I was working on a clients Skype for Business migration from Lync 2013 deploying the new Office Online Server and needed to get a certificate. I went into IIS and requested a new certificate but no CA’s were listed for me to select. Next I just generated the CSR and tried using the Web Services https://servername/certsrv, this failed as it was not setup properly. Next I tried to RDP to the CA and use the Certificate Authority console from the MMC, this failed with an error Certificate not issued (Denied) Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute. As a last ditch effort without trying to fix the clients CA I went to command line. From the CA I used the following command “certreq –submit –attrib “CertficateTemplate:WebServer” C:\temp\certfile.req I was prompted to choose the CA and was able to save my certificate.
Hopefully this helps anyone else that is working with a broken CA.