Windows PKI blog

News and information for public key infrastructure (PKI) and Active Directory Certificate Services (AD CS) professionals

Populate Subject Name for Offline Templates on Renew

Offline templates are certificate templates that require the subject name to be supplied in the certificate request itself. The certificate authority (CA) uses the subject name from the request, as supplied, as the subject of the certificate it issues; it does not build or look up that name itself. This is different from online templates, where the Microsoft CA reads Active Directory (AD) to determine the subject name of the certificate it issues.

You configure this on the Subject Name tab of the Certificate Templates snap-in; see the screen shot below (Figure 1). The checkbox "Use subject information from existing certificates for autoenrollment renewal requests" is available only on Windows Server 2008 R2.

[Figure 1: Subject Name tab of the Certificate Templates snap-in. "Supply in the request" means the template is an offline template.]

Before Windows 7, the auto-enrollment client would not auto-renew machine certificates issued from an offline template [Table 1: row 1, column 4]. Also before Windows 7, user certificates issued from an offline template required user interaction during renewal, so that the user could type in the subject name to be included in the certificate request [Table 1: row 3, column 4].

On Windows 7, the auto-enrollment client auto-renews machine certificates issued from an offline template only if the "Use subject information from existing certificates for autoenrollment renewal requests" checkbox is turned on [Table 1: row 2, column 4]; with that option set, the subject information for the renewal request is taken from the existing certificate instead of being typed in. The option is available only on Windows Server 2008 R2, and only for version 2 or version 3 machine templates. The behavior for user certificates is unchanged in Windows 7 [Table 1: row 4, column 4].

Table 1

Client operating system | Machine or user | Auto-enroll          | Auto-renew
Pre-Windows 7           | Machine         | No                   | No
Windows 7               | Machine         | No                   | Yes – with the "Use subject from existing certificates" option set on the server template
Pre-Windows 7           | User            | Yes – with UI pop-up | Yes – with UI pop-up
Windows 7               | User            | Yes – with UI pop-up | Yes – with UI pop-up
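As an added example (not part of the original post), the following PowerShell reads the certificate templates from the Configuration partition and reports, for each one, whether the subject is supplied in the request (an offline template) and whether the "Use subject information from existing certificates for autoenrollment renewal requests" option is set. The two bit values are the msPKI-Certificate-Name-Flag constants from the MS-CRTD specification; the function name and the output column names are my own. It needs only read access to the Certificate Templates container, which authenticated users have by default.

```powershell
# Added example, not from the original post. Decodes the two
# msPKI-Certificate-Name-Flag bits this post is about. Flag values are the
# MS-CRTD constants; the function name is an assumption of this example.

# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT: subject comes from the request ("Supply in the request")
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT             = 0x00000001
# CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME: the "Use subject information from
# existing certificates for autoenrollment renewal requests" checkbox
$CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008

function Get-TemplateSubjectSource {
    [CmdletBinding()]
    param(
        # Optional template name filter, LDAP wildcard allowed (e.g. "Web*")
        [string]$Name = '*'
    )

    # Templates live in the Configuration partition, forest-wide
    $rootDse = [ADSI]'LDAP://RootDSE'
    $cfgNc   = $rootDse.configurationNamingContext
    $tplPath = "LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$tplPath
    $searcher.Filter     = "(&(objectClass=pKICertificateTemplate)(cn=$Name))"
    $searcher.PageSize   = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'cn', 'displayName', 'msPKI-Certificate-Name-Flag', 'msPKI-Template-Schema-Version'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties

        # The attribute is a signed 32-bit integer; -band tests the raw bits.
        # Treat a missing attribute as 0 (no bits set).
        [int]$nameFlag = 0
        if ($p.Contains('mspki-certificate-name-flag')) {
            $nameFlag = [int]$p['mspki-certificate-name-flag'][0]
        }

        $subjectInRequest = ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
        $reuseOldSubject  = ($nameFlag -band $CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME) -ne 0

        [pscustomobject]@{
            Template         = [string]$p['cn'][0]
            DisplayName      = [string]$p['displayname'][0]
            SchemaVersion    = [int]$p['mspki-template-schema-version'][0]
            NameFlag         = ('0x{0:X8}' -f $nameFlag)
            SubjectInRequest = $subjectInRequest   # offline template
            ReuseOldSubject  = $reuseOldSubject    # renewal checkbox set
        }
    }
}

# Offline templates whose machine certificates will not auto-renew on Windows 7,
# because the renewal checkbox is not set (table row 1 vs. row 2 in the post)
Get-TemplateSubjectSource |
    Where-Object { $_.SubjectInRequest -and -not $_.ReuseOldSubject } |
    Format-Table Template, SchemaVersion, NameFlag, SubjectInRequest, ReuseOldSubject -AutoSize
```

Run it from any domain-joined machine after changing the template; the flag is read straight from AD, so it also shows whether the change has replicated to the domain controller the client is using. Because an offline template makes the CA accept whatever subject the requester puts in the request, the first column is also the list of templates whose enrollment permissions deserve a second look.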
Comments
  • I tried "Use subject information from existing certificates for autoenrollment renewal requests" for my SAN (SSL) certificates.

    My PKI 2008 R2 works fine and I created a template for my web server. The SAN certificate was requested through the IIS (https://localhost/certsrv). Of course, I had to drag and drop the registered certificate from the user store to the local computer store, so the IIS could find it.

    I would like to auto-renew my SAN certificate with GPOs or manually, but if I do so in certmgr.msc, I get an error message: "Wrong Parameter".

  • Did you solve this, Jan S?

    I would try manually exporting and importing the certificate from the user store to computer store. I've had issues when using drag and drop.
