[MS-WCCE] §3.2.2.6.2.1.4.5.7 CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT question

Vadims Podāns 9,131 Reputation points MVP
2022-01-12T18:48:22.11+00:00

I have a question on CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag processing rule as outlined in [MS-WCCE] §3.2.2.6.2.1.4.5.7

The document says that:

The CA MUST ignore the CT_FLAG_PEND_ALL_REQUESTS flag.

However, my recent tests show opposite: if both, CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT and CT_FLAG_PEND_ALL_REQUESTS set, later flag wins, i.e. renewal request (as per [MS-WCCE] §3.2.1.4.2.1.4.2.2) is put to pending request state. Either, it is a bug in ADCS implementation (which implements [MS-WCCE] and [MS-CRTD]), or it is doc bug and CT_FLAG_PEND_ALL_REQUESTS is always enforced and cannot be overridden by CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT.

Can you clarify where is the problem? In ADCS implementation or in MS-WCCE docs?

Windows Open Specifications
Windows Open Specifications
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Open Specifications: Technical documents for protocols, computer languages, standards support, and data portability. The goal with Open Specifications is to help developers open new opportunities to interoperate with Windows, SQL, Office, and SharePoint.
42 questions
{count} vote

Accepted answer
  1. Obaid Farooqi MSFT 591 Reputation points Microsoft Employee
    2022-03-10T18:41:32.987+00:00

    Forum update:
    This issue is now resolved.
    The reason the renewal is pending is that the CA expect the SubjectAltName in the previously issued certificate to be either of type cert_alt_name_other_name or cert_alt_name_rfc822_name. The name in the previously issued certificate is of type dns name. For this reason, the renewal gets pended. The document is correct as far as the flags priority is concerned. A bug has been filed against MS-WCCE to add the subjectAltName requirements for renewal.

    Regards,
    Obaid Farooqi - MSFT


2 additional answers

Sort by: Most helpful
  1. Vadims Podāns 9,131 Reputation points MVP
    2022-01-13T09:41:26.343+00:00

    Attaching sample CMC renewal request used in tests. Request was put in pending state although the template setting has enabled CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT flag. Unfortunately, the file upload control is broken on forums, so pasting its content directly:

    -----BEGIN NEW CERTIFICATE REQUEST-----
    MIIOqgYJKoZIhvcNAQcCoIIOmzCCDpcCAQMxCzAJBgUrDgMCGgUAMIIHswYIKwYB
    BQUHDAKgggelBIIHoTCCB50wVTBTAgECBggrBgEFBQcHCDFEMEICAQAwAwIBATA4
    MDYGCSsGAQQBgjcVBwQpMCcGHysGAQQBgjcVCImQBoO+uDuHwY8PhLjyKoHh71Ul
    ARwCAXACAQAwggc+oIIHOgIBATCCBzMwggacAgEAMAAwgZ8wDQYJKoZIhvcNAQEB
    BQADgY0AMIGJAoGBALGevv4NqrgOrWvSaGTQEJf6Jj/pQtqBn4J1MTDg2M0TupK6
    2kWUzbLB1tmGww1tMHV4bbZjReXJD5p+tcCSKRrNnDqDD9PWtUJCgLKCDMW2cJ7E
    fKzIFWGVCiUiPaHaaa1cu07FspgnCqF1akDXK5ubnvAvfzedtGe4h/PL/IOhAgMB
    AAGgggXxMBoGCisGAQQBgjcNAgMxDBYKNS4yLjM3OTAuMjA+BgkrBgEEAYI3FRQx
    MTAvAgEBDA9EQzEuY29udG9zby5jb20MDENPTlRPU09cREMxJAwLc3ZjaG9zdC5l
    eGUwdgYJKoZIhvcNAQkOMWkwZzAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0OBBYEFAby
    O0VSfkvQj9AxGvOGXSXujHYXMDYGCSsGAQQBgjcVBwQpMCcGHysGAQQBgjcVCImQ
    BoO+uDuHwY8PhLjyKoHh71UlARwCAXACAQAwgf0GCisGAQQBgjcNAgIxge4wgesC
    AQEeWgBNAGkAYwByAG8AcwBvAGYAdAAgAFIAUwBBACAAUwBDAGgAYQBuAG4AZQBs
    ACAAQwByAHkAcAB0AG8AZwByAGEAcABoAGkAYwAgAFAAcgBvAHYAaQBkAGUAcgOB
    iQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMIIEGQYJ
    KwYBBAGCNw0BMYIECjCCBAYwggLuoAMCAQICExYHCAkBAgMEBQYHCAkABAAPRbgw
    DQYJKoZIhvcNAQELBQAwRzETMBEGCgmSJomT8ixkARkWA2NvbTEXMBUGCgmSJomT
    8ixkARkWB2NvbnRvc28xFzAVBgNVBAMTDmNvbnRvc28tREMyLUNBMB4XDTIyMDEx
    MjE2NTkyN1oXDTIzMDExMjE2NTkyN1owADCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
    gYkCgYEAxlPRfx/zJZ6eFAzhtmXRnMaxQTiNgHAadYQ8TcHyrLGiWDOR6W1jiiEf
    hriuYbDHEDATuFw/s+BCLn+e9Gk+Hipm+aO1K8NxnWrMkU2wyaEBJAqxm57LQPfo
    RvDE1vqAHrM78A85um56hNvgmKGMNf3Y9SRFsafUxmYpdY8XihUCAwEAAaOCAbQw
    ggGwMDUGCSsGAQQBgjcVCgQoMCYwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEwDAYK
    KwYBBAGCNxQCAjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEEAYI3FQiJkAaDvrg7h8GP
    D4S48iqB4e9VJQEcAgFvAgEAMG0GCCsGAQUFBwEBBGEwXzA0BggrBgEFBQcwAoYo
    aHR0cDovL3d3dy5jb250b3NvLmNvbS9wa2kvZGMyaWNhKDQpLmNydDAnBggrBgEF
    BQcwAYYbaHR0cDovL2RjMi5jb250b3NvLmNvbS9vY3NwMB0GA1UdDgQWBBSTA+0+
    ZjcAdbUIohg46luLJE8CRjALBgNVHQ8EBAMCBaAwHQYDVR0RAQH/BBMwEYIPREMx
    LmNvbnRvc28uY29tMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly93d3cuY29udG9z
    by5jb20vcGtpL2RjMmljYSg0KS5jcmwwHwYDVR0jBBgwFoAUWyIEl7c3FCe0KfF8
    2QwEj2XhhXAwKQYDVR0lBCIwIAYIKwYBBQUHAwIGCCsGAQUFBwMBBgorBgEEAYI3
    FAICMA0GCSqGSIb3DQEBCwUAA4IBAQAm8/4c7togtER8MZwiWP77HgT9jtiUO6xP
    PloD+BGTC6GhgaGmBDKYwUCMPN5d2DhvVinRNvOTRq27FEHDewhOoldtoPdEyDwA
    OVrNA3EUQslBoJi3d4Etdy2NwxI32ghC4rxH2vQnjJHt83Y6AMrUYnXDPTAtq8GV
    M9KxlW2yAe54wLZI/kkzUqA9CQXnw2nxXGnDel+fFJoZu3B+XQFmy3h5jrSCACrl
    FnNEJKnoUoLPMuWkyfUgA3+3KzacBC+JS/MsA6RDfEqzS8vaFLPQRMMeR5R+pC27
    KnSamdyl7mrIByCltuu6jqsq9ZsuIXk13v/wJP45dwynvXUmJQOIMA0GCSqGSIb3
    DQEBBQUAA4GBAKfqMWJu1W1TNT5Rrj0nLNSPWBlXNtD0gghuH+8D4gXTPH0htDlW
    O0MLW8aHVRJ5Pq1rDTukZXCKFceQE9KXgoUnqCCWS5p2dFlEWPVTDiGi1G/7mn76
    tdEne1B1Wdz7QfuQb/AGW2s2Su6tDrQ0SpoMNwJVTfu58fB8kvtIENPtMAAwAKCC
    BAowggQGMIIC7qADAgECAhMWBwgJAQIDBAUGBwgJAAQAD0W4MA0GCSqGSIb3DQEB
    CwUAMEcxEzARBgoJkiaJk/IsZAEZFgNjb20xFzAVBgoJkiaJk/IsZAEZFgdjb250
    b3NvMRcwFQYDVQQDEw5jb250b3NvLURDMi1DQTAeFw0yMjAxMTIxNjU5MjdaFw0y
    MzAxMTIxNjU5MjdaMAAwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMZT0X8f
    8yWenhQM4bZl0ZzGsUE4jYBwGnWEPE3B8qyxolgzkeltY4ohH4a4rmGwxxAwE7hc
    P7PgQi5/nvRpPh4qZvmjtSvDcZ1qzJFNsMmhASQKsZuey0D36EbwxNb6gB6zO/AP
    ObpueoTb4JihjDX92PUkRbGn1MZmKXWPF4oVAgMBAAGjggG0MIIBsDA1BgkrBgEE
    AYI3FQoEKDAmMAoGCCsGAQUFBwMCMAoGCCsGAQUFBwMBMAwGCisGAQQBgjcUAgIw
    NgYJKwYBBAGCNxUHBCkwJwYfKwYBBAGCNxUIiZAGg764O4fBjw+EuPIqgeHvVSUB
    HAIBbwIBADBtBggrBgEFBQcBAQRhMF8wNAYIKwYBBQUHMAKGKGh0dHA6Ly93d3cu
    Y29udG9zby5jb20vcGtpL2RjMmljYSg0KS5jcnQwJwYIKwYBBQUHMAGGG2h0dHA6
    Ly9kYzIuY29udG9zby5jb20vb2NzcDAdBgNVHQ4EFgQUkwPtPmY3AHW1CKIYOOpb
    iyRPAkYwCwYDVR0PBAQDAgWgMB0GA1UdEQEB/wQTMBGCD0RDMS5jb250b3NvLmNv
    bTA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vd3d3LmNvbnRvc28uY29tL3BraS9k
    YzJpY2EoNCkuY3JsMB8GA1UdIwQYMBaAFFsiBJe3NxQntCnxfNkMBI9l4YVwMCkG
    A1UdJQQiMCAGCCsGAQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAjANBgkqhkiG
    9w0BAQsFAAOCAQEAJvP+HO7aILREfDGcIlj++x4E/Y7YlDusTz5aA/gRkwuhoYGh
    pgQymMFAjDzeXdg4b1Yp0Tbzk0atuxRBw3sITqJXbaD3RMg8ADlazQNxFELJQaCY
    t3eBLXctjcMSN9oIQuK8R9r0J4yR7fN2OgDK1GJ1wz0wLavBlTPSsZVtsgHueMC2
    SP5JM1KgPQkF58Np8Vxpw3pfnxSaGbtwfl0BZst4eY60ggAq5RZzRCSp6FKCzzLl
    pMn1IAN/tys2nAQviUvzLAOkQ3xKs0vL2hSz0ETDHkeUfqQtuyp0mpncpe5qyAcg
    pbbruo6rKvWbLiF5Nd7/8CT+OXcMp711JiUDiDGCAr4wggE2AgEDgBQG8jtFUn5L
    0I/QMRrzhl0l7ox2FzAJBgUrDgMCGgUAoH4wFwYJKoZIhvcNAQkDMQoGCCsGAQUF
    BwwCMCMGCSqGSIb3DQEJBDEWBBSKsjsejZziWw+FwNU0yMZcFVxzcTA+BgkrBgEE
    AYI3FRQxMTAvAgEBDA9EQzEuY29udG9zby5jb20MDENPTlRPU09cREMxJAwLc3Zj
    aG9zdC5leGUwDQYJKoZIhvcNAQEBBQAEgYAOVszcd+Dykw/ZJMjrTS9sX9zvu9Db
    r7Fc4SVVNG6hvPEFDrR0TUrUxRs7R9yyFDMXPKgvdtps+NK0XVVcu2u9wSvVGwln
    8pJiAT8Hy8LmC8dOA4aZKuuQZZQpTK26OO+sVg6Q086gE4x2OtWW5B4Kkit8IlFO
    wOFqFh78NZ28rjCCAYACAQEwXjBHMRMwEQYKCZImiZPyLGQBGRYDY29tMRcwFQYK
    CZImiZPyLGQBGRYHY29udG9zbzEXMBUGA1UEAxMOY29udG9zby1EQzItQ0ECExYH
    CAkBAgMEBQYHCAkABAAPRbgwCQYFKw4DAhoFAKB+MBcGCSqGSIb3DQEJAzEKBggr
    BgEFBQcMAjAjBgkqhkiG9w0BCQQxFgQUirI7Ho2c4lsPhcDVNMjGXBVcc3EwPgYJ
    KwYBBAGCNxUUMTEwLwIBAQwPREMxLmNvbnRvc28uY29tDAxDT05UT1NPXERDMSQM
    C3N2Y2hvc3QuZXhlMA0GCSqGSIb3DQEBAQUABIGAc1odKBk29tGkjOAPVjldomEm
    +xGiMzpBZRUmhvcy6XhMwZ5/ys7wnxmI64x7oQv08+/0C5xCB/hCyEOYDvhWWK2g
    xIWq5uXGNq7pya5x+SSXHJNKxnSuhQ2GLbN4Ea2D4tjfm9IDyJWLoQFIyz9GkDvX
    f5PkMyBIotzgYywRKRE=
    -----END NEW CERTIFICATE REQUEST-----
    
    1 person found this answer helpful.
    0 comments No comments

  2. Jeff McCashland 6 Reputation points
    2022-02-23T17:10:19.933+00:00

    Hi Crypt32,

    I was able to reproduce the result you reported where the certificate renewal request was unexpectedly pended even though CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT was set.

    Based on my analysis of the traces, the issue is not that the PREVIOUS_APPROVAL flag is not overriding PEND_ALL_REQUESTS, as the code does in fact attempt to do so. However, it is encountering an error (at least in my case) “Bad Renewal Name”. The name on the certificate is the DNS name DC01.lab.local. However it appears to be looking for a UPN rather than a DNS name.

    Best Regards,
    Jeff McCashland
    Microsoft Open Specifications


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.