0

I have a certificate template (auto-enrolled) that must require manager approval.

To achieve this, I checked the CA certificate manager approval checkbox in the Issuance Requirements tab.

[screenshots: Issuance Requirements tab and Subject tab]

The computer does auto-enroll and the certificate is placed on the Pending queue on the CA.

My wish is that once the pending certificate was manually approved, certificates should be renewed, or updated if the template major version increments, without manager approval. But I can't get this to work.

When I increment the major version of the certificate template, the request is never automatically issued, but is again put into the Pending queue for manual issuance.

I tried changing the "Same criteria as for enrollment" option to "Valid existing certificate", but this didn't change anything.

To speed up my troubleshooting, I used certutil -pulse to start the auto-enrollment process on the requesting computer.

Edit:

The auto-enrollment policy on the affected server:

[screenshot: auto-enrollment policy]

Daniel
  • 6,940
  • 6
  • 33
  • 64
  • What's on the __Subject__ tab? – garethTheRed Jan 12 '22 at 13:49
  • @garethTheRed I added the subject tab. – Daniel Jan 12 '22 at 14:30
  • And the PKI group policy? – garethTheRed Jan 12 '22 at 17:24
  • Sounds like a bug in ADCS, or incorrect MSFT documentation. At this point, you cannot accomplish what you are trying to do. I'm reaching out to Microsoft in this regard to get explanations. – Crypt32 Jan 12 '22 at 18:44
  • @garethTheRed I added the auto-enrollment policy. I assume that is what you meant by PKI group policy? – Daniel Jan 13 '22 at 10:26
  • To be honest, they look identical to the setting I've used in the past. However, I've not tried to increment the major version of the template and tested. Going by what you've seen and what @Crypt32 said, it's unlikely I'd succeed! – garethTheRed Jan 13 '22 at 13:40
  • One thought - you've not set the validity period to anything ridiculously short for the purpose of expediting testing have you? Auto (re)enrollment fails when you issue certs for less than 8 hours or so - I usually set it to 24h even for testing. – garethTheRed Jan 13 '22 at 13:42
  • I set it to one hour. I will set it to 24h and wait a day. – Daniel Jan 13 '22 at 16:28
  • Today I checked the CA and the certificate renewals are still set to the pending state. – Daniel Jan 17 '22 at 07:35
  • @Daniel as I said, either it is a doc bug, or an ADCS CA bug. It is not your fault (not a misconfiguration). Docs say that `existing valid certificate` overrides the CA manager approval checkbox. I was able to repro, the behavior contradicts the docs, and I've opened a support case with MSFT. – Crypt32 Jan 20 '22 at 22:01
  • Just updating the post. Appreciate your effort. Please let me know of the outcome. Thanks! – Daniel Jan 21 '22 at 11:47

2 Answers

5

I've opened a support case with Microsoft on behalf of OP (TrackingID#2201120040008993) about the issue. As I pointed out in the comments, the OP's setup is correct and I was able to repro in my environment. The support ticket is open against the [MS-WCCE] protocol specification, §3.2.1.4.2.1.4.2.2.

Microsoft Support was able to confirm the issue. Further investigation discovered that the Microsoft CA properly implements the [MS-WCCE] §3.2.2.6.2.1.4.5.7 requirement to ignore the CT_FLAG_PEND_ALL_REQUESTS flag when CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT is set. However, further investigation found that the Microsoft CA fails with Bad Renewal Name in one of its internal request processing routines, which attempts to bind the requester's UPN name to the one stored in Active Directory. Since it is a computer template, the UPN is not available (hence the error), the renewal procedures are aborted and the initial request procedures are executed: the request is placed in pending requests. This UPN binding condition is not documented anywhere.

I've set up the same scenario for a user template (which writes the UPN into the certificate) and it worked well: the initial request was placed in pending requests, the renewal was processed automatically and the certificate issued.

In the current state, the "valid existing certificate" option works for user templates only and doesn't work for computer templates. There is no workaround available.

I'm continuing conversations with Microsoft Support and will update this response when new information is available.

HTH

Update 19.10.2022

Microsoft published updated documentation which includes conditions the request must meet in order to enable "Valid existing certificate" enforcement: [MS-WCCE] §3.2.2.6.2.1.4.8 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT Enforcement Conditions

Crypt32
  • 6,639
  • 1
  • 15
  • 33
  • I just want to state that if the subject name is supplied in the request, Valid existing certificate works for computer templates. – CryptoDan Oct 20 '22 at 05:42
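The answer above traces the behaviour to the CA needing a UPN to bind during re-enrollment, and the comment adds that a subject name supplied in the request also lets a computer template work. The following PowerShell script is an added example, not code from the answer, the asker, or Microsoft: it decodes a template's msPKI-Enrollment-Flag and msPKI-Certificate-Name-Flag bitmasks using the flag values defined in [MS-CRTD] and reports whether the template sits in the affected combination (manager approval plus "valid existing certificate", with no UPN in the name and no enrollee-supplied subject). The function names, the sample bitmask values and the template CN MyTemplate are constructed placeholders.

```powershell
# Added example (not from the original answer). Flag values below are the
# msPKI-Enrollment-Flag / msPKI-Certificate-Name-Flag bits defined in [MS-CRTD].
$EnrollmentFlags = @{
    0x2  = 'CT_FLAG_PEND_ALL_REQUESTS'                        # "CA certificate manager approval"
    0x20 = 'CT_FLAG_AUTO_ENROLLMENT'                          # "Autoenroll" permission intent
    0x40 = 'CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT'  # "Valid existing certificate"
}
$NameFlags = @{
    0x1        = 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'   # subject comes from the request
    0x2000000  = 'CT_FLAG_SUBJECT_ALT_REQUIRE_UPN'     # SAN carries the UPN (user templates)
    0x8000000  = 'CT_FLAG_SUBJECT_ALT_REQUIRE_DNS'     # SAN carries the DNS name (computer templates)
    0x10000000 = 'CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN'   # CN is the DNS name
}

# Return the names of every flag in $Table whose bit is set in $Value.
# [int64] so that AD's signed-int32 storage of the high bit does not break -band.
function ConvertFrom-FlagMask([int64]$Value, [hashtable]$Table) {
    $Table.Keys |
        Where-Object { ($Value -band $_) -ne 0 } |
        ForEach-Object { $Table[$_] } |
        Sort-Object
}

# Classify a template by the conditions the answer and comment describe.
function Test-TemplateRenewalRisk {
    param([int64]$EnrollmentFlag, [int64]$NameFlag)
    $e = @(ConvertFrom-FlagMask $EnrollmentFlag $EnrollmentFlags)
    $n = @(ConvertFrom-FlagMask $NameFlag $NameFlags)
    $pendAll  = $e -contains 'CT_FLAG_PEND_ALL_REQUESTS'
    $validEx  = $e -contains 'CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT'
    $hasUpn   = $n -contains 'CT_FLAG_SUBJECT_ALT_REQUIRE_UPN'
    $supplied = $n -contains 'CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT'
    [pscustomobject]@{
        EnrollmentFlags          = $e -join ', '
        NameFlags                = $n -join ', '
        # Approval bypass on renewal is only configured when both bits are set.
        ApprovalBypassConfigured = $pendAll -and $validEx
        # Per the answer, the CA then still needs a UPN to bind; per the comment,
        # an enrollee-supplied subject also avoids the problem.
        LikelyStuckPending       = $pendAll -and $validEx -and -not $hasUpn -and -not $supplied
    }
}

# Constructed sample: a computer template with manager approval, "valid existing
# certificate" and autoenrollment, whose name is built from the AD DNS name (no UPN).
Test-TemplateRenewalRisk -EnrollmentFlag (0x2 -bor 0x20 -bor 0x40) `
                         -NameFlag (0x8000000 -bor 0x10000000)

# Constructed sample: the same approval settings on a user template that carries the UPN.
Test-TemplateRenewalRisk -EnrollmentFlag (0x2 -bor 0x20 -bor 0x40) -NameFlag 0x2000000

# Optional: read the real attribute values for a template from AD (requires the
# ActiveDirectory module). 'MyTemplate' is a placeholder for the template's CN.
if (Get-Module -ListAvailable ActiveDirectory) {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $t = Get-ADObject -LDAPFilter '(cn=MyTemplate)' `
        -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
        -Properties 'msPKI-Enrollment-Flag', 'msPKI-Certificate-Name-Flag'
    if ($t) {
        Test-TemplateRenewalRisk $t.'msPKI-Enrollment-Flag' $t.'msPKI-Certificate-Name-Flag'
    }
}
```

The first sample reports ApprovalBypassConfigured true and LikelyStuckPending true (the asker's situation); the second reports LikelyStuckPending false, matching the user-template test in the answer. The script only reads template attributes; it does not change the template or the CA.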
0

@crypt32, based on the MS-WCCE documentation you provided, it seems like reenrollment without requiring approval will only work for user-based certificates, not computer-based ones. Is this a correct interpretation of what you shared?

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/539632) – lobi Jan 17 '23 at 22:38