CharlieMelga-6484 asked:

Key based Certificate renewal (without CA Certificate Manager Approval)

Can someone please help me with the following question?

I have set up my AD CS environment to allow clients to renew certificates based on an existing certificate (this was for CES/CEP certificate-based renewal for non-domain-joined computers, but we do not need to worry about that; I mention it only for background). This works OK.

The issue is that when the certificate is renewed it ends up in the 'Pending Requests' folder on the CA, which is expected, as the certificate template (I am using a duplicate of the Computer template) has the following options:

Under 'Issuance Requirements' there is a section near the bottom called 'Require the following for reenrollment'.

In this section there is a radio button named 'Valid Existing Certificate' with an associated check box entitled 'Allow key based renewal'.

I need to have 'Allow key based renewal' checked in order to get CES/CEP certificate enrolment based on an existing certificate working OK (which it does).

However, the fields mentioned above (Valid Existing Certificate, and Allow key based renewal) are only available when you first select 'CA Certificate Manager Approval' at the top of the template, which means the request ends up in the 'Pending Requests' folder on the CA awaiting manual intervention to approve the request.

I want to allow the client computer to 'automatically' renew their certificate (recall they are not domain-joined, which is why I am using CES/CEP) based on the previously issued certificate without intervention, e.g. straight to issued, then the client pulling the certificate down and installing it.

Any ideas please on how to overcome this?

I have placed a graphic of the certificate template at the following location.

https://1drv.ms/u/s!AqL5zUwOWToZgeg27wd1inRX21iKKw?e=oGS3KA

Thanks very much in advance

CXMelga

Tags: windows-active-directory, windows-server-security
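Before changing the template, a practitioner usually wants to confirm from the directory object, rather than from the template GUI, which of the three Issuance Requirements settings discussed in the question are actually set. The script below is an added example; it is not code from the original post, from the answer, or from Microsoft. It decodes the template's msPKI-Enrollment-Flag attribute using the bit values documented in MS-CRTD, and lists the CA's pending queue so you can see what the manager-approval bit is producing. It assumes the RSAT ActiveDirectory module is available; the template CN 'ComputerKeyBasedRenewal' is a placeholder for your duplicated template (use the template's CN, not its display name).

```powershell
# Added example (not from the original post or from Microsoft).
# Decodes the "Issuance Requirements" bits of a certificate template's
# msPKI-Enrollment-Flag. Bit values are from MS-CRTD.
$CT_FLAG_PEND_ALL_REQUESTS                                              = 0x00000002  # 'CA certificate manager approval'
$CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT                       = 0x00000040  # 'Valid existing certificate'
$CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT = 0x00010000  # 'Allow key based renewal'

function ConvertFrom-EnrollmentFlag {
    # Pure decoder: takes the raw attribute value and reports the three settings.
    param([Parameter(Mandatory)][int]$Flags)

    [pscustomobject]@{
        RawFlags                  = ('0x{0:X8}' -f $Flags)
        CAManagerApprovalRequired = [bool]($Flags -band $CT_FLAG_PEND_ALL_REQUESTS)
        ValidExistingCertificate  = [bool]($Flags -band $CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT)
        AllowKeyBasedRenewal      = [bool]($Flags -band $CT_FLAG_ALLOW_PREVIOUS_APPROVAL_KEYBASEDRENEWAL_VALIDATE_REENROLLMENT)
    }
}

function Get-TemplateIssuanceRequirements {
    # Reads the template object from the Configuration partition and decodes it.
    # Requires the ActiveDirectory module (RSAT) and read access to the template.
    param([Parameter(Mandatory)][string]$TemplateName)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tpl = Get-ADObject -Identity $dn -Properties 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'

    $decoded = ConvertFrom-EnrollmentFlag -Flags ([int]$tpl.'msPKI-Enrollment-Flag')
    # msPKI-RA-Signature is "This number of authorized signatures"; 0 means none required.
    $decoded |
        Add-Member -NotePropertyName Template -NotePropertyValue $TemplateName -PassThru |
        Add-Member -NotePropertyName AuthorizedSignaturesRequired -NotePropertyValue ([int]$tpl.'msPKI-RA-Signature') -PassThru
}

# Offline check of the decoder with a constructed value: all three bits set
# (0x2 + 0x40 + 0x10000 = 0x00010042), matching how the question describes the template.
ConvertFrom-EnrollmentFlag -Flags 0x00010042 | Format-List

# Live check against the directory. 'ComputerKeyBasedRenewal' is a placeholder template CN.
Get-TemplateIssuanceRequirements -TemplateName 'ComputerKeyBasedRenewal' | Format-List

# Requests the CA is holding for manager approval (Disposition 9 = pending; 'certutil -view Queue'
# is the equivalent shorthand). Run on the CA, or add -config "CAHost\CAName".
certutil -view -restrict "Disposition=9" -out "RequestID,RequesterName,CertificateTemplate"
```

The decoder only reads the attribute; it changes nothing. If CAManagerApprovalRequired comes back true for the template, every request using it, including key-based renewals, will land in the pending queue regardless of how the client authenticated, which is the behaviour the question reports.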

1 Answer

LimitlessTechnology-2700 answered:

Hello CharlieMelga-6484,

Thank you for your question.

When enrolling certificates for clients or users, you may want to have control over initial certificate enrollment to decide whether the specific device or user really should have a certificate based on a specific template.

See the article below for more information:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ca-manager-approval-required-for-certificate-re-enrollment/ba-p/1128648



If the answer is helpful, please vote positively and accept as an answer.

CharlieMelga-6484 commented:

Hello LimitlessTechnology-2700, thanks for taking the time to reply to my query.

However, I know which devices need to enrol for certificates etc.

The question is specifically around 'Allow key based renewal' (see the template at the link I posted above), in other words using an existing certificate to authenticate with to request a renewal.

So to recap, it works (although I have to test some other bits too); the problem is as follows.

The reason the new certificate goes into the Pending Requests folder on the CA is because of the settings in the template (again, see the graphic at the link I posted above). You have to check the box 'CA Certificate Manager Approval', otherwise the check box 'Allow Key Based Renewal' is 'not' available and therefore you cannot renew a certificate using a previous certificate as the authentication method (remember the CA and the client are in separate untrusted forests).

So I am looking for a way around this, so the certificate is renewed (using Key Based Renewal) but does not require CA Administrator Approval.

Thanks
Charlie
