key attestation failed when enrolling for a certificate on Windows Server CA. Usually a TPM driver or policy mismatch. Here's the fix.
You'll see this error when...
You're enrolling for a certificate on a Windows Server CA (2019 or 2022) and you get a big red X with 0x8009481A - Key attestation did not succeed. It usually pops up when you're requesting a certificate with TPM key attestation — for example a machine certificate that binds the private key to a hardware TPM. Last month, I had a client with a fleet of Dell PowerEdge servers that suddenly refused to enroll after a Windows patch Tuesday. No fun.
Why it happens
The CA is trying to verify that the private key was generated in a genuine TPM, but the attestation check fails. This can be because:
- The TPM driver is old or buggy (I've seen this a lot on older firmware versions)
- The CA template requires attestation but the TPM doesn't support the requested algorithm (e.g., RSA 4096 instead of RSA 2048)
- The TPM attestation identity key (AIK) isn't provisioned properly
- Certificate template has key attestation enforcement set to "required" instead of "optional"
Step-by-step fix (do these in order)
Step 1: Update TPM firmware and drivers
Don't skip this — it fixes 60% of cases. Check your TPM state with Get-Tpm in PowerShell (run as admin). If it reports TpmReady: False, you've got a driver problem. Go to your manufacturer's support site (Dell, HP, Lenovo) and grab the latest TPM firmware update. Also update the TPM driver in Device Manager under "Security devices". Reboot afterwards.
Step 2: Provision the TPM AIK
If that didn't work, the AIK might be missing. Run this PowerShell as admin:
Initialize-Tpm -AllowClear -AllowPhysicalPresence
It'll prompt for a reboot. After the reboot, verify with Get-Tpm | Select-Object TpmReady, TpmEnabled, TpmActivated. All three should show True.
Step 3: Check the certificate template settings
Open the Certification Authority MMC, right-click the template you're using, and go to Properties. On the Request Handling tab, find the "Key attestation" dropdown. If it's set to "Required (attestation only)", change it to "Optional (allow client to opt in)" or "Optional (allow client to choose)". Apply, then restart the CA service from an elevated command prompt: net stop certsvc && net start certsvc.
Step 4: Check the CA policy module
This is less common but it happens. In the CA console, right-click the CA name, go to Properties, then the Policy Module tab. Click "Properties" and verify that "Key attestation" is set to "Optional" or "Not configured". If it's set to "Required", change it.
Step 5: Request with a compatible key algorithm
Some TPM 2.0 modules don't handle RSA 4096-bit keys well for attestation. Try requesting with a template that uses RSA 2048. You can modify the template in the Certificate Templates snap-in: find your template, open Properties, then the Cryptography tab, and set "Minimum key size" to 2048. Re-issue the certificate request.
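To avoid clicking through Steps 1 to 5 blind, here is an added triage script (not from the original post) that reads the TPM state on the client and the published template's attestation flags straight from Active Directory, then flags which step applies. It assumes the RSAT ActiveDirectory module is installed, that the template CN "TpmAttestedMachine" is a placeholder for yours, and that the msPKI-Private-Key-Flags bit values follow MS-CRTD section 2.27.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the original post). Assumptions: RSAT ActiveDirectory
# module available; the template name is a placeholder; flag bits per MS-CRTD 2.27.

$CT_FLAG_ATTEST_PREFERRED = 0x1000   # template UI: "Optional"
$CT_FLAG_ATTEST_REQUIRED  = 0x2000   # template UI: "Required" (the setting Step 3 relaxes)

function Get-TpmAttestationReadiness {
    # Steps 1-2: is the TPM present, ready, and does it expose an endorsement key?
    $tpm = Get-Tpm
    $ek  = Get-TpmEndorsementKeyInfo -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TpmPresent          = $tpm.TpmPresent
        TpmReady            = $tpm.TpmReady
        TpmEnabled          = $tpm.TpmEnabled
        TpmActivated        = $tpm.TpmActivated
        EkPresent           = [bool]($ek -and $ek.IsPresent)
        ManufacturerVersion = $tpm.ManufacturerVersion
    }
}

function Get-TemplateAttestationMode {
    # Steps 3 and 5: read the published template from AD instead of the MMC dialogs.
    param([Parameter(Mandatory)][string]$TemplateName)
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $t = Get-ADObject -SearchBase $base -LDAPFilter "(cn=$TemplateName)" `
         -Properties 'msPKI-Private-Key-Flags','msPKI-Minimal-Key-Size'
    if (-not $t) { throw "Template '$TemplateName' not found under $base" }
    $flags = [int]$t.'msPKI-Private-Key-Flags'
    $mode  = if ($flags -band $CT_FLAG_ATTEST_REQUIRED)      { 'Required' }
             elseif ($flags -band $CT_FLAG_ATTEST_PREFERRED) { 'Optional' }
             else                                            { 'NotConfigured' }
    [pscustomobject]@{
        Template        = $TemplateName
        AttestationMode = $mode
        MinKeySize      = [int]$t.'msPKI-Minimal-Key-Size'
        PrivateKeyFlags = '0x{0:X}' -f $flags
    }
}

# Run on the enrolling client. $TemplateName is a placeholder for your template's CN.
$TemplateName = 'TpmAttestedMachine'
$ready = Get-TpmAttestationReadiness
$tmpl  = Get-TemplateAttestationMode -TemplateName $TemplateName
$ready; $tmpl
if (-not $ready.TpmReady)                 { Write-Warning 'TPM not ready: Steps 1-2 (firmware/driver, Initialize-Tpm).' }
if ($tmpl.AttestationMode -eq 'Required') { Write-Warning 'Template requires attestation: Step 3 if the TPM cannot satisfy it.' }
if ($tmpl.MinKeySize -gt 2048)            { Write-Warning 'Template demands >2048-bit keys: Step 5 (some TPMs cannot attest RSA 4096).' }
```

The two functions return objects, so you can pipe them to Export-Csv across a fleet and spot which hosts are failing on the TPM side versus the template side.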
If it still fails
Check the Event Viewer logs under Applications and Services Logs > Microsoft > Windows > CertificateServices > Lifecycle-System. Look for event ID 4886 or 4887 — those log the exact attestation failure reason. If you see "TPM attestation failing due to invalid AIK", you might need to clear and reprovision the TPM entirely (back up your keys first!). Also verify that the client machine can reach the CA — a firewall rule blocking port 443 can cause odd failures that look like attestation errors.
One last thing: if you're on Windows Server 2016 or older, TPM key attestation wasn't supported properly — upgrade to 2019 or 2022. I tried every trick with a Server 2016 CA once. Never again.