How to Fix “Certificate Types Are Not Available” Error When Creating Computer Certificates for SQL Server SSL in Windows Server 2008



When attempting to create a computer certificate through the MMC Certificates snap-in on Windows Server 2008 SP1 for a SQL Server SSL implementation, administrators often encounter the frustrating "Certificate types are not available" error. This occurs specifically when right-clicking the Certificates folder under the Personal store and selecting "Request New Certificate."

The primary reasons for this error include:

1. Missing Certificate Templates in Active Directory
2. Improper Enterprise CA configuration
3. Insufficient permissions for the requesting account
4. Outdated Group Policy settings

Here's how to properly configure certificate enrollment:

1. Verify AD Certificate Templates

First, check if appropriate templates exist in Active Directory:

# PowerShell (ADCSAdministration module, Windows Server 2012 and later, run on the CA):
# list the templates the CA is configured to issue
Get-CATemplate | Format-Table -Property Name, SchemaVersion

If missing, create a Computer template:

1. Open Certification Authority console
2. Right-click Certificate Templates -> Manage
3. Duplicate the Computer template
4. Set appropriate permissions under Security tab

2. Configure Enterprise CA

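For SQL Server SSL, set the CA policy edit flag below, then restart Certificate Services so the change takes effect. EDITF_ATTRIBUTEENDDATE lets a requester specify the certificate's expiration date through request attributes:

certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
net stop certsvc
net start certsvc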

3. Certificate Request via Command Line

When the GUI fails, try certreq:

; Example INF file for SQL Server certificate
[NewRequest]
Subject = "CN=SQLServer01.domain.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

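Then execute the following. The CertificateTemplate attribute takes the template's name rather than its display name; the built-in Computer template's name is Machine (substitute the name of your duplicated template if you created one):

certreq -new request.inf request.req
certreq -submit -attrib "CertificateTemplate:Machine" request.req cert.cer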

For test environments, create a self-signed certificate (New-SelfSignedCertificate requires Windows Server 2012 or later):

$cert = New-SelfSignedCertificate -DnsName "sqlserver.domain.com" -CertStoreLocation "cert:\LocalMachine\My"
$cert | Export-PfxCertificate -FilePath "C:\temp\SQLCert.pfx" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)

After obtaining the certificate, assign it in SQL Server Configuration Manager:

1. Navigate to SQL Server Network Configuration
2. Enable TCP/IP if disabled
3. In the IP Addresses tab, set TCP Port to 1433 (or your custom port)
4. Under the Certificate tab, select the installed certificate

Remember to restart the SQL Server service after applying changes.


When working with Windows Server 2008 SP1 to configure SSL certificates for MSSQL server connections, many administrators encounter the frustrating "Certificate types are not available" error during certificate enrollment. This typically occurs when attempting to:


1. Open MMC → Add Certificates snap-in
2. Navigate to Certificates (Local Computer) → Personal
3. Right-click → All Tasks → Request New Certificate

In domain-joined environments with proper administrator privileges, this error usually stems from one of these technical issues:

  • Missing Certificate Templates in Active Directory
  • Insufficient permissions for the Certificate Authority
  • Incorrect Certificate Enrollment Policy configuration
  • Outdated Cryptographic Service Provider

Here's the complete technical solution I've verified in production environments:

1. Verify and Configure Certificate Templates

# PowerShell command to check available templates
# (Get-CertificateTemplate comes from the PSPKI module, not from Windows itself)
Get-CertificateTemplate | Format-Table Name, SchemaVersion

If no templates appear, you'll need to configure them in Active Directory Certificate Services (AD CS). The Computer template is essential for SQL Server SSL certificates.

2. Configure Certificate Authority Permissions

certtmpl.msc  # Open Certificate Templates Console

Right-click the Computer template → Properties → Security → Add Domain Admins group with Enroll permissions.

3. Alternative Method: Manual Certificate Request

When templates aren't available, create a manual request:

# Generate CSR
certreq -new request.inf request.req

# Submit to CA
certreq -submit -config "CA-Server\CA-Name" request.req cert.cer

# Install certificate
certreq -accept cert.cer

After obtaining the certificate, configure SQL Server to use it:

-- T-SQL to configure certificate
USE [master]
GO
EXEC xp_instance_regwrite 
    N'HKEY_LOCAL_MACHINE', 
    N'Software\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib',
    N'Certificate', 
    N'REG_SZ', 
    N'THUMBPRINT_HERE'
GO

  • Always restart SQL Server service after certificate changes
  • Verify certificate chain validity with certmgr.msc
  • Check event logs for SCHANNEL errors if connections fail
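
A pre-flight check to run before the thumbprint is written to the Certificate registry value above, as an added example that is not part of the original article. The function name Test-SqlTlsCertificate and its parameters are hypothetical; it checks the properties the INF file requests (Server Authentication EKU, subject CN) together with the private key, validity dates and chain.

```powershell
# Added example, not from the original article. Test-SqlTlsCertificate and its
# parameters are hypothetical names; run it on the SQL Server host.
function Test-SqlTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$ServerFqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as in the INF

    # Thumbprints copied from the certificate dialog can carry spaces or an
    # invisible leading character, so keep the hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }
    if (-not $cert) { throw "No certificate $clean in LocalMachine\My" }

    # Collect the EKU OIDs from the raw extension (works on PowerShell 2.0).
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject CN, compared case-insensitively with the name clients connect to.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $cert.GetNameInfo($nameType, $false)

    # Build the chain in machine context (argument $true = useMachineContext).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chainOk = $chain.Build($cert)
    $now = Get-Date

    New-Object PSObject -Property @{
        Thumbprint    = $clean
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        SubjectMatch  = ($cn -eq $ServerFqdn)
        ChainValid    = $chainOk
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Example call with the article's placeholder values:
# Test-SqlTlsCertificate -Thumbprint 'THUMBPRINT_HERE' -ServerFqdn 'SQLServer01.domain.com'
```

Any field that comes back False points at the reason SQL Server would refuse to load the certificate or clients would reject it; ChainStatus names the failing chain element when ChainValid is False.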

For environments without AD CS, consider using OpenSSL to generate certificates:

openssl req -x509 -nodes -newkey rsa:2048 -keyout mssql.key -out mssql.pem -days 365