If you want to use the certificates console's Advanced Operations - Enroll on behalf of wizard with an Enrollment Agent certificate (RA, registration authority), you may receive the error message "No certificate available - no certificates meet the application criteria" or "The template is missing required policy signature attribute". Some of the less obvious reasons are:
- on Windows 7, Windows Vista, Windows 2008 and Windows 2008 R2 the enrollment agent signing certificate's private key must be stored by a legacy CSP (cryptographic service provider) instead of the newer KSP/CNG (key storage provider); the wizard on these systems does not support KSP-stored keys. You can verify which provider holds the key according to one of my previous articles.
- although KSP is supported since Windows 8 and Windows 2012, the enrollment agent certificate must contain the Certificate Request Agent enhanced key usage (EKU, application policy) with OID 1.3.6.1.4.1.311.20.2.1. This might seem limiting, as if you could not use your own different application policies for different RA signing certificates, but it is not: a certificate can carry multiple application policies. If you want several enrollment agent (RA) signing certificate templates with different EKU OIDs, add both your custom application policy OID and the Certificate Request Agent OID to each of them. On the Issuance Requirements tab of the target template you then specify the custom OID instead of the Certificate Request Agent OID, which would be present in all enrollment agent certificates anyway and so would not distinguish them. In a similar manner, you can use an Issuance policy OID for the same purpose: add a custom issuance policy to the enrollment agent certificates and configure the Issuance Requirements tab to require Both application and issuance policy.
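Both checks above (legacy CSP versus KSP, and presence of the Certificate Request Agent EKU) can be scripted. The following PowerShell is an added example, not code from the original article; it assumes the enrollment agent certificate sits in the current user's personal store and that, on Windows PowerShell (.NET Framework), the PrivateKey property returns an RSACryptoServiceProvider only for legacy CSP keys and null for KSP/CNG keys.

```powershell
# Added example: list certificates with a private key in Cert:\CurrentUser\My and
# report why the "Enroll on behalf of" wizard may reject them as RA certificates.
$raEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU OID

function Test-EnrollmentAgentCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Extended Key Usage extension (2.5.29.37); .NET exposes it as a typed object.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasRaEku = $ekuOids -contains $raEku

    # Assumption (see lead-in): PrivateKey is an RSACryptoServiceProvider only when
    # the key lives in a legacy CSP; a KSP/CNG key yields $null or another type.
    $provider  = 'no accessible private key'
    $legacyCsp = $false
    if ($Cert.HasPrivateKey) {
        try { $key = $Cert.PrivateKey } catch { $key = $null }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $legacyCsp = $true
            $provider  = $key.CspKeyContainerInfo.ProviderName
        } else {
            $provider = 'KSP/CNG (no legacy CSP handle)'
        }
    }

    [pscustomobject]@{
        Subject            = $Cert.Subject
        Thumbprint         = $Cert.Thumbprint
        HasRequestAgentEku = $hasRaEku
        LegacyCsp          = $legacyCsp
        Provider           = $provider
        # Windows 7 / 2008 R2 wizard: needs the EKU and a legacy CSP key.
        UsableOnWin7       = $hasRaEku -and $legacyCsp
        # Windows 8 / 2012 and later: the EKU is still required, KSP keys are fine.
        UsableOnWin8Plus   = $hasRaEku -and $Cert.HasPrivateKey
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-EnrollmentAgentCert -Cert $_ } |
    Format-Table -AutoSize
```

A row with HasRequestAgentEku false explains the "does not meet the application criteria" message; a row with LegacyCsp false on Windows 7 or 2008 R2 explains the same error even though the EKU is present.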