CA manager approval required for certificate re-enrollment

Hi there, this is Larry, Developer from US, and Fabian, PFE from Germany, writing about an uncommon scenario that might raise questions sometimes.

When enrolling certificates to clients or users, you might want to have control regarding the initial enrollment of the certificate in order to decide, if the specific device or user really should have a certificate based on a specific template. Therefore you want to implement the following procedure:

1. The initial enrollment (regardless if performed by manual respectively scripted enrollment or autoenrollment) should be issued only with CA certificate manager approval.
2. When this certificate reaches the end of validity period and if there is a valid certificate / private key combination, the certificate renewal should be performed automatically without CA certificate manager approval.

As you can see in the first line “Require the following for enrollment:”, the option “CA certificate manager approval” enables controlled issuance for certificates. The tick box “Require the following for reenrollment” with option “Valid existing certificate” allows reenrollment to occur without requiring CA manager approval.

Generally speaking this is possible, but there are caveats:

Online Templates

If using templates that are configured to obtain the subject information from the Active Directory account object, you may run into the problem that the reenrollment does not occur without manager approval. The renewal request may still be taken under submission and require you to issue them manually as a CA certificate manager:

This may occur if the SAN does not contain either a User principal name (UPN) or E-mail name:

When the CA is processing a renewal request, there is a name match performed against the subject information within the certificate. The naming information in the signing cert (the one being renewed) needs to match that being requested. In performing the name match, however, the CA is only looking for specific items. This name match requires that the original certificate conains either a UPN or E-mail name (or both) within the SAN extension, that matches that defined on the AD account object. In order for this name match to be successfulI, if this information is not present within the original certificate the renewal request goes pending:

The workaround for this is simple: Configure your V2 or V3 template to include the UPN or E-mail name within the SAN and renewals will succeed as expected:

In the event that the SAN information within the certificate being renewed, is different than that defined on the AD account object, such as in the case of an account re-name, the renewal request may also go pending. If the signing cert contains only the UPN or E-mail name, then that name must match what is defined on the AD account object. However, if both the UPN and E-mail name are present, only one need match in order for the renewal to be successful without requiring CA manager approval.

The described behavior holds true for both user and computer templates.

Offline Templates

The behavior for offline templates, where the subject information is provided within the certificate request, the behavior is different. When a renewal request for an offline template is evaluated, a similar naming match is performed, however, today only the Subject is evaluated and SAN information is ignored.

Cheers!