CA manager approval required for certificate re-enrollment

Hi there, this is Larry, a developer from the US, and Fabian, a PFE from Germany, writing about an uncommon scenario that sometimes raises questions.

When enrolling certificates to clients or users, you might want control over the initial enrollment so that you can decide whether the specific device or user really should have a certificate based on a specific template. To achieve this, you want to implement the following procedure:

  1. The initial enrollment (regardless of whether it is performed by manual or scripted enrollment or by autoenrollment) should be issued only with CA certificate manager approval.
  2. When this certificate reaches the end of its validity period, and if there is a valid certificate / private key combination, the certificate renewal should be performed automatically without CA certificate manager approval.

As you can see in the first line “Require the following for enrollment:”, the option “CA certificate manager approval” enables controlled issuance for certificates. The tick box “Require the following for reenrollment” with option “Valid existing certificate” allows reenrollment to occur without requiring CA manager approval.

Generally speaking this is possible, but there are caveats:

Online Templates

If you use templates that are configured to obtain the subject information from the Active Directory account object, you may run into the problem that reenrollment does not occur without manager approval. The renewal requests may still be taken under submission and require you to issue them manually as a CA certificate manager:

This may occur if the SAN does not contain either a User principal name (UPN) or E-mail name:

When the CA processes a renewal request, it performs a name match against the subject information within the certificate. The naming information in the signing cert (the one being renewed) needs to match the information being requested. In performing the name match, however, the CA only looks for specific items. For the name match to be successful, the original certificate must contain either a UPN or E-mail name (or both) within the SAN extension that matches the one defined on the AD account object. If this information is not present within the original certificate, the renewal request goes pending:

The workaround for this is simple: Configure your V2 or V3 template to include the UPN or E-mail name within the SAN and renewals will succeed as expected:

If the SAN information within the certificate being renewed is different from that defined on the AD account object, such as in the case of an account rename, the renewal request may also go pending. If the signing cert contains only the UPN or only the E-mail name, then that name must match what is defined on the AD account object. However, if both the UPN and E-mail name are present, only one needs to match for the renewal to succeed without requiring CA manager approval.

The described behavior holds true for both user and computer templates.

Offline Templates

The behavior is different for offline templates, where the subject information is provided within the certificate request. When a renewal request for an offline template is evaluated, a similar name match is performed; however, today only the Subject is evaluated and SAN information is ignored.
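
The name-match rules from the Online Templates and Offline Templates sections above can be modeled to find certificates whose renewal would go pending. This is an added example, not code from the CA or from the authors; the record layout, the function names, the sample accounts and the case-insensitive comparison are assumptions.

```python
# Added example: a model of the renewal name match described in this post.
# Not the CA's code; field names and case-insensitive matching are assumptions.

def renewal_outcome(cert, account=None, request_subject=None, offline=False):
    """Return (decision, reason) for a renewal request signed with `cert`."""
    norm = lambda s: (s or "").strip().lower()
    if offline:
        # Offline template: only the Subject is evaluated, the SAN is ignored.
        if norm(cert["subject"]) == norm(request_subject):
            return ("issue", "subject matches")
        return ("pending", "subject differs from signing certificate")
    # Online template: the SAN needs a UPN and/or E-mail name that matches AD.
    san = cert.get("san", {})
    present = {k: san[k] for k in ("upn", "email") if san.get(k)}
    if not present:
        return ("pending", "no UPN or E-mail name in SAN")
    account = account or {}
    matched = [k for k, v in present.items() if norm(v) == norm(account.get(k))]
    if matched:  # with both names present, one match is enough
        return ("issue", "matched on " + "/".join(matched))
    return ("pending", "SAN names do not match AD account")

def audit(certs, directory):
    """Map certificate id -> outcome so at-risk renewals are known in advance."""
    return {c["id"]: renewal_outcome(c, directory.get(c["account"])) for c in certs}

# Constructed sample data: "bob" was renamed, so his UPN changed in AD.
DIRECTORY = {
    "alice": {"upn": "alice@contoso.com", "email": "alice@contoso.com"},
    "bob": {"upn": "robert@contoso.com", "email": "bob@contoso.com"},
    "srv01$": {"upn": None, "email": None},
}
CERTS = [
    {"id": "c1", "account": "alice", "san": {"upn": "alice@contoso.com"}},
    {"id": "c2", "account": "bob", "san": {"upn": "bob@contoso.com"}},
    {"id": "c3", "account": "bob",
     "san": {"upn": "bob@contoso.com", "email": "bob@contoso.com"}},
    {"id": "c4", "account": "srv01$", "san": {"dns": "srv01.contoso.com"}},
]

if __name__ == "__main__":
    for cert_id, (decision, reason) in audit(CERTS, DIRECTORY).items():
        print(cert_id, decision, reason)
    # Offline template: a differing SAN does not matter, the Subject does.
    web = {"subject": "CN=mywebsite.contoso.com", "san": {"dns": "old.contoso.com"}}
    print(renewal_outcome(web, request_subject="cn=mywebsite.contoso.com", offline=True))
```

In this constructed data, c2 (UPN only, account renamed) and c4 (no UPN or E-mail name in the SAN) are the renewals a CA certificate manager would have to approve by hand.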

Cheers!

Comments

  • Anonymous
    January 01, 2003
    Hi there, please consider the following scenario: on my W2K8 R2 server named "server.contoso.com" I have an SSL cert with custom subject "mywebsite.contoso.com". After the initial manual request it will be automatically renewed before expiration. This scenario works fine with proper configuration on Win7/2k8R2. Now I'd add CA manager approval but ONLY for the initial manual request. I still want fully automatic renewal. Did anyone find a solution for this scenario? I tried several combinations of settings in this post (in conjunction with the setting "Use subject information from existing certificates for autoenrollment renewal requests" on template) but CA manager is always required to approve the renewal request. Thank you Riccardo

  • Anonymous
    January 01, 2003
    Hi Christian, Larry provided the following answers: :-) (#1) The topic we documented holds true for renewals, regardless of whether they are auto enroll initiated or manually initiated. (#2) You are correct that you cannot have a UPN within the subject, only within the SAN.   The difference in behavior between offline and online templates is that for offline, the SAN is not evaluated, only the subject.  In this case, regardless of whether it is a user or machine cert, the subject information must match.  This means that the previously mentioned requirement that SAN contain either a UPN or email address does not apply. Of course, with Windows 7 the new client code provides the ability to auto-renew offline templates, so this makes this scenario a lot easier than it has been in the past.  The client automatically populates the renewal cert request with the subject info from the cert that is being renewed. HTH Fabian

  • Anonymous
    February 23, 2012
    Question #1 For the online template it works if you do a manual reenroll in the GUI "Renew Certificate with new key". If you instead use Autoenrollment, the reenrolled certificate request will be pending in the CA. Any idea? Is this supposed to work? Question #2 You write that name matching in offline templates only evaluates the subject name. You say that name matching only uses email or UPN. What about computer objects? From what I know you cannot have a UPN in the subject name, only in the SAN. Regards Christian

  • Anonymous
    January 27, 2014
    I believe it may be a misguided app link instead of cert that ended up as link on computer owner's home-made ID card

  • Anonymous
    April 28, 2014
    Hello All, This is Wes Hammond with Premier Field Engineering back with follow up to a previous blog