Populate Subject Name for Offline Templates on Renew
Offline templates are certificate templates that require the subject name to be part of the certificate request. The certificate authority will use the subject name supplied in the request as the subject name of the certificate to issue. This is different from online templates where the Microsoft Certificate Authority (CA) looks in Active Directory (AD) to determine the subject name for the certificate to issue.
You can configure this on the Subject Name tab of the certificate template snap-in. See the screenshot below [Figure 1]. The checkbox that says “Use subject information from existing certificates for autoenrollment renewal requests” is available only in Windows Server 2008 R2.
Figure 1: Subject Name tab of certificate template snap-in. “Supply in the request” means it is an offline template.
Pre-Windows 7, the auto-enrollment client would not auto-renew machine certificates whose certificate template was an offline template [Table 1: row 1, column 4]. Also, pre-Windows 7, user certificates whose certificate template was an offline template required user interaction during renewal so that the user could type in the subject name to be included in the certificate request [Table 1: row 3, column 4].
On Windows 7, the auto-enrollment client will auto-renew machine certificates whose certificate template is an offline template only if the “Use subject information from existing certificates for autoenrollment renewal requests” checkbox is turned on [Table 1: row 2, column 4]. This option is only available in Windows Server 2008 R2 for version 2 or version 3 machine templates. The behavior for user certificates in Windows 7 is unchanged.
Table 1: Auto-enrollment and auto-renewal behavior for certificates issued from offline templates.

| Client Operating System | Machine or User | Auto-Enroll | Auto-Renew |
|---|---|---|---|
| Pre-Windows 7 | Machine | No | No |
| Windows 7 | Machine | No | Yes – with the “Use subject information from existing certificates” option set on the template |
| Pre-Windows 7 | User | Yes – with UI pop-up | Yes – with UI pop-up |
| Windows 7 | User | Yes – with UI pop-up | Yes – with UI pop-up |
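The template settings described above are stored as bit flags on the template object in the AD configuration partition, so an administrator can audit which templates are offline templates and whether the renewal option is set without opening the snap-in for each one. The script below is an added example and is not code from the original article or from Microsoft. It assumes that the template attributes (`flags`, `msPKI-Certificate-Name-Flag`, `msPKI-Enrollment-Flag`, `msPKI-Template-Schema-Version`) have already been exported, for instance with `Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,<configurationNamingContext>" -Filter * -Properties *`; the sample records embedded in it are constructed. The flag values are the ones documented in MS-CRTD; the checkbox “Use subject information from existing certificates for autoenrollment renewal requests” corresponds to `CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME` in `msPKI-Certificate-Name-Flag`. The expected-outcome logic follows Table 1 and generalizes it slightly by also checking the template schema version, since the article notes the option applies only to version 2 and version 3 machine templates.

```python
from dataclasses import dataclass

# Flag bits from the AD certificate-template schema (MS-CRTD).
CT_FLAG_MACHINE_TYPE = 0x00000040                 # 'flags': template is for machines
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001    # msPKI-Certificate-Name-Flag: "Supply in the request"
CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME = 0x00000008  # msPKI-Certificate-Name-Flag: the 2008 R2 renewal checkbox
CT_FLAG_AUTO_ENROLLMENT = 0x00000020              # msPKI-Enrollment-Flag: autoenrollment permitted

# Outcome codes returned by renewal_outcome().
RENEWS_SILENTLY = "RENEWS_SILENTLY"
PROMPTS_USER = "PROMPTS_USER"
NO_AUTORENEW = "NO_AUTORENEW"


@dataclass(frozen=True)
class Template:
    """One certificate template as exported from AD (attribute names abbreviated)."""
    name: str
    flags: int              # 'flags' attribute
    name_flag: int          # msPKI-Certificate-Name-Flag
    enrollment_flag: int    # msPKI-Enrollment-Flag
    schema_version: int     # msPKI-Template-Schema-Version

    @property
    def is_machine(self) -> bool:
        return bool(self.flags & CT_FLAG_MACHINE_TYPE)

    @property
    def is_offline(self) -> bool:
        # Offline template: the requester supplies the subject name.
        return bool(self.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)

    @property
    def reuses_existing_subject(self) -> bool:
        # The "Use subject information from existing certificates ..." checkbox.
        return bool(self.name_flag & CT_FLAG_OLD_CERT_SUPPLIES_SUBJECT_AND_ALT_NAME)

    @property
    def autoenrollment_enabled(self) -> bool:
        return bool(self.enrollment_flag & CT_FLAG_AUTO_ENROLLMENT)


def renewal_outcome(t: Template, client: str = "win7"):
    """Expected auto-renewal behaviour for a certificate issued from t, per Table 1.

    client is "win7" or "pre-win7". Returns (outcome code, reason).
    """
    if not t.is_offline:
        return RENEWS_SILENTLY, "online template: CA takes the subject from AD"
    if not t.is_machine:
        return PROMPTS_USER, "user offline template: renewal asks the user for the subject"
    if client == "pre-win7":
        return NO_AUTORENEW, "machine offline template: pre-Windows 7 clients never auto-renew"
    if t.reuses_existing_subject and t.schema_version in (2, 3):
        return RENEWS_SILENTLY, "machine offline template: subject copied from the existing certificate"
    return NO_AUTORENEW, "machine offline template: renewal option not set, or template is not v2/v3"


def audit(templates, client: str = "win7"):
    """List every autoenrollment-enabled offline template with its expected renewal outcome."""
    return [
        (t.name, *renewal_outcome(t, client))
        for t in templates
        if t.autoenrollment_enabled and t.is_offline
    ]


# Constructed sample records (not real templates); bit values chosen to exercise each branch.
SAMPLE_TEMPLATES = [
    Template("WebServerSAN", flags=0x40, name_flag=0x1, enrollment_flag=0x20, schema_version=2),  # machine, offline, option off
    Template("WebServerSANRenew", flags=0x40, name_flag=0x9, enrollment_flag=0x20, schema_version=2),  # machine, offline, option on
    Template("LegacyOffline", flags=0x40, name_flag=0x9, enrollment_flag=0x20, schema_version=1),  # v1: option does not apply
    Template("UserSmartcard", flags=0x0, name_flag=0x1, enrollment_flag=0x20, schema_version=2),  # user, offline
    Template("Workstation", flags=0x40, name_flag=0x0, enrollment_flag=0x20, schema_version=2),  # online: not reported
]

if __name__ == "__main__":
    for name, code, reason in audit(SAMPLE_TEMPLATES):
        print(f"{name:20} {code:16} {reason}")
```

Run against a real export, the `NO_AUTORENEW` rows are the machine templates whose certificates will silently expire unless the renewal option is enabled on the template or renewal is handled another way.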
Comments
Anonymous
January 01, 2003
Did you solve this, Jan S? I would try manually exporting and importing the certificate from the user store to the computer store. I've had issues when using drag and drop.

Anonymous
March 02, 2011
I tried to "Use subject information from existing certificates for autoenrollment renewal requests" for my SAN (SSL) certificates. My PKI 2008 R2 works fine and I created a template for my web server. The SAN certificate was requested through the IIS (https://localhost/certsrv). Of course, I had to drag and drop the registered certificate from the user store to the local computer store, so the IIS could find it. I would like to auto-renew my SAN certificate with GPOs or manually, but if I do so in certmgr.msc, I get an error message: "Wrong Parameter".