Archive for the ‘certificate requests’ Category

Request File Can’t be Located during CA Certificate Renewal

May 29th, 2012

During my work with a customer renewing their Issuing CA's certificate based on the steps documented in this article, I discovered that the generated request file couldn't be located in the default location of %SystemDrive%. The Issuing CA didn't log any errors in the Event Log, nor did it post any error messages. I also searched for all files with the extension *.req on all drives, and still couldn't find the file.

After some more research, I discovered that my customer had changed the RequestFileName registry value during their installation to point at a drive that no longer exists on the CA. The location configured was a:\%1_%3%4.req. I followed these steps to fix this issue:

  1. Start the Registry Editor
  2. Navigate to HKLM\System\CurrentControlSet\Services\Certsvc\Configuration\<CASanitizedName>
  3. Locate the registry string RequestFileName
  4. Change the value from a:\%1_%3%4.req to C:\%1_%3%4.req
  5. Stop and start the Active Directory Certificate Services service

I was then able to create the Request File and submit it to the Offline Root CA to process it.
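The check I would run before a renewal, as an added example that is not part of the original post: read the RequestFileName value for the active CA, verify that the directory part of the pattern actually exists, and if not, repoint it at the system drive and restart the service as the steps above describe. It assumes the CA name can be read from the Active value under the Configuration key and that the script runs elevated on the CA itself.

```powershell
# Added example (not from the original post): detect a RequestFileName that points
# at a drive or directory that does not exist on this CA, and repair it.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

# The 'Active' value under Configuration holds the CA's sanitized name (assumption: single CA).
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName

# RequestFileName is a path pattern with %1..%4 placeholders, e.g. C:\%1_%3%4.req
$pattern = (Get-ItemProperty -Path $caKey -Name RequestFileName).RequestFileName
Write-Host "RequestFileName for '$caName': $pattern"

# Only the directory part has to exist; the placeholders are expanded at renewal time.
$dir = Split-Path -Path $pattern -Parent
if (Test-Path -LiteralPath $dir) {
    Write-Host "Directory '$dir' exists; the renewal request file will be written there."
} else {
    Write-Warning "Directory '$dir' does not exist; the CA cannot write the request file there."

    # Repair as described in the post: keep the file name pattern, move it to the system drive root.
    $fixed = Join-Path "$env:SystemDrive\" (Split-Path -Path $pattern -Leaf)
    Set-ItemProperty -Path $caKey -Name RequestFileName -Value $fixed
    Write-Host "RequestFileName changed to '$fixed'."

    # The CA reads its configuration at service start, so restart it for the change to apply.
    Restart-Service -Name CertSvc
}
```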

CA manager approval required for certificate re-enrollment

March 8th, 2011

Hi there, this is Larry, Developer from US, and Fabian, PFE from Germany, writing about an uncommon scenario that might raise questions sometimes.

When enrolling certificates to clients or users, you might want to control the initial enrollment of the certificate in order to decide whether the specific device or user really should have a certificate based on a specific template. Therefore you want to implement the following procedure:

  1. The initial enrollment (regardless of whether it is performed manually, by scripted enrollment, or by autoenrollment) should be issued only with CA certificate manager approval.
  2. When this certificate reaches the end of its validity period and a valid certificate / private key combination exists, the certificate renewal should be performed automatically without CA certificate manager approval.

As you can see in the first line “Require the following for enrollment:”, the option “CA certificate manager approval” enables controlled issuance for certificates. The tick box “Require the following for reenrollment” with option “Valid existing certificate” allows reenrollment to occur without requiring CA manager approval.

Generally speaking this is possible, but there are caveats:

Online Templates

If using templates that are configured to obtain the subject information from the Active Directory account object, you may run into the problem that the reenrollment does not occur without manager approval. The renewal request may still be taken under submission and require you to issue it manually as a CA certificate manager.

This may occur if the SAN does not contain either a User principal name (UPN) or an E-mail name.

When the CA is processing a renewal request, a name match is performed against the subject information within the certificate. The naming information in the signing cert (the one being renewed) needs to match that being requested. In performing the name match, however, the CA is only looking for specific items. This name match requires that the original certificate contains either a UPN or an E-mail name (or both) within the SAN extension, matching the value defined on the AD account object. If this information is not present within the original certificate, the name match cannot succeed and the renewal request goes pending.

The workaround for this is simple: configure your V2 or V3 template to include the UPN or E-mail name within the SAN, and renewals will succeed as expected.

In the event that the SAN information within the certificate being renewed is different from that defined on the AD account object, such as in the case of an account rename, the renewal request may also go pending. If the signing cert contains only the UPN or only the E-mail name, then that name must match what is defined on the AD account object. However, if both the UPN and E-mail name are present, only one needs to match in order for the renewal to be successful without requiring CA manager approval.

The described behavior holds true for both user and computer templates.

Offline Templates

For offline templates, where the subject information is provided within the certificate request, the behavior is different. When a renewal request for an offline template is evaluated, a similar name match is performed; however, today only the Subject is evaluated and SAN information is ignored.
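The name-match rules for online and offline templates described above, modeled as a decision function so you can predict whether a renewal will be auto-issued or go pending. This is an added example, not code from the original post or from AD CS; it assumes a plain case-insensitive string comparison of the names, and the account names used are constructed.

```powershell
# Added example (not from the original post): model of the CA's renewal name match as
# described in the text. Returns $true when the renewal can be issued without manager approval.
function Test-RenewalNameMatch {
    param(
        [Parameter(Mandatory)][ValidateSet('Online', 'Offline')][string]$TemplateType,
        [string]$CertSubject,     # Subject DN of the certificate being renewed
        [string]$CertSanUpn,      # UPN in the old certificate's SAN, if any
        [string]$CertSanEmail,    # E-mail name in the old certificate's SAN, if any
        [string]$RequestSubject,  # Subject DN carried in the renewal request (offline templates)
        [string]$AccountUpn,      # userPrincipalName currently on the AD account object
        [string]$AccountEmail     # mail attribute currently on the AD account object
    )

    if ($TemplateType -eq 'Offline') {
        # Offline templates: only the Subject is compared; SAN content is ignored.
        return ($CertSubject -eq $RequestSubject)
    }

    # Online templates: the old certificate must carry a UPN and/or E-mail name in its SAN ...
    $hasUpn   = -not [string]::IsNullOrEmpty($CertSanUpn)
    $hasEmail = -not [string]::IsNullOrEmpty($CertSanEmail)
    if (-not ($hasUpn -or $hasEmail)) { return $false }   # nothing to match on -> pending

    # ... and at least one of the names present must match the AD account object
    # (assumption: case-insensitive equality, which is what -eq does here).
    $upnMatches   = $hasUpn   -and ($CertSanUpn   -eq $AccountUpn)
    $emailMatches = $hasEmail -and ($CertSanEmail -eq $AccountEmail)
    return ($upnMatches -or $emailMatches)
}

# Constructed scenarios from the post (names are made up):
# 1) SAN carries neither UPN nor E-mail name -> pending ($false)
Test-RenewalNameMatch -TemplateType Online -AccountUpn 'alice@contoso.example'
# 2) Account renamed, SAN only had the old UPN -> pending ($false)
Test-RenewalNameMatch -TemplateType Online -CertSanUpn 'alice@contoso.example' -AccountUpn 'alice.smith@contoso.example'
# 3) Both names present, E-mail still matches after the rename -> auto-issued ($true)
Test-RenewalNameMatch -TemplateType Online -CertSanUpn 'alice@contoso.example' -CertSanEmail 'alice@contoso.example' `
    -AccountUpn 'alice.smith@contoso.example' -AccountEmail 'alice@contoso.example'
# 4) Offline template: Subject compared, SAN ignored -> auto-issued ($true)
Test-RenewalNameMatch -TemplateType Offline -CertSubject 'CN=web01.contoso.example' -RequestSubject 'CN=web01.contoso.example'
```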

Cheers!
