re: CA manager approval required for certificate re-enrollment

Fabian Müller [MSFT] — Sat, 25 Feb 2012 08:34:50 GMT

Hi Christian,

Larry provided the following answers: :-)

(#1) The topic we documented holds true for renewals, regardless of whether they are auto enroll initiated or manually initiated.

(#2) You are correct that you cannot have a UPN within the subject, only within the SAN.

The difference in behavior between offline and online templates is that for offline, the SAN is not evaluated, only the subject. In this case, regardless of whether it is a user or machine cert, the subject information must match. This means that the previously mentioned requirement that SAN contain either a UPN or email address does not apply. Of course, with Windows 7 the new client code provides the ability to auto-renew offline templates, so this makes this scenario a lot easier than it has been in the past. The client automatically populates the renewal cert request with the subject info from the cert that is being renewed.

HTH

Fabian

re: CA manager approval required for certificate re-enrollment

Christian Skoglund — Thu, 23 Feb 2012 16:49:33 GMT

Question #1

For the online template it works if you do manuell reenroll in the GUI "Renew Certificate with new key".

If you instead use Autoenrollment, the reenrolled certificate request will be pending in the CA.

Any idea? Is this supposed to work?

Question #2

You write about that name matching in offline templates only evaluate the subject name. You say that namematching only use email or upn. What about computer objects? What I now you can not have a UPN in the subject name, only in the SAN.

Regards

Christian